From: Lee Dilkie
To: Yves Goergen
CC: Matthew Newton, users@spamassassin.apache.org
Subject: Re: BOTNET IPv6 patch
Date: Sat, 02 Jul 2011 20:20:43 -0400
Message-ID: <4E0FB5DB.6010803@dilkie.com>
In-Reply-To: <4E0ED179.6010802@unclassified.de>
References: <20110630110606.GB12942@rootmail.cc.le.ac.uk> <4E0ED179.6010802@unclassified.de>
List: users@spamassassin.apache.org

interesting.

the ipv6 address is correct, spock.dilkie.com was the source of the email.

however, the quoted ipv4 address, 216.191.234.70 is my employer's mail gateway (Mitel), and I suspect the script grabbed the ip address I used to send the test message to my server that was relayed to Yves. (ie. the first hop was ipv4, the second was ipv6).

-lee

On 7/2/2011 4:06 AM, Yves Goergen wrote:
> On 30.06.2011 13:06 CE(S)T, Matthew Newton wrote:
>> On Wed, Jun 29, 2011 at 09:59:52PM +0200, Yves Goergen wrote:
>>>> Received: from sp***ck.di***ie.com ([2001:***::40])
>>>>     by do***rd.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
>>>>     (Exim 4.71)
>>>>     (envelope-from <L***e@Di***ie.com>)
>>>>     id 1Qc0UA-0001R3-DT
>>>>     for nospam.list@un***ed.de; Wed, 29 Jun 2011 21:31:44 +0200
>>>> X-Spam-Report: Content analysis details:
>>>>   0.2 BOTNET                 Relay might be a spambot or virusbot
>>>>                      [botnet0.8,ip=2**.1**.2**.7*,maildomain=Di***ie.com,nordns]
>>> Doesn't seem to work. It's a false positive again. And Botnet recognises
>>> the incoming IPv6 address as some IPv4 address and reports that one.
>> That doesn't look right - unless your munging has really messed it
>> up. BOTNET seemed to check an IPv4 address there: "2**.1**.2**.7*"
>>
>> Do a dig -x against that IPv4 address, and the 2001:***::40
>> address, and see if both have correct PTRs.
> I cannot interpret the results:
>
>> $ dig -x 216.191.234.70
>>
>> ; <<>> DiG 9.7.0-P1 <<>> -x 216.191.234.70
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22386
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;70.234.191.216.in-addr.arpa.	IN	PTR
>>
>> ;; AUTHORITY SECTION:
>> 234.191.216.in-addr.arpa. 3446	IN	SOA	ns1.business.allstream.net. hostmaster.business.allstream.net. 2010030901 3600 900 604800 21600
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 2a01:4f8:121:5161::2#53(2a01:4f8:121:5161::2)
>> ;; WHEN: Sat Jul  2 10:02:25 2011
>> ;; MSG SIZE  rcvd: 118
> and
>
>> $ dig -x 2001:470:8900::40
>>
>> ; <<>> DiG 9.7.0-P1 <<>> -x 2001:470:8900::40
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34084
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR
>>
>> ;; ANSWER SECTION:
>> 0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. 3600 IN PTR spock.dilkie.com.
>>
>> ;; Query time: 1141 msec
>> ;; SERVER: 2a01:4f8:121:5161::2#53(2a01:4f8:121:5161::2)
>> ;; WHEN: Sat Jul  2 10:02:38 2011
>> ;; MSG SIZE  rcvd: 120
> (I figured out it's useless to obfuscate addresses and names here as
> they're sent over the list as well.)
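The thread turns on two things: which hop's address a reverse-DNS check should be looking at, and what the PTR owner name looks like for an IPv6 address (the long nibble-reversed ip6.arpa name in the dig output above). The following is an added example, not code from the thread or from the BOTNET plugin. It extracts the bracketed client literal from each Received header, builds the in-addr.arpa or ip6.arpa query name with Python's ipaddress module, and runs a forward-confirmed reverse-DNS check against an injected resolver so it runs offline. The Received lines, the hostnames mx.example.net and gateway.example.com, and the zone data are constructed to mirror the two hops Lee describes (a v4 first hop with no PTR, a v6 second hop from spock.dilkie.com with a matching PTR); they are not headers from the original message.

```python
import ipaddress
import re

# Constructed sample Received headers (not taken from the original message):
# most recent hop first, as they appear in a delivered message.
SAMPLE_RECEIVED = [
    "from spock.dilkie.com ([2001:470:8900::40]) by mx.example.net with esmtps",
    "from [216.191.234.70] (helo=gateway.example.com) by spock.dilkie.com with esmtp",
]

# Received headers carry the client address as a bracketed literal:
# [1.2.3.4] or [IPv6:2001:db8::1]; some MTAs omit the "IPv6:" tag.
_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def connecting_address(received):
    """Return the client address recorded in one Received header, or None."""
    m = _LITERAL.search(received)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:  # bracketed text that is not an address literal
        return None


def ptr_name(addr):
    """PTR owner name: dotted-reversed in-addr.arpa for v4,
    nibble-reversed ip6.arpa for v6 (what `dig -x` queries)."""
    return ipaddress.ip_address(addr).reverse_pointer


def check_relay(received, resolve_ptr, resolve_addr):
    """Forward-confirmed rDNS on the address of THIS hop only.

    resolve_ptr(name)  -> list of hostnames for a PTR owner name
    resolve_addr(host) -> list of address strings (A/AAAA) for a host
    Returns (addr, verdict): 'nordns' (no PTR, as in the thread's v4 case),
    'mismatch' (PTR exists but does not resolve back), or 'fcrdns'.
    """
    addr = connecting_address(received)
    if addr is None:
        return None, "no-literal"
    names = resolve_ptr(ptr_name(addr))
    if not names:
        return addr, "nordns"
    for host in names:
        if any(ipaddress.ip_address(a) == addr for a in resolve_addr(host)):
            return addr, "fcrdns"
    return addr, "mismatch"


# Constructed zone data standing in for DNS (hypothetical, offline): the v6
# host has a PTR that resolves back to itself; the v4 gateway has no PTR,
# matching the NXDOMAIN answer shown in the thread.
FAKE_PTR = {ptr_name("2001:470:8900::40"): ["spock.dilkie.com"]}
FAKE_ADDR = {"spock.dilkie.com": ["2001:470:8900::40"]}


def fake_resolve_ptr(name):
    return FAKE_PTR.get(name, [])


def fake_resolve_addr(host):
    return FAKE_ADDR.get(host, [])


def classify_hops(received_headers):
    """Check every hop separately so a v4 earlier hop is never reported
    as the verdict for a v6 later hop."""
    return [check_relay(h, fake_resolve_ptr, fake_resolve_addr)
            for h in received_headers]


if __name__ == "__main__":
    for addr, verdict in classify_hops(SAMPLE_RECEIVED):
        print(f"{addr!s:>20}  {ptr_name(addr)}  -> {verdict}")
```

The verdict is attached to the hop whose address was actually resolved, which is the behaviour the thread finds missing: a "nordns" result for the v4 gateway on the earlier hop says nothing about the v6 relay on the later hop. Swapping the two fake resolvers for real lookups (for example via dnspython) keeps the rest of the logic unchanged.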