Zimbra

uxbod · #11 (**permalink**) 04-21-2010, 08:14 AM

Can you temporarily move BotNet.pm out of the way and do

Code:

su - zimbra
zmamavisdctl restart

and then send another test email to see if it still hits ?

imx · #12 (**permalink**) 04-21-2010, 08:16 AM

Already tried this, was running for a few days without in dropped into the config - still fires RDNS_NONE, so i just had to tune it down to 0.001....

uxbod · #13 (**permalink**) 04-21-2010, 08:27 AM

Hmmm very odd. Okay, how about creating a dummy email. You can use one of your test ones but remove all the SA and Amavis headers. Then use the same spamassassin command but without the --line and redirect the email into it. We can then see how SA is interpreting it.

imx · #14 (**permalink**) 04-21-2010, 08:53 AM

Ok....i see conflicts:

Quote:

[17018] dbg: rules: ran header rule __RDNS_NONE ======> got hit: "[ ip=xx.xx.61.41 rdns= "

So rdns= nothing, however botnet see's it resolve but still flags a hit:

Quote:

[17018] dbg: Botnet: starting
[17018] dbg: Botnet: no trusted relays
[17018] dbg: Botnet: get_relay didn't find RDNS
[17018] dbg: Botnet: IP is 'xx.xx.61.41'
[17018] dbg: Botnet: RDNS is 'dsl.domain.com'
[17018] dbg: Botnet: HELO is ''
[17018] dbg: Botnet: sender ''

I can dig/dig -x, including +trace, forward and reverse records...i dont get it....