Re: Botnet over aggressive?
On Tue, 2007-07-03 at 16:39 +0200, Cliff Stanford wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> I'm still a bit vague on how the SpamAssassin rules fit together but
> I've noticed that, since upgrading to the latest version, I'm getting a
> lot of false positives.
> The common cause seems to be Botnet.cf.
Botnet is very aggressive by default. Combining it with p0f, it is
almost useful. Setting up p0f support is a non-trivial exercise, for
which there are good articles in the archives that would explain it much
better than I could do here.
My rules are:
meta BOTNET_WXP !DKIM_VERIFIED && !DK_VERIFIED && L_P0F_WXP && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_WXP 3.2
meta BOTNET_W !DKIM_VERIFIED && !DK_VERIFIED && (L_P0F_W || L_P0F_UNKN) && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_W 2.0
meta BOTNET_OTHER !BOTNET_W && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_OTHER 0.5
I'm still getting a trickle of false positives, but that seems to be
much more realistic than 5 for everything.
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
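The meta rules in the post combine Botnet sub-rule hits with p0f OS-fingerprint rules and the DKIM/DK verification rules. As an added example (my own code, not from the post or from the SpamAssassin project), here is a small Python evaluator that applies those three meta expressions to constructed sets of rule hits, treating a hit as 1 and a miss as 0 the way SpamAssassin's meta arithmetic does, and sums the three meta scores. The rule names and scores are taken from the post; the sample hit sets, the evaluator and its listed-order evaluation are assumptions of this example, and only the three meta scores are summed (whatever Botnet.cf's own sub-rules score is out of scope).

```python
import re
from collections import defaultdict

# The three meta rules from the post, as (expression, score). Rule names are
# the ones in the post; only these three scores are summed here (constructed
# example; whatever Botnet.cf's own sub-rules score is out of scope).
META_RULES = {
    "BOTNET_WXP": (
        "!DKIM_VERIFIED && !DK_VERIFIED && L_P0F_WXP && "
        "(BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0",
        3.2,
    ),
    "BOTNET_W": (
        "!DKIM_VERIFIED && !DK_VERIFIED && (L_P0F_W || L_P0F_UNKN) && "
        "(BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0",
        2.0,
    ),
    "BOTNET_OTHER": (
        "!BOTNET_W && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0",
        0.5,
    ),
}

# Tokens the meta expressions on this page use: rule names, integer
# literals, the boolean operators, parentheses, + and >.
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\d+|&&|\|\||[!()+>]")
BOOL_OPS = {"!": "not", "&&": "and", "||": "or"}


def to_python(expr):
    """Translate a meta expression into a Python expression over hit table h."""
    tokens = TOKEN_RE.findall(expr)
    # findall silently skips characters it cannot match; refuse those.
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("unsupported token in meta expression: %r" % expr)
    out = []
    for tok in tokens:
        if tok in BOOL_OPS:
            out.append(BOOL_OPS[tok])
        elif tok[0].isalpha() or tok[0] == "_":
            out.append("h[%r]" % tok)   # a rule hit is 1, a miss is 0
        else:
            out.append(tok)             # digits and ( ) + >
    return " ".join(out)


def evaluate(expr, hits):
    """True if the meta expression fires for the given set of hit rule names."""
    h = defaultdict(int, {name: 1 for name in hits})
    return bool(eval(to_python(expr), {"__builtins__": {}}, {"h": h}))


def score(base_hits):
    """Apply the meta rules in listed order; return (fired meta rules, total)."""
    # SpamAssassin orders meta rules by their dependencies itself; here the
    # listing already puts BOTNET_W before BOTNET_OTHER, which depends on it.
    hits = set(base_hits)
    fired, total = [], 0.0
    for name, (expr, points) in META_RULES.items():
        if evaluate(expr, hits):
            hits.add(name)
            fired.append(name)
            total += points
    return fired, round(total, 2)


# Constructed hit sets: what the sub-rules would report for four messages.
SAMPLES = {
    "xp_bot": {"L_P0F_WXP", "BOTNET_CLIENT", "BOTNET_NORDNS"},
    "xp_but_dkim": {"DKIM_VERIFIED", "L_P0F_WXP", "BOTNET_CLIENT"},
    "unknown_os": {"L_P0F_UNKN", "BOTNET_BADDNS"},
    "clean_xp": {"L_P0F_WXP"},
}

if __name__ == "__main__":
    for label, hits in SAMPLES.items():
        print("%-12s %s" % (label, score(hits)))
```

Running it shows one thing the rules alone do not make obvious: a message that hits L_P0F_WXP plus any Botnet sub-rule scores 3.7, not 3.2, because BOTNET_OTHER only excludes BOTNET_W and therefore stacks on top of BOTNET_WXP; the same hits on a DKIM-verified message collect only the 0.5 from BOTNET_OTHER, and a p0f-unknown sender with a bad-DNS hit gets exactly 2.0.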