On Tue, 2007-07-03 at 16:39 +0200, Cliff Stanford wrote:
> I'm still a bit vague on how the SpamAssassin rules fit together but
> I've noticed that, since upgrading to the latest version, I'm getting a
> lot of false positives.
>
> The common cause seems to be Botnet.cf.


Botnet is very aggressive by default. Combining it with p0f, it is
almost useful. Setting up p0f support is a non-trivial exercise, for
which there are good articles in the archives that would explain it much
better than I could do here.

My rules are:

meta BOTNET_WXP !DKIM_VERIFIED && !DK_VERIFIED && L_P0F_WXP && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_WXP 3.2

meta BOTNET_W !DKIM_VERIFIED && !DK_VERIFIED && (L_P0F_W || L_P0F_UNKN) && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_W 2.0

meta BOTNET_OTHER !BOTNET_W && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_OTHER 0.5

I'm still getting a trickle of false positives, but that seems to be
much more realistic than 5 for everything.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
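As an added illustration that is not part of the mail above, the following Python evaluates Daniel's three meta rules over constructed sets of rule hits, so the interplay of the DKIM/DK exemption, the p0f rules and the !BOTNET_W guard can be seen on sample data. Rule names and scores are the post's own; the hit sets and the L_P0F_LINUX name are assumptions for the demo.

```python
# Added example: evaluates the three Botnet meta rules from the post over
# constructed hit sets. Not SpamAssassin's own evaluator, just the rule logic.

# Scores exactly as given in the post.
META_SCORES = {"BOTNET_WXP": 3.2, "BOTNET_W": 2.0, "BOTNET_OTHER": 0.5}

def botnet_count(hits):
    """BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS: number of Botnet sub-rules hit."""
    return sum(r in hits for r in ("BOTNET_CLIENT", "BOTNET_BADDNS", "BOTNET_NORDNS"))

def evaluate(hits):
    """Return {meta_rule: score} for the metas that fire on this set of rule hits."""
    hits = set(hits)
    signed = "DKIM_VERIFIED" in hits or "DK_VERIFIED" in hits
    botnet = botnet_count(hits) > 0
    fired = {}
    # BOTNET_WXP: unsigned, p0f says Windows XP, at least one Botnet sub-rule
    if not signed and "L_P0F_WXP" in hits and botnet:
        fired["BOTNET_WXP"] = META_SCORES["BOTNET_WXP"]
    # BOTNET_W: unsigned, p0f says other/unknown Windows, at least one Botnet sub-rule
    if not signed and ("L_P0F_W" in hits or "L_P0F_UNKN" in hits) and botnet:
        fired["BOTNET_W"] = META_SCORES["BOTNET_W"]
    # BOTNET_OTHER: Botnet hit and BOTNET_W did not fire (only BOTNET_W is excluded)
    if "BOTNET_W" not in fired and botnet:
        fired["BOTNET_OTHER"] = META_SCORES["BOTNET_OTHER"]
    return fired

def total_score(hits):
    """Sum of the Botnet meta scores for a message, 0.0 if none fire."""
    return round(sum(evaluate(hits).values()), 1)

# Constructed sample hit sets (not real messages). L_P0F_LINUX is an assumed name.
SAMPLES = {
    "xp_bot":     {"L_P0F_WXP", "BOTNET_CLIENT", "BOTNET_NORDNS"},           # classic bot profile
    "xp_dkim":    {"L_P0F_WXP", "BOTNET_CLIENT", "BOTNET_NORDNS", "DKIM_VERIFIED"},  # same host, signed mail
    "unknown_os": {"L_P0F_UNKN", "BOTNET_BADDNS"},                           # unknown fingerprint
    "linux_mta":  {"L_P0F_LINUX", "BOTNET_CLIENT"},                          # non-Windows sender
    "clean":      {"L_P0F_WXP"},                                             # no Botnet hits at all
}

if __name__ == "__main__":
    for name, hits in SAMPLES.items():
        print(f"{name:11s} -> {evaluate(hits)} total={total_score(hits)}")
```

Note that the !BOTNET_W guard does not exclude BOTNET_WXP, so an unsigned XP sender with a Botnet hit collects 3.2 + 0.5 = 3.7, while the same host sending DKIM-verified mail drops to 0.5.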