On Tue, 09 May 2017 09:10:37 -0500
Chris wrote:
> Last night I changed the Botnet score to 1.0 and restarted SA however
> I see above that it still gave it a '5'.
>
> describe BOTNET Relay might be a spambot
> or virusbot
> header BOTNET eva
On Mon, 8 May 2017 18:44:41 -0500 (CDT)
David B Funk wrote:
> Years ago I dropped the default Botnet score (5.0) way down because
> of FPs like this.
The monolithic BOTNET rule is doing something analogous
to (RDNS_DYNAMIC || NO_RDNS).
I don't use that, I bring out the individual BOTNET subrule
On Tue, 2017-05-09 at 13:30 +0100, RW wrote:
> On Mon, 08 May 2017 19:59:06 -0500
> Chris wrote:
>
>
> >
> > I guess this rule hit is something that can't be avoided. I guess I
> > could lower the score but then that would defeat the purpose of the
> > rule.
> >
> > 5.5 KAM_STOCKTIP E
On Tue, 2017-05-09 at 12:28 +, David Jones wrote:
> >
> > From: David B Funk
>
> >
> > >
> > > On Mon, 8 May 2017, Chris wrote:
> > >
> >
> > I'd be concerned with what caused the DKIM signature to fail
> > validation.
> > (DKIM_SIGNED, T_DKIM_INVALID).
> > If something in the mail c
On Mon, 2017-05-08 at 20:54 -0500, David B Funk wrote:
> On Mon, 8 May 2017, Chris wrote:
>
> >>> whitelist_auth *@*.us-cert.gov us-cert.gov
> >> This should be:
> >>
> >> whitelist_auth *@*.us-cert.gov
> >>
> > I don't know why I keep putting the second entry in my 'my-
> > whitelist.cf' file. I
On Tue, 9 May 2017 12:28:13 +
David Jones wrote:
> Chris, how are you launching SA on your mail server? It looks like
> the body has been altered to add a warning at the top with a "Content
> preview:".
>
That's what you get if you set report_safe non-zero.
On Mon, 08 May 2017 19:59:06 -0500
Chris wrote:
> I guess this rule hit is something that can't be avoided. I guess I
> could lower the score but then that would defeat the purpose of the
> rule.
>
> 5.5 KAM_STOCKTIP Email Contains Pump & Dump Stock Tip
I ran it through the KAM rules
>From: David B Funk
>> On Mon, 8 May 2017, Chris wrote:
>>
>I'd be concerned with what caused the DKIM signature to fail validation.
>(DKIM_SIGNED, T_DKIM_INVALID).
>If something in the mail chain is breaking DKIM validation then attempts to
>use
>things like whitelist_auth are doomed to f