Re: Botnet spam not being caught

2009-06-15 Thread Benny Pedersen
On Mon, June 15, 2009 02:59, Chip M. wrote: > You might want to make some meta rules for those two cases (China > TLD in a URL, Sender == Recipient). http://www.nabble.com/postfwd-stop-equal-sender-recipient-spams-td21164908.html don't waste resources in the MTA :) -- http://localhost/ 100% uptime

Re: Botnet spam not being caught

2009-06-15 Thread LuKreme
On 14-Jun-2009, at 22:46, LuKreme wrote: On Jun 14, 2009, at 18:59, "Chip M." wrote: In all (5) of the hams I found, the IP was in IANA Reserved space (specifically 192.168.0.0/16). Most were in reserved space, but by no means all of them. I checked 2.5 months worth of logs for my most div

Re: Botnet spam not being caught

2009-06-14 Thread LuKreme
On Jun 14, 2009, at 18:59, "Chip M." wrote: In all (5) of the hams I found, the IP was in IANA Reserved space (specifically 192.168.0.0/16). Most were in reserved space, but by no means all of them. I checked 2.5 months worth of logs for my most diverse domain, and found only 5 (out of 2139

Re: Botnet spam not being caught

2009-06-14 Thread Chip M.
Charles Gregory wrote: >Do they all have message ID's that include the IP? You could score >that 0.3 or so to help push it over the line. Also give a bit more Shiny - I had not noticed this pattern. Thanks guys! :) LuKreme wrote: >and found it hit more mailinglist ham than spam, so I'd tread >ca

Re: [sa] Re: Botnet spam not being caught

2009-06-14 Thread Charles Gregory
On Sun, 14 Jun 2009, John Hardin wrote: header MSGIDIP Message-Id =~ /\...@\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/ Refine that just a tiny bit: header MSGIDIP Message-Id =~ /\...@\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]/ LOL! Busted! I was being lazy! - C
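A small Python check, added here and not written by anyone in the thread, that applies the refined MSGIDIP pattern above and goes one step further: it separates IANA reserved literals (the ham cases LuKreme reports elsewhere in the thread) from public ones before assigning the 0.3 weight. It assumes the archive obscured the part of the rule before "@", so only the bracketed address is matched, and the sample Message-Ids are constructed.

```python
import ipaddress
import re

# Added example, not the thread's own code. The original pattern kept a prefix before
# "@" that the archive obscured, so only the bracketed dotted quad is matched here (assumption).
LOOSE = re.compile(r"@\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]")
STRICT = re.compile(r"@\[([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\]")


def msgid_ip(message_id: str):
    """Return the bracketed IPv4 literal in a Message-Id, or None if absent or invalid."""
    m = STRICT.search(message_id)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1))
    except ValueError:  # the regex allows e.g. 300.1.1.1, which is not an address
        return None


def classify(message_id: str) -> str:
    """'none' (no usable IP literal), 'private' (IANA reserved space such as
    192.168.0.0/16, the ham pattern reported in the thread) or 'public'."""
    ip = msgid_ip(message_id)
    if ip is None:
        return "none"
    return "private" if ip.is_private else "public"


def msgidip_score(message_id: str) -> float:
    """Give the thread's suggested 0.3 only to a public IP literal."""
    return 0.3 if classify(message_id) == "public" else 0.0


# Constructed samples; 78.97.185.89 is the literal quoted in the thread.
SAMPLES = {
    "<20090613185600.GA1234@[78.97.185.89]>": "public",
    "<20090613185601.GA1235@[192.168.0.12]>": "private",
    "<20090613185602.GA1236@[1234.5.6.7]>": "none",  # loose regex hits, strict does not
    "<20090613185603.GA1237@[300.1.1.1]>": "none",   # strict regex hits, not a valid IP
    "<20090613185604.GA1238@mail.example.com>": "none",
}

if __name__ == "__main__":
    for mid, expected in SAMPLES.items():
        print(mid, "loose=%s" % bool(LOOSE.search(mid)), classify(mid), expected,
              msgidip_score(mid))
```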

Re: Botnet spam not being caught

2009-06-14 Thread John Hardin
On Sun, 14 Jun 2009, Charles Gregory wrote: On Sat, 13 Jun 2009, MySQL Student wrote: Received: from [78.97.185.89] (unknown [78.97.185.89]) Message-ID: Do they all have message ID's that include the IP? Yeah, great, it looks like they al

Re: Botnet spam not being caught

2009-06-14 Thread Charles Gregory
On Sat, 13 Jun 2009, MySQL Student wrote: Received: from [78.97.185.89] (unknown [78.97.185.89]) Message-ID: Do they all have message ID's that include the IP? Yeah, great, it looks like they all do. Would something like this work? header MY

Re: Botnet spam not being caught

2009-06-14 Thread Benny Pedersen
On Sun, June 14, 2009 03:10, MySQL Student wrote: > Home | Contact Us | Privacy Policy | Terms of Use | Unsubscribe | this is a spammy line, with often faked domains (content looks like micro$oft) but the URL is not their domain > Where can I go from here? sa-learn --spam < msg and/or make a rule f

Re: Botnet spam not being caught

2009-06-13 Thread LuKreme
On 13-Jun-2009, at 19:56, MySQL Student wrote: Received: from [78.97.185.89] (unknown [78.97.185.89]) Message-ID: Do they all have message ID's that include the IP? Yeah, great, it looks like they all do. Would something like this work? header MYMSGIP Message-ID =~ /78.97.185

Re: Botnet spam not being caught

2009-06-13 Thread John Rudd
On Sat, Jun 13, 2009 at 18:56, MySQL Student wrote: > > I also see BOTNET_NORDNS in Botnet.cf, but it isn't being triggered. It's > also weighted at 0.0. Is there a reason for this? There are two ways to use Botnet: 1) one big rule (BOTNET) that rolls up all of the sub-rule scores. 2) triggering

Re: Botnet spam not being caught

2009-06-13 Thread John Rudd
On Sat, Jun 13, 2009 at 18:47, MySQL Student wrote: > Hi John, > >> Botnet seems to have caught that just fine (it's listed in the rules >> which were triggered).  The problem is either that you're running it >> at a lower score (which you could also do for Botnet0.8 if you wanted >> to upgrade --

Re: Botnet spam not being caught

2009-06-13 Thread MySQL Student
Hi Charles, Received: from [78.97.185.89] (unknown [78.97.185.89]) >> Message-ID: >> > > Do they all have message ID's that include the IP? Yeah, great, it looks like they all do. Would something like this work? header MYMSGIP Message-ID =~ /78.97.185.89/ score MYMSGIP 0.3 desc

Re: Botnet spam not being caught

2009-06-13 Thread MySQL Student
Hi John, Botnet seems to have caught that just fine (it's listed in the rules > which were triggered). The problem is either that you're running it > at a lower score (which you could also do for Botnet0.8 if you wanted > to upgrade -- their default scores are exactly the same), or you need > oth

Re: Botnet spam not being caught

2009-06-13 Thread Charles Gregory
On Sat, 13 Jun 2009, MySQL Student wrote: Received: from [78.97.185.89] (unknown [78.97.185.89]) Message-ID: Do they all have message ID's that include the IP? You could score that 0.3 or so to help push it over the line. Also give a bit more score to the RDNS rules You also might want

Re: Botnet spam not being caught

2009-06-13 Thread John Rudd
Botnet seems to have caught that just fine (it's listed in the rules which were triggered). The problem is either that you're running it at a lower score (which you could also do for Botnet0.8 if you wanted to upgrade -- their default scores are exactly the same), or you need other rules/configs t

Botnet spam not being caught

2009-06-13 Thread MySQL Student
Hi all, I'm using SA-3.2.5 on Linux and my system is being deluged with spam that isn't being caught, apparently from botnets. I'm using botnet-0.7. The subject is random and the "Received from" header is always an unresolvable IP. Is there a more robust botnet plugin that may be more effective? B