Re: BOTNET hits on ham

2014-07-27 Thread Karsten Bräckelmann
Congrats on these complete and comprehensible sentences. Must have taken longer to write this reply, than throwing together your original question. On Sun, 2014-07-27 at 17:30 -0500, Chris wrote: > I pasted the message headers, if you had wanted the SA headers also I > would have provided them but

Re: BOTNET hits on ham

2014-07-27 Thread Chris
On Mon, 2014-07-28 at 00:21 +0200, Karsten Bräckelmann wrote: > On Sun, 2014-07-27 at 16:06 -0500, Chris wrote: > > On Sun, 2014-07-27 at 22:21 +0200, Karsten Bräckelmann wrote: > > > > Please do use line-breaks where appropriate. > > > > > > Also, we'll need the sample, at least the full headers

Re: BOTNET hits on ham

2014-07-27 Thread Karsten Bräckelmann
On Sun, 2014-07-27 at 16:06 -0500, Chris wrote: > On Sun, 2014-07-27 at 22:21 +0200, Karsten Bräckelmann wrote: > > Please do use line-breaks where appropriate. > > > > Also, we'll need the sample, at least the full headers. Put them up a > > pastebin and provide the link. > > Link to the header

Re: BOTNET hits on ham

2014-07-27 Thread Chris
On Sun, 2014-07-27 at 22:21 +0200, Karsten Bräckelmann wrote: > On Sun, 2014-07-27 at 13:08 -0500, Chris wrote: > > I keep getting BOTNET scores on Fox News Breaking News alerts from > > FoxNews.com > > in /etc/mail/spamassassin/my-whitelis.cf I have this line - > > whitelist_from_rcvd foxn...@new

Re: BOTNET hits on ham

2014-07-27 Thread Karsten Bräckelmann
On Sun, 2014-07-27 at 13:08 -0500, Chris wrote: > I keep getting BOTNET scores on Fox News Breaking News alerts from > FoxNews.com > in /etc/mail/spamassassin/my-whitelis.cf I have this line - > whitelist_from_rcvd foxn...@newsletters.foxnews.com > newsletters.foxnews.com I've added this line to t

Re: BOTNET IPv6 patch

2011-07-04 Thread Matthew Newton
Hi Yves, On Sat, Jul 02, 2011 at 10:06:17AM +0200, Yves Goergen wrote: > >> Doesn't seem to work. It's a false positive again. And Botnet recognises > >> the incoming IPv6 address as some IPv4 address and reports that one. > > > > That doesn't look right - unless your munging has really messed it

Re: BOTNET IPv6 patch

2011-07-02 Thread Lee Dilkie
interesting. the ipv6 address is correct, spock.dilkie.com was the source of the email. however, the quoted ipv4 address, 216.191.234.70 is my employer's mail gateway (Mitel), and I suspect the script grabbed the ip address I used to send the test message to my server that was relayed to Yves. (i

Re: BOTNET IPv6 patch

2011-07-02 Thread Yves Goergen
On 30.06.2011 13:06 CE(S)T, Matthew Newton wrote: > On Wed, Jun 29, 2011 at 09:59:52PM +0200, Yves Goergen wrote: >>> Received: from sp***ck.di***ie.com ([2001:***::40]) >>> by do***rd.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) >>> (Exim 4.71) >>> (envelope-from ) >>> id 1Q

Re: BOTNET IPv6 patch

2011-06-30 Thread Matthew Newton
Hi, On Thu, Jun 30, 2011 at 04:07:57PM +0200, Mark Martinec wrote: > (I'm Cc'ing to Matthew in case he wants to check how it turns out > on his mailer). Arrived over IPv6 fine here, and did not hit (patched) BOTNET. Cheers Matthew -- Matthew Newton, Ph.D. Systems Architect (UNIX and Networ

Re: BOTNET IPv6 patch

2011-06-30 Thread Mark Martinec
Yves, > > Btw, this Cc should be arriving over IPv6 too... > Sorry, it's here indeed. And Botnet has caught it again. :( > > Some of the headers: > > Received: from mail.ijs.si ([2001:1470:ff80::25]) > > by dotforward.de with esmtp (Exim 4.71) > > (envelope-from ) > > id 1Qc3nH-

Re: BOTNET IPv6 patch

2011-06-30 Thread Matthew Newton
On Thu, Jun 30, 2011 at 12:06:06PM +0100, Matthew Newton wrote: > > Doesn't seem to work. It's a false positive again. And Botnet recognises > > the incoming IPv6 address as some IPv4 address and reports that one. > > That doesn't look right - unless your munging has really messed it > up. BOTNET

Re: BOTNET IPv6 patch

2011-06-30 Thread Matthew Newton
Hi Yves, On Wed, Jun 29, 2011 at 09:03:52PM +0200, Yves Goergen wrote: > I was looking for an IPv6 fix for Botnet before but nobody (including > me) was able to do it. I have now looked at your solution and to my > Perl-unexperienced eyes, it looks promising. > > I have installed it on my server

Re: BOTNET IPv6 patch

2011-06-30 Thread Benny Pedersen
On Thu, 30 Jun 2011 09:05:20 +0200, Yves Goergen wrote: Is somebody else interested in testing this Botnet version and have me sending a message to him? maybe me ? does my ipv6 have reverse ptr dns ? btw subscribe to isc.org mailing lists (bind, dhcp...) they are on ipv6

Re: BOTNET IPv6 patch

2011-06-30 Thread Yves Goergen
On 30.06.2011 01:03 CE(S)T, Mark Martinec wrote: > Btw, this Cc should be arriving over IPv6 too... Mark, I didn't receive your direct copy until now. And the list message arrived through IPv4 (mail.apache.org). But I did receive a message through IPv6 from somebody else, and this time Botnet di

Re: BOTNET IPv6 patch

2011-06-29 Thread Mark Martinec
On Wednesday June 29 2011 21:59:52 Yves Goergen wrote: > On 29.06.2011 21:03 CE(S)T, Yves Goergen wrote: > > Could somebody please just send me a message from an IPv6 > > mail server to my address? (Preferably from a host that should not be > > caught by Botnet...) > [...] > Doesn't seem to work. I

Re: BOTNET IPv6 patch

2011-06-29 Thread Yves Goergen
On 29.06.2011 21:03 CE(S)T, Yves Goergen wrote: > Could somebody please just send me a message from an IPv6 > mail server to my address? (Preferably from a host that should not be > caught by Botnet...) Here's a mail I just received: (thank you to the sender) > Received: from sp***ck.di***ie.com

Re: BOTNET IPv6 patch

2011-06-29 Thread Yves Goergen
On 13.06.2011 13:51 CE(S)T, Matthew Newton wrote: >> Can you post the patched Botnet.pm and Botnet.cf, that would be cool. > > I've put the patched Botnet.pm here: > > http://www.le.ac.uk/users/mcn4/botnet/ Hi, I was looking for an IPv6 fix for Botnet before but nobody (including me) was able t

Re: BOTNET IPv6 patch

2011-06-16 Thread Jason Bertoch
On 6/13/2011 7:51 AM, Matthew Newton wrote: I've therefore hacked together the following patch to Botnet.pm (0.8). It should fix the main issue that BOTNET does not do any lookups for IP addresses that look like IPv6 addresses. It I've put the patched Botnet.pm here: http://www.le.ac.uk/

Re: BOTNET IPv6 patch

2011-06-13 Thread Jari Fredriksson
13.6.2011 14:51, Matthew Newton wrote: > Hi, > > On Sat, Jun 11, 2011 at 02:44:19AM +0300, Jari Fredriksson wrote: >> 11.6.2011 0:41, Matthew Newton wrote: >>> >>> I've therefore hacked together the following patch to Botnet.pm >>> (0.8). It should fix the main issue that BOTNET does not d

Re: BOTNET IPv6 patch

2011-06-13 Thread Matthew Newton
Hi, On Sat, Jun 11, 2011 at 02:44:19AM +0300, Jari Fredriksson wrote: > 11.6.2011 0:41, Matthew Newton wrote: > > > > I've therefore hacked together the following patch to Botnet.pm > > (0.8). It should fix the main issue that BOTNET does not do any > > lookups for IP addresses that look

Re: BOTNET IPv6 patch

2011-06-10 Thread Jari Fredriksson
11.6.2011 0:41, Matthew Newton wrote: > > I've therefore hacked together the following patch to Botnet.pm > (0.8). It should fix the main issue that BOTNET does not do any > lookups for IP addresses that look like IPv6 addresses. It Hi! I really need that, but the patch did not work, ot

Re: BOTNET rules question

2011-01-08 Thread Yves Goergen
On 06.01.2011 15:13 CE(S)T, Mark Martinec wrote: > --- Botnet.pm.ori 2007-08-06 03:53:55.0 +0200 > +++ Botnet.pm 2011-01-06 14:56:12.009017547 +0100 > @@ -703,4 +703,6 @@ > my ($resolver, $query, $rr, $i, @a); > > + return 1 if defined $ip && $ip =~ /:/; # does not handle IPv6

Re: BOTNET rules question

2011-01-08 Thread Yves Goergen
On 06.01.2011 15:13 CE(S)T, Mark Martinec wrote: > Nevertheless, out of necessity, here is a quick hack to prevent > Botnet FPs on IPv6 connections (that came with a bunch of > emitted warnings that accompanied each such mail message). Thank you very much for your IPv6 patch. I've seen the problem m

Re: BOTNET rules question

2011-01-06 Thread Mark Martinec
> On 1/5/2011 5:11 PM, Mark Martinec wrote: > > Btw, the BOTNET plugin also produces a FP hit for any IPv6 connection, > > regardless of its rDNS. If someone is interested in a quick hack > > patch, I can post it. > > Mark, please do post the patch. It's good to see that someone is > supporting t

Re: BOTNET rules question

2011-01-06 Thread Jari Fredriksson
On 6.1.2011 15:42, Henrik K wrote: > On Thu, Jan 06, 2011 at 02:46:30PM +0200, Jari Fredriksson wrote: >> On 6.1.2011 0:10, Lawrence @ Rogers wrote: >>> >>> I would remove the p0f and botnet rules if I were you. That would solve >>> your problem. >>> >> >> I find BOTNET an excellent addition to my

Re: BOTNET rules question

2011-01-06 Thread Henrik K
On Thu, Jan 06, 2011 at 02:46:30PM +0200, Jari Fredriksson wrote: > On 6.1.2011 0:10, Lawrence @ Rogers wrote: > > > > I would remove the p0f and botnet rules if I were you. That would solve > > your problem. > > > > I find BOTNET an excellent addition to my SA. Of course it is, most spam is fr

Re: BOTNET rules question

2011-01-06 Thread Jari Fredriksson
On 6.1.2011 0:10, Lawrence @ Rogers wrote: > > I would remove the p0f and botnet rules if I were you. That would solve > your problem. > I find BOTNET an excellent addition to my SA. TOP SPAM RULES FIRED -- RANKRULE NAME

Re: BOTNET rules question

2011-01-06 Thread Benny Pedersen
On Wed 05 Jan 2011 23:10:41 CET, "Lawrence @ Rogers" wrote I would remove the p0f and botnet rules if I were you. That would solve your problem. it will not solve it for others unless reverse dns is solved as well -- xpoint http://www.unicom.com/pw/reply-to-harmful.html

Re: BOTNET rules question

2011-01-06 Thread Benny Pedersen
On Wed 05 Jan 2011 22:52:41 CET, Michael Monnerie wrote I received this info from a customer, whose order confirmation from the londontheatredirect.com got marked as spam because of BOTNET* rules. Are those rules too old, or is that server in a botnet? How to find out? Or which rules scores shou

Re: BOTNET rules question

2011-01-05 Thread Bill Landry
On 1/5/2011 5:11 PM, Mark Martinec wrote: Combining p0f with BOTNET is intended to *reduce* the high number of false positives that BOTNET alone produces, *at least* for the non-windows machines. The windows hosts are left alone and are not protected by p0f from BOTNET FP. If someone is scoring

Re: BOTNET rules question

2011-01-05 Thread Mark Martinec
Combining p0f with BOTNET is intended to *reduce* the high number of false positives that BOTNET alone produces, *at least* for the non-windows machines. The windows hosts are left alone and are not protected by p0f from BOTNET FP. If someone is scoring p0f in combination with BOTNET differently,

Re: BOTNET rules question

2011-01-05 Thread Lawrence @ Rogers
On 05/01/2011 8:38 PM, RW wrote: Aside from BOTNET_WIN the p0f rules are low-scoring and add-up to zero. Since BOTNETS are 100% Windows it doesn't seem unreasonable to use p0f in a metarule. However, you might want to look into this inconsistency: You are right about the overlapping and one rule

Re: BOTNET rules question

2011-01-05 Thread RW
On Wed, 05 Jan 2011 18:40:41 -0330 "Lawrence @ Rogers" wrote: > I would suspect that you are using non-standard rules. What's most > concerning is the old p0f rules that are looking for Windows XP. That > is dangerous and a bad thing to use as a rule (the OS of the sender). Aside from BOTNET_W

Re: BOTNET rules question

2011-01-05 Thread Lawrence @ Rogers
On 05/01/2011 6:22 PM, Michael Monnerie wrote: Dear list, I received this info from a customer, whose order confirmation from the londontheatredirect.com got marked as spam because of BOTNET* rules. Are those rules too old, or is that server in a botnet? How to find out? Or which rules scores sh

Re: BOTNET rules question

2011-01-05 Thread Michael Scheidell
On 1/5/11 4:52 PM, Michael Monnerie wrote: server88-208-245-26.live- servers.net botnet is NOT a stock SA rule plus, look at the silly DYNAMIC RULE LOOKING rdns. fix rdns. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 >*| *SECNAP Network Security Corporation *

Re: Botnet plugin still relevant?

2010-03-22 Thread Kai Schaetzl
John Hardin wrote on Mon, 22 Mar 2010 10:47:35 -0700 (PDT): > How do you reject mail from a non-static IP without doing a DNSBL lookup > (e.g. Zen)? we are talking about lookups from SA here ;-) And these you can disable if you reject such mail, anyway. Kai -- Get your web at Conactive Inter

Re: Botnet plugin still relevant?

2010-03-22 Thread John Hardin
On Mon, 22 Mar 2010, Kai Schaetzl wrote: Micah anderson wrote on Mon, 22 Mar 2010 10:51:20 -0400: This brings it over the 8 threshold, although it is a legitimate email From a user who has unfortunately been saddled with a dynamic IP Most ISPs reject direct mail from non-static IP addresses

Re: Botnet plugin still relevant?

2010-03-22 Thread Kai Schaetzl
Micah anderson wrote on Mon, 22 Mar 2010 10:51:20 -0400: > This brings it over the 8 threshold, although it is a legitimate email > From a user who has unfortunately been saddled with a dynamic IP Most ISPs reject direct mail from non-static IP addresses nowadays. If you combine this with John H

Re: Botnet plugin still relevant?

2010-03-22 Thread RW
On Mon, 22 Mar 2010 10:51:20 -0400 micah anderson wrote: > Yeah, I've been having problems recently which I think are related to > me using both Zen/PBL along with the Botnet plugin weighted to score > level 5, even if I were to have it lower at 3 it would still be too > much. If you look in t

Re: Botnet plugin still relevant?

2010-03-22 Thread Joseph Brennan
micah anderson wrote: Yeah, I've been having problems recently which I think are related to me using both Zen/PBL along with the Botnet plugin weighted to score level 5, even if I were to have it lower at 3 it would still be too much. Are you using the PBL appropriately?

Re: Botnet plugin still relevant?

2010-03-22 Thread John Hardin
On Mon, 22 Mar 2010, micah anderson wrote: Many users are complaining and when I finally get some useful messages with headers to analyze I am finding something like the following: X-Spam-Report: * 3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL * [213.6.61.151 l

Re: Botnet plugin still relevant?

2010-03-22 Thread John Rudd
On Mon, Mar 22, 2010 at 07:51, micah anderson wrote: > From a user who has unfortunately been saddled with a dynamic IP that > previously was used by a spammer. No amount of explanation to these > users about this is going to assuage their feelings, and there isn't > really anything that can be d

Re: Botnet plugin still relevant?

2010-03-22 Thread Jari Fredriksson
On 22.3.2010 16:51, micah anderson wrote: > On Wed, 17 Mar 2010 14:45:53 -0700, John Rudd wrote: >> Some people need to put in some alternate values for DNS timeouts, but >> if you've got a local caching name server, you typically don't need >> that. >> >> There aren't any actual bugs in it that I

Re: Botnet plugin still relevant?

2010-03-22 Thread micah anderson
On Wed, 17 Mar 2010 14:45:53 -0700, John Rudd wrote: > Some people need to put in some alternate values for DNS timeouts, but > if you've got a local caching name server, you typically don't need > that. > > There aren't any actual bugs in it that I'm aware of, so I haven't > released a new versi

Re: Botnet plugin still relevant?

2010-03-17 Thread RW
On Wed, 17 Mar 2010 17:34:08 -0400 Micah Anderson wrote: > > Hi, > > I've been using the Botnet plugin version 0.8 for some time now, and > the plugin itself has been around since 2003 or so. I'm just curious > to test the waters and see what other's think about the relevance in > 2010 of this

Re: Botnet plugin still relevant?

2010-03-17 Thread John Rudd
Some people need to put in some alternate values for DNS timeouts, but if you've got a local caching name server, you typically don't need that. There aren't any actual bugs in it that I'm aware of, so I haven't released a new version. As I see it, there isn't a need (and that is a somewhat contr

Re: Botnet keeps tripping

2009-11-05 Thread John Rudd
yeah, RW pretty much hit this one on the head. You're going to need to exempt it by IP, not by domain name. On Thu, Nov 5, 2009 at 19:56, RW wrote: > On Fri, 6 Nov 2009 03:28:40 + > RW wrote: > > >>                              The mail.nisdtx.org in the headers is >> just a helo, so there'

Re: Botnet keeps tripping

2009-11-05 Thread RW
On Fri, 6 Nov 2009 03:28:40 + RW wrote: > The mail.nisdtx.org in the headers is > just a helo, so there's no real evidence for nisdtx.org anywhere in > the headers. The plugin could do its own A-record lookup on > mail.nisdtx.org and verify it against the IP addr

Re: Botnet keeps tripping

2009-11-05 Thread RW
On Thu, 5 Nov 2009 19:39:10 -0600 Jonathan Nichols wrote: > This might be very simple, but Botnet keeps triggering on a local > school district. I THOUGHT that I added it to the pass_domains list > correctly. I'm not 100% sure, but I think the issue is that it hits BOTNET because mail.nisdtx

RE: [sa] Re: BOTNET timeouts?

2009-06-15 Thread RobertH
Blazing Fast Slap ya twice for ya know it JH wrote: > A word of advice, though: your rants would be a great deal > more impressive and might actually generate some respect for > your opinions if they displayed a greater degree of > sophistication than that possessed by an average seventh-gra

Re: [sa] Re: BOTNET timeouts?

2009-06-15 Thread mouss
Bill Landry wrote: >> Bill Landry wrote: >>> Res wrote: On Sat, 13 Jun 2009, Charles Gregory wrote: > On Sun, 14 Jun 2009, Res wrote: >> Though now its Sunday, I have socialising to do, and none of that >> includes sitting on mailing lists listening to cry babies who exp

Re: [sa] Re: BOTNET timeouts?

2009-06-15 Thread Bill Landry
> Bill Landry wrote: >> Res wrote: >>> On Sat, 13 Jun 2009, Charles Gregory wrote: >>> On Sun, 14 Jun 2009, Res wrote: > Though now its Sunday, I have socialising to do, and none of that > includes sitting on mailing lists listening to cry babies who expect > people involved in

Re: [sa] Re: BOTNET timeouts?

2009-06-15 Thread Res
On Sun, 14 Jun 2009, John Hardin wrote: Last time I looked, Justin ran this list, not you. you, and if Justin has a problem with it _he_ can take care of it. Exactly. A word of advice, though: your rants would be a great deal more impressive Errr, I'm not here to impress anyone and mi

Re: [sa] Re: BOTNET timeouts?

2009-06-15 Thread Res
On Sun, 14 Jun 2009, Bill Landry wrote: Maybe you could add your email address to your outbound mail server's killfile. I know that would deprive the world of your comic relief, but What, and not have the delight of showing you for the sook and demanding whiner that you are? not a chance :)

Re: [sa] Re: BOTNET timeouts?

2009-06-15 Thread Res
On Sun, 14 Jun 2009, Charles Gregory wrote: A killfile. That would be the place to put "cry babies" wouldn't it? Good idea. Glad you thought of it. Go do it. Add me while you're at it. Sorry dont use em, I save sooks like you for rainy weekends so i can have more fun when I'm bored. -- Res

Re: [sa] Re: BOTNET timeouts?

2009-06-15 Thread mouss
Bill Landry wrote: > Res wrote: >> On Sat, 13 Jun 2009, Charles Gregory wrote: >> >>> On Sun, 14 Jun 2009, Res wrote: Though now its Sunday, I have socialising to do, and none of that includes sitting on mailing lists listening to cry babies who expect people involved in OSSP's to

Re: Botnet spam not being caught

2009-06-15 Thread Benny Pedersen
On Mon, June 15, 2009 02:59, Chip M. wrote: > You might want to make some meta rules for those two cases (China > TLD in a URL, Sender == Recipient). http://www.nabble.com/postfwd-stop-equal-sender-recipient-spams-td21164908.html dont waste resources in mta :) -- http://localhost/ 100% uptime

Re: Botnet spam not being caught

2009-06-15 Thread LuKreme
On 14-Jun-2009, at 22:46, LuKreme wrote: On Jun 14, 2009, at 18:59, "Chip M." wrote: In all (5) of the hams I found, the IP was in IANA Reserved space (specifically 192.168.0.0/16). Most were in reserved space, but by no means all of them. I checked 2.5 months worth of logs for my most div

Re: Botnet spam not being caught

2009-06-14 Thread LuKreme
On Jun 14, 2009, at 18:59, "Chip M." wrote: In all (5) of the hams I found, the IP was in IANA Reserved space (specifically 192.168.0.0/16). Most were in reserved space, but by no means all of them. I checked 2.5 months worth of logs for my most diverse domain, and found only 5 (out of 2139

Re: Botnet spam not being caught

2009-06-14 Thread Chip M.
Charles Gregory wrote: >Do they all have message ID's that include the IP? You could score >that 0.3 or so to help push it over the line. Also give a bit more Shiny - I had not noticed this pattern. Thanks guys! :) LuKreme wrote: >and found it hit more mailinglist ham than spam, so I'd tread >ca

Re: [sa] Re: BOTNET timeouts?

2009-06-14 Thread John Hardin
On Mon, 15 Jun 2009, Res wrote: On Sat, 13 Jun 2009, John Hardin wrote: On Sun, 14 Jun 2009, Res wrote: > It's the weekend and I was bored :) This list does not exist to provide you amusement. Last time I looked, Justin ran this list, not you. That's true. Fair enough, comment withdra

Re: [sa] Re: BOTNET timeouts?

2009-06-14 Thread Bill Landry
Res wrote: > On Sat, 13 Jun 2009, Charles Gregory wrote: > >> On Sun, 14 Jun 2009, Res wrote: >>> Though now its Sunday, I have socialising to do, and none of that >>> includes sitting on mailing lists listening to cry babies who expect >>> people involved in OSSP's to drop everything and be their

Re: [sa] Re: BOTNET timeouts?

2009-06-14 Thread Charles Gregory
On Mon, 15 Jun 2009, Res wrote: On Sat, 13 Jun 2009, Charles Gregory wrote: On Sun, 14 Jun 2009, Res wrote: > Though now its Sunday, I have socialising to do, and none of that > includes sitting on mailing lists listening to cry babies who expect > people involved in OSSP's to drop everyth

Re: [sa] Re: BOTNET timeouts?

2009-06-14 Thread Res
On Sat, 13 Jun 2009, Charles Gregory wrote: On Sun, 14 Jun 2009, Res wrote: Though now its Sunday, I have socialising to do, and none of that includes sitting on mailing lists listening to cry babies who expect people involved in OSSP's to drop everything and be their servants. So we'll just

Re: [sa] Re: BOTNET timeouts?

2009-06-14 Thread Res
On Sat, 13 Jun 2009, John Hardin wrote: On Sun, 14 Jun 2009, Res wrote: It's the weekend and I was bored :) This list does not exist to provide you amusement. Last time I looked, Justin ran this list, not you. -- Res -Beware of programmers who carry screwdrivers

Re: [sa] Re: Botnet spam not being caught

2009-06-14 Thread Charles Gregory
On Sun, 14 Jun 2009, John Hardin wrote: header MSGIDIP Message-Id =~ /\...@\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/ Refine that just a tiny bit: header MSGIDIP Message-Id =~ /\...@\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]/ LOL! Busted! I was being lazy! - C

Re: Botnet spam not being caught

2009-06-14 Thread John Hardin
On Sun, 14 Jun 2009, Charles Gregory wrote: On Sat, 13 Jun 2009, MySQL Student wrote: Received: from [78.97.185.89] (unknown [78.97.185.89]) Message-ID: Do they all have message ID's that include the IP? Yeah, great, it looks like they al

Re: Botnet spam not being caught

2009-06-14 Thread Charles Gregory
On Sat, 13 Jun 2009, MySQL Student wrote: Received: from [78.97.185.89] (unknown [78.97.185.89]) Message-ID: Do they all have message ID's that include the IP? Yeah, great, it looks like they all do. Would something like this work? header MY

Re: Botnet spam not being caught

2009-06-14 Thread Benny Pedersen
On Sun, June 14, 2009 03:10, MySQL Student wrote: > Home | Contact Us | Privacy Policy | Terms of Use | Unsubscribe | this is spammy line, with often faked domains (content looks like micro$oft) but url is not there domain > Where can I go from here? sa-learn --spam < msg and or make a rule f

Re: Botnet spam not being caught

2009-06-13 Thread LuKreme
On 13-Jun-2009, at 19:56, MySQL Student wrote: Received: from [78.97.185.89] (unknown [78.97.185.89]) Message-ID: Do they all have message ID's that include the IP? Yeah, great, it looks like they all do. Would something like this work? header MYMSGIPMessage-ID =~ /78.97.185

Re: Botnet spam not being caught

2009-06-13 Thread John Rudd
On Sat, Jun 13, 2009 at 18:56, MySQL Student wrote: > > I also see BOTNET_NORDNS in Botnet.cf, but it isn't being triggered. It's > also weighted at 0.0. Is there a reason for this? There's two ways to use Botnet: 1) one big rule (BOTNET) that rolls up all of the sub-rule scores. 2) triggering

Re: Botnet spam not being caught

2009-06-13 Thread John Rudd
On Sat, Jun 13, 2009 at 18:47, MySQL Student wrote: > Hi John, > >> Botnet seems to have caught that just fine (it's listed in the rules >> which were triggered).  The problem is either that you're running it >> at a lower score (which you could also do for Botnet0.8 if you wanted >> to upgrade --

Re: Botnet spam not being caught

2009-06-13 Thread MySQL Student
Hi Charles, Received: from [78.97.185.89] (unknown [78.97.185.89]) >> Message-ID: >> > > Do they all have message ID's that include the IP? Yeah, great, it looks like they all do. Would something like this work? header MYMSGIPMessage-ID =~ /78.97.185.89/ score MYMSGIP0.3 desc

Re: Botnet spam not being caught

2009-06-13 Thread MySQL Student
Hi John, Botnet seems to have caught that just fine (it's listed in the rules > which were triggered). The problem is either that you're running it > at a lower score (which you could also do for Botnet0.8 if you wanted > to upgrade -- their default scores are exactly the same), or you need > oth

Re: Botnet spam not being caught

2009-06-13 Thread Charles Gregory
On Sat, 13 Jun 2009, MySQL Student wrote: Received: from [78.97.185.89] (unknown [78.97.185.89]) Message-ID: Do they all have message ID's that include the IP? You could score that 0.3 or so to help push it over the line. Also give a bit more score to the RDNS rules You also might want

Re: Botnet spam not being caught

2009-06-13 Thread John Rudd
Botnet seems to have caught that just fine (it's listed in the rules which were triggered). The problem is either that you're running it at a lower score (which you could also do for Botnet0.8 if you wanted to upgrade -- their default scores are exactly the same), or you need other rules/configs t

Re: BOTNET timeouts?

2009-06-13 Thread LuKreme
On 13-Jun-2009, at 18:21, John Hardin wrote: On Sun, 14 Jun 2009, Res wrote: It's the weekend and I was bored :) This list does not exist to provide you amusement. Are you sure about that? -- I gotta straighten my face This mellow-thighed chick just put my spine out of place

Re: [sa] Re: BOTNET timeouts?

2009-06-13 Thread Charles Gregory
On Sun, 14 Jun 2009, Res wrote: Though now its Sunday, I have socialising to do, and none of that includes sitting on mailing lists listening to cry babies who expect people involved in OSSP's to drop everything and be their servants. So we'll just all pretend you didn't send this message.

Re: [sa] Re: BOTNET timeouts?

2009-06-13 Thread John Hardin
On Sun, 14 Jun 2009, Res wrote: It's the weekend and I was bored :) This list does not exist to provide you amusement. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4

Re: BOTNET timeouts?

2009-06-13 Thread Res
Truth still hurts hey, one day you might smell the coffee :) On Sat, 13 Jun, Bill Landry as usual sooked nothing worth reading: -- Res -Beware of programmers who carry screwdrivers

Re: [sa] Re: BOTNET timeouts?

2009-06-13 Thread Res
On Sat, 13 Jun 2009, Charles Gregory wrote: I'm always amused by the hypocrisy of people who spend paragraphs of text explaining that the person they are addressing is 'not worth their time'. It's the weekend and I was bored :) Though now its Sunday, I have socialising to do, and none of tha

Re: BOTNET timeouts?

2009-06-13 Thread John Hardin
On Sat, 13 Jun 2009, Res wrote: On Thu, 11 Jun 2009, Bill Landry wrote: How long have you been on this list? A lot longer than you might think, I don't say much here, ... we give up our lives and work JUST to satisfy something you want, it will never happen turdbreath, get used to it, if

Re: [sa] Re: BOTNET timeouts?

2009-06-13 Thread Charles Gregory
On Sat, 13 Jun 2009, Res wrote: my life comes before no-life whinging fucking cry baby lamers like you. I'm always amused by the hypocrisy of people who spend paragraphs of text explaining that the person they are addressing is 'not worth their time'. - C

Re: BOTNET timeouts?

2009-06-13 Thread Bill Landry
Res wrote: > On Sat, 13 Jun 2009, Bill Landry wrote: > >> I just love these kinds of responses (talk about 5yo tantrums), as they >> only serve to prove my point about your credibility and the value of >> your opinions. Thank you! :-) > > truth hurts dont it landry, just like i tell those who

Re: BOTNET timeouts?

2009-06-13 Thread Bill Landry
Benny Pedersen wrote: > On Sat, June 13, 2009 14:31, Bill Landry wrote: >> However, if >> you are willing to release something to the open source community, you >> should also be willing to take on the responsibility of providing >> ongoing support for it. > > who says that ?, i have maybe missund

Re: BOTNET timeouts?

2009-06-13 Thread Benny Pedersen
On Sat, June 13, 2009 14:31, Bill Landry wrote: > However, if > you are willing to release something to the open source community, you > should also be willing to take on the responsibility of providing > ongoing support for it. who says that ?, i have maybe misunderstood gpl licenses ?, its far

Re: BOTNET timeouts?

2009-06-13 Thread Bill Landry
John Rudd wrote: > Further, Bill, I don't answer to you for my time constraints. Now > quit your whining and put your money where your mouth is. If it's so > important, then provide a fix that replaces Net::DNS with SA's > internal DNS routines, and I'll use it. If it's not important enough > t

Re: BOTNET timeouts?

2009-06-13 Thread Res
On Sat, 13 Jun 2009, Bill Landry wrote: I just love these kinds of responses (talk about 5yo tantrums), as they only serve to prove my point about your credibility and the value of your opinions. Thank you! :-) truth hurts dont it landry, just like i tell those who "demand" extra capabilit

Re: BOTNET timeouts?

2009-06-13 Thread Res
On Sat, 13 Jun 2009, Bill Landry wrote: Res wrote: No because I seem to have reliable DNS and have never exhibited the issue. Oh, and if in fact you "really" had a clue, you would know that "DNS reliability" has absolutely nothing to do with this issue... ;-) funny, given most people dont

Re: BOTNET timeouts?

2009-06-13 Thread Bill Landry
Res wrote: > No because I seem to have reliable DNS and have never exhibited the issue. Oh, and if in fact you "really" had a clue, you would know that "DNS reliability" has absolutely nothing to do with this issue... ;-) Bill

Re: BOTNET timeouts?

2009-06-13 Thread Bill Landry
I just love these kinds of responses (talk about 5yo tantrums), as they only serve to prove my point about your credibility and the value of your opinions. Thank you! :-) Bill Res wrote: > On Thu, 11 Jun 2009, Bill Landry wrote: > >>> I'm sure John might be happier to stay awake later and wor

Re: BOTNET timeouts?

2009-06-13 Thread Res
On Thu, 11 Jun 2009, Bill Landry wrote: I'm sure John might be happier to stay awake later and work on it for a hour or so each night as a 'priority' *IF* Bill was willing to pay John for his time, but I suspect not somehow, as it is far easier to come on a mailing list and have a temper tantru

Re: BOTNET timeouts?

2009-06-12 Thread Charles Gregory
On Fri, 12 Jun 2009, LuKreme wrote: So if I may recommend: Why not include the patch as a separate file in your download, John explained why. This patch does not represent the direction he wants to go with Botnet. Remember that comment about design philosophy? When he GOES in that direction, t

Re: BOTNET timeouts?

2009-06-12 Thread Henrik K
On Fri, Jun 12, 2009 at 07:39:58PM -0600, LuKreme wrote: > >> But I would never guess from the package that a patch was available >> or >> useful. > > It is useful for SOME people under SOME conditions. It is not > *universally* useful. It's not universally useful to have some *basic* sanit

Re: BOTNET timeouts?

2009-06-12 Thread LuKreme
On 11-Jun-2009, at 13:45, Charles Gregory wrote: 2) I disagree that another person could/should 'fork' the botnet plug-in. This would cause confusion even if care was taken to rename the plug-in or otherwise distinguish the two versions for the newbie looking to download a recommended p

Re: BOTNET timeouts?

2009-06-11 Thread Bill Landry
>> This issue has been unresolved for way too long. All of this, in my >> mind, this makes the plugin orphaned and unusable if not patched with >> Mark's patch. > > Actually it's a patch by Daniel J McDonald from 2007-06-15. > I just refreshed it for 0.8 and reposted it two months later. > Credits

Re: BOTNET timeouts?

2009-06-11 Thread Mark Martinec
> This issue has been unresolved for way too long. All of this, in my > mind, this makes the plugin orphaned and unusable if not patched with > Mark's patch. Actually it's a patch by Daniel J McDonald from 2007-06-15. I just refreshed it for 0.8 and reposted it two months later. Credits where cre

Re: BOTNET timeouts?

2009-06-11 Thread Bill Landry
>> Well I suppose you could always take the product that you dislike so >> badly back to the store and ask for a refund of your purchase price. >> Sometimes it really amazes me how much, and how severely, some people >> will gripe about free products that exist only because other people >> volunte

Re: BOTNET timeouts?

2009-06-11 Thread Res
On Thu, 11 Jun 2009, Kevin Parris wrote: Well I suppose you could always take the product that you dislike so badly back to the store and ask for a refund of your purchase price. Sometimes it really amazes me how much, and how severely, some people will gripe about free products that exist o

Re: BOTNET timeouts?

2009-06-11 Thread Dave Koontz
John Hardin wrote ... (6/11/2009 4:21 PM): > On Thu, 11 Jun 2009, John Rudd wrote: > >> As I've said, I don't really have a plan to incorporate the patch >> into the main dist. > > You probably should. It doesn't prevent you from pursuing your design > changes, and it would fix the problem for thos
