On Tue, 09 May 2017 09:10:37 -0500
Chris wrote:
> Last night I changed the Botnet score to 1.0 and restarted SA however
> I see above that it still gave it a '5'.
>
> describe BOTNET Relay might be a spambot or virusbot
> header BOTNET eva
On Mon, 8 May 2017 18:44:41 -0500 (CDT)
David B Funk wrote:
> Years ago I dropped the default Botnet score (5.0) way down because
> of FPs like this.
The monolithic BOTNET rule is doing something analogous
to (RDNS_DYNAMIC || NO_RDNS).
I don't use that, I bring out the individual BOTNET subrule
On Tue, 2017-05-09 at 13:30 +0100, RW wrote:
> On Mon, 08 May 2017 19:59:06 -0500
> Chris wrote:
>
>
> >
> > I guess this rule hit is something that can't be avoided. I guess I
> > could lower the score but then that would defeat the purpose of the
> > rule.
> >
> > 5.5 KAM_STOCKTIP E
On Tue, 2017-05-09 at 12:28 +, David Jones wrote:
> >
> > From: David B Funk
>
> >
> > >
> > > On Mon, 8 May 2017, Chris wrote:
> > >
> >
> > I'd be concerned with what caused the DKIM signature to fail
> > validation.
> > (DKIM_SIGNED, T_DKIM_INVALID).
> > If something in the mail c
On Mon, 2017-05-08 at 20:54 -0500, David B Funk wrote:
> On Mon, 8 May 2017, Chris wrote:
>
> >>> whitelist_auth *@*.us-cert.gov us-cert.gov
> >> This should be:
> >>
> >> whitelist_auth *@*.us-cert.gov
> >>
> > I don't know why I keep putting the second entry in my
> > 'my-whitelist.cf' file. I
On Tue, 9 May 2017 12:28:13 +
David Jones wrote:
> Chris, how are you launching SA on your mail server? It looks like
> the body has been altered to add a warning at the top with a "Content
> preview:".
>
That's what you get if you set report_safe non-zero.
On Mon, 08 May 2017 19:59:06 -0500
Chris wrote:
> I guess this rule hit is something that can't be avoided. I guess I
> could lower the score but then that would defeat the purpose of the
> rule.
>
> 5.5 KAM_STOCKTIP Email Contains Pump & Dump Stock Tip
I ran it through the KAM rules
>From: David B Funk
>> On Mon, 8 May 2017, Chris wrote:
>>
>I'd be concerned with what caused the DKIM signature to fail validation.
>(DKIM_SIGNED, T_DKIM_INVALID).
>If something in the mail chain is breaking DKIM validation then attempts to use
>things like whitelist_auth are doomed to f
On Mon, 8 May 2017, Chris wrote:
whitelist_auth *@*.us-cert.gov us-cert.gov
This should be:
whitelist_auth *@*.us-cert.gov
I don't know why I keep putting the second entry in my
'my-whitelist.cf' file. I must have read it or something a long, long time
ago in order to be doing this.
Poss
On Tue, 2017-05-09 at 01:13 +, David Jones wrote:
> >
> > From: Chris
>
> >
> > David and others, thank you for the replies. I've lowered the score for
> > Botnet down to 1.0, may go lower if it continues to cause problems or
> > just get rid of it. I've added this to my whiteli
>From: Chris
>David and others, thank you for the replies. I've lowered the score for
>Botnet down to 1.0, may go lower if it continues to cause problems or
>just get rid of it. I've added this to my whitelist.cf:
>whitelist_auth *@*.us-cert.gov us-cert.gov
This should be:
whitelist_auth *
On Mon, 2017-05-08 at 18:44 -0500, David B Funk wrote:
> On Mon, 8 May 2017, John Hardin wrote:
>
> > On Mon, 8 May 2017, Chris wrote:
> >
> >> I get various posts from US-CERT none so far have been tagged as spam
> >> until today. The raw message with the SA tags is here - https://pastebi
>
On Mon, 8 May 2017, John Hardin wrote:
On Mon, 8 May 2017, Chris wrote:
I get various posts from US-CERT none so far have been tagged as spam
until today. The raw message with the SA tags is here -
https://pastebin.com/f71A2FfW What it hit on was:
pts rule name description
>From: John Hardin
>On Mon, 8 May 2017, Chris wrote:
>> I get various posts from US-CERT none so far have been tagged as spam
>> until today. The raw message with the SA tags is here -
>> https://pastebin.com/f71A2FfW What it hit on was:
>>
>> pts rule name description
>>
On Mon, 8 May 2017, John Hardin wrote:
I'd suggest whitelist_from_auth might help more.
gack. That should be "whitelist_auth", of course...
--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0x
On Mon, 8 May 2017, Chris wrote:
I get various posts from US-CERT none so far have been tagged as spam
until today. The raw message with the SA tags is here -
https://pastebin.com/f71A2FfW What it hit on was:
pts rule name description
From: Chris
>I get various posts from US-CERT none so far have been tagged as spam
>until today. The raw message with the SA tags is here -
>https://pastebin.com/f71A2FfW What it hit on was:
>I've added the address us-c...@ncas.us-cert.gov to the AWL and reran
>the message through SA which
I get various posts from US-CERT none so far have been tagged as spam
until today. The raw message with the SA tags is here -
https://pastebin.com/f71A2FfW What it hit on was:
pts rule name description