On 06.01.2011 15:13 CE(S)T, Mark Martinec wrote:
> --- Botnet.pm.ori 2007-08-06 03:53:55.0 +0200
> +++ Botnet.pm 2011-01-06 14:56:12.009017547 +0100
> @@ -703,4 +703,6 @@
> my ($resolver, $query, $rr, $i, @a);
>
> + return 1 if defined $ip && $ip =~ /:/; # does not handle IPv6
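Review bot: the early `return 1 if defined $ip && $ip =~ /:/;` bypasses the rest of the function for every address containing a colon, which also covers IPv4-mapped IPv6 addresses of the form `::ffff:a.b.c.d` that could still be checked after conversion to dotted-quad form; consider normalising those before this test. The `# does not handle IPv6` comment should also state what a return value of 1 means to the caller, since all later logic is skipped for such connections.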
On 06.01.2011 15:13 CE(S)T, Mark Martinec wrote:
> Nevertheless, out of necessity, here is a quick hack to prevent
> Botnet FPs on IPv6 connections (that came with a bunch of
> emitted warnings that accompanied each such mail message).
Thank you very much for your IPv6 patch. I've seen the problem m
> On 1/5/2011 5:11 PM, Mark Martinec wrote:
> > Btw, the BOTNET plugin also produces a FP hit for any IPv6 connection,
> > regardless of its rDNS. If someone is interested in a quick hack
> > patch, I can post it.
>
> Mark, please do post the patch. It's good to see that someone is
> supporting t
On 6.1.2011 15:42, Henrik K wrote:
> On Thu, Jan 06, 2011 at 02:46:30PM +0200, Jari Fredriksson wrote:
>> On 6.1.2011 0:10, Lawrence @ Rogers wrote:
>>>
>>> I would remove the p0f and botnet rules if I were you. That would solve
>>> your problem.
>>>
>>
>> I find BOTNET an excellent addition to my
On Thu, Jan 06, 2011 at 02:46:30PM +0200, Jari Fredriksson wrote:
> On 6.1.2011 0:10, Lawrence @ Rogers wrote:
> >
> > I would remove the p0f and botnet rules if I were you. That would solve
> > your problem.
> >
>
> I find BOTNET an excellent addition to my SA.
Of course it is, most spam is fr
On 6.1.2011 0:10, Lawrence @ Rogers wrote:
>
> I would remove the p0f and botnet rules if I were you. That would solve
> your problem.
>
I find BOTNET an excellent addition to my SA.
TOP SPAM RULES FIRED
--
RANK  RULE NAME
On ons 05 jan 2011 23:10:41 CET, "Lawrence @ Rogers" wrote
I would remove the p0f and botnet rules if I were you. That would
solve your problem.
it will not solve it for others unless reverse DNS is solved as well
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
On ons 05 jan 2011 22:52:41 CET, Michael Monnerie wrote
I received this info from a customer, whose order confirmation from the
londontheatredirect.com got marked as spam because of BOTNET* rules. Are
those rules too old, or is that server in a botnet? How to find out?
Or which rules scores shou
On 1/5/2011 5:11 PM, Mark Martinec wrote:
Combining p0f with BOTNET is intended to *reduce* the high number
of false positives that BOTNET alone produces, *at least* for the
non-windows machines. The windows hosts are left alone and are
not protected by p0f from BOTNET FP.
If someone is scoring
Combining p0f with BOTNET is intended to *reduce* the high number
of false positives that BOTNET alone produces, *at least* for the
non-windows machines. The windows hosts are left alone and are
not protected by p0f from BOTNET FP.
If someone is scoring p0f in combination with BOTNET differently,
On 05/01/2011 8:38 PM, RW wrote:
Aside from BOTNET_WIN the p0f rules are low-scoring and add up to zero.
Since BOTNETS are 100% Windows it doesn't seem unreasonable to use p0f
in a metarule. However, you might want to look into this inconsistency:
You are right about the overlapping and one rule
On Wed, 05 Jan 2011 18:40:41 -0330
"Lawrence @ Rogers" wrote:
> I would suspect that you are using non-standard rules. What's most
> concerning is the old p0f rules that are looking for Windows XP. That
> is dangerous and a bad thing to use as a rule (the OS of the sender).
Aside from BOTNET_W
On 05/01/2011 6:22 PM, Michael Monnerie wrote:
Dear list,
I received this info from a customer, whose order confirmation from the
londontheatredirect.com got marked as spam because of BOTNET* rules. Are
those rules too old, or is that server in a botnet? How to find out?
Or which rules scores sh
On 1/5/11 4:52 PM, Michael Monnerie wrote:
server88-208-245-26.live-servers.net
botnet is NOT a stock SA rule
plus, look at the silly DYNAMIC RULE LOOKING rdns.
fix rdns.
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation
Dear list,
I received this info from a customer, whose order confirmation from the
londontheatredirect.com got marked as spam because of BOTNET* rules. Are
those rules too old, or is that server in a botnet? How to find out?
Or which rules scores should I tune to optimize?
-- Forwarde
The problem was multiline rules with rawbody. Changing it
to full makes things work. (I missed that little detail in
the wiki, and there are body rules in the dist that have /is)
A rule in-between rawbody/full? I.e. the whole body, but not the
headers? Or even better, in addition to that, p
Because your first option matches the style inside the brackets and
your second option does take into account the forward slash before style?
Todd
Michael Dilworth wrote:
OK, it's late and I'm tired, and this will probably
end up being stupid regex issue, but:
why does...
rawbody STYLE_IN_B
On Sat, 27 Feb 2010, Michael Dilworth wrote:
garbage...
If you're looking for nonsense STYLE content, take a look in my sandbox.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79
Michael Dilworth wrote on Sat, 27 Feb 2010 18:45:20 -0800:
> rawbody STYLE_IN_BODY /\.*\/si not match?
because the HTML doesn't contain "
OK, it's late and I'm tired, and this will probably
end up being stupid regex issue, but:
why does...
rawbody STYLE_IN_BODY /\.*style/si match
and:
rawbody STYLE_IN_BODY /\.*\/si not match?
given a message body:
>>
...
...
garbage...
...
<
On Sun, 13 Sep 2009, Rajesh M wrote:
Please keep the discussion on-list.
i use qmail toaster
I'm not familiar with qmail. If it implements the milter interface, then
using milter-regex as I suggested would be an option. Perhaps a qmail
admin will suggest something using qmail's native capab
On Sun, 13 Sep 2009, Rajesh M wrote:
i sometimes get spam with both the sender id and recipient id as the
same. Obviously such emails are originating outside my server.
I DO NOT wish to use SPF
Why not, if I may ask? Publishing an SPF record seems to cut down on how
much your domain is use
hello all
I use qmail toaster with spamassassin -- latest version
i sometimes get spam with both the sender id and recipient id as the same.
Obviously such emails are originating outside my server.
I DO NOT wish to use SPF
what i need to do is as follows
1) get the source ip of the email in a
Hi,
I have done it through sa-update channels[1], and done spamd reload
regards,
a.Johnson
On Fri, Mar 7, 2008 at 1:28 PM, Daryl C. W. O'Shea
<[EMAIL PROTECTED]> wrote:
> On 07/03/2008 2:39 AM, Johnson Jeba Asir wrote:
> > I am running Suse 10 with Postfix and spamassassin, I have updated
> >
On 07/03/2008 2:39 AM, Johnson Jeba Asir wrote:
> I am running Suse 10 with Postfix and spamassassin, I have updated
> rules from http://updates.sa-update.com/sare/* to
> /var/lib/spamassassin/3.001003/
> Should I place the downloaded rules somewhere? or do i need to
> configure postfix?
"P
On 07.03.08 13:09, Johnson Jeba Asir wrote:
> I am running Suse 10 with Postfix and spamassassin, I have updated
> rules from http://updates.sa-update.com/sare/* to
> /var/lib/spamassassin/3.001003/
upgrade to latest version.
> My problem is as follows :
> I got a SPAM mail, and spam score was 3.5
Dear all,
I am running Suse 10 with Postfix and spamassassin, I have updated
rules from http://updates.sa-update.com/sare/* to
/var/lib/spamassassin/3.001003/
My problem is as follows :
I got a SPAM mail, and spam score was 3.5. since the score was 3.5
the mail has been marked as not spam, I have
Try this (for replacing your three meta rules):
meta RCVD_IN_LRBL_W (__RCVD_IN_LRBL_W && !__RCVD_IN_LRBL_B)
describe RCVD_IN_LRBL_W Local RBL Whitelist
tflags RCVD_IN_LRBL_W net
score RCVD_IN_LRBL_W -7
meta RC
- Original Message -
From: "UxBoD" <[EMAIL PROTECTED]>
To: users@spamassassin.apache.org
Sent: Friday, August 3, 2007 8:26:50 AM (GMT) Europe/London
Su
Hi,
I have written the following ruleset for our local RBL server :-
header __RCVD_IN_LRBL eval:check_rbl('LRBL','dnsrbl.local.com.')
tflags __RCVD_IN_LRBL net
header __RCVD_IN_LRBL_B eval:check_rbl_sub('LRBL', '127.0.0.2')
tflags __R