Loren Wilton wrote:
> Other than the fact I tend to agree with its conclusions by looking at
> those hostnames, I suppose it means that the plugin needs some special case
> exceptions for ebay, paypal, and amazon.

Right, too many false positives here as well.

> Maybe it will need to run after domainkeys (if that is running) to help
> verify that the paypal/ebay path isn't too obviously spoofed. (Although
> that check can be done fairly well simply with a regex.)

Indeed. Also coupling it with p0f (passive operating system fingerprinting) matching on non-unix hosts seems to bring up the best of both approaches:

meta BOTNET_W !DKIM_VERIFIED && !DK_VERIFIED && (L_P0F_WXP || L_P0F_W || L_P0F_UNKN) && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_W 3.2
meta BOTNET_OTHER !BOTNET_W && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_OTHER 0.5

About p0f see:
http://marc.theaimsgroup.com/?l=amavis-user&m=116439276912418
http://marc.theaimsgroup.com/?l=amavis-user&m=116440910822408

Mark
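The two meta rules quoted in the message above can be checked against a set of rule hits with the evaluator below. This is an added example, not code from the message, from SpamAssassin, or from the Botnet or p0f plugins: it parses the meta expression syntax those rules use (`!`, `&&`, `||`, `+`, `>` and parentheses) with a small recursive-descent parser instead of Perl's evaluator, applies the metas in listing order (SpamAssassin resolves meta dependencies itself; listing order is a simplification that works here because BOTNET_OTHER is defined after BOTNET_W), and the rule-hit sets are constructed to show why a DKIM-signed message from a Windows host only collects the low BOTNET_OTHER score rather than BOTNET_W.

```python
import re

# The two meta rules and scores from the message, keyed by rule name, in
# listing order (a constructed table; SpamAssassin reads these from .cf files).
RULES = {
    "BOTNET_W": ("!DKIM_VERIFIED && !DK_VERIFIED && (L_P0F_WXP || L_P0F_W || L_P0F_UNKN)"
                 " && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0", 3.2),
    "BOTNET_OTHER": ("!BOTNET_W && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0", 0.5),
}

# Numbers, rule names, and the operators the meta syntax needs.
TOKEN_RE = re.compile(
    r"\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_][A-Za-z0-9_]*)|(&&|\|\||>=|<=|==|!=|[()!+\-<>]))")


def tokenize(expr):
    """Split a meta expression into (kind, value) tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        pos = m.end()
        num, ident, op = m.groups()
        if num is not None:
            tokens.append(("num", float(num)))
        elif ident is not None:
            tokens.append(("id", ident))
        else:
            tokens.append(("op", op))
    return tokens


class Parser:
    """Recursive-descent evaluator with Perl-like precedence:
    || < && < comparison < + - < unary ! and - < atoms."""

    CMP = {">": lambda a, b: a > b, "<": lambda a, b: a < b,
           ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
           "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

    def __init__(self, tokens, hits):
        self.toks, self.i, self.hits = tokens, 0, hits  # hits: rule name -> 0/1

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok}")
        self.i += 1
        return tok

    def parse(self):
        v = self.expr_or()
        if self.peek()[0] is not None:
            raise ValueError("trailing tokens")
        return v

    def expr_or(self):
        v = self.expr_and()
        while self.peek() == ("op", "||"):
            self.take()
            r = self.expr_and()  # always parsed, no short-circuit skipping
            v = 1 if (v or r) else 0
        return v

    def expr_and(self):
        v = self.expr_cmp()
        while self.peek() == ("op", "&&"):
            self.take()
            r = self.expr_cmp()
            v = 1 if (v and r) else 0
        return v

    def expr_cmp(self):
        v = self.expr_sum()
        while self.peek()[0] == "op" and self.peek()[1] in self.CMP:
            op = self.take()[1]
            v = 1 if self.CMP[op](v, self.expr_sum()) else 0
        return v

    def expr_sum(self):
        v = self.expr_unary()
        while self.peek() in (("op", "+"), ("op", "-")):
            op = self.take()[1]
            r = self.expr_unary()
            v = v + r if op == "+" else v - r
        return v

    def expr_unary(self):
        if self.peek() == ("op", "!"):
            self.take()
            return 0 if self.expr_unary() else 1
        if self.peek() == ("op", "-"):
            self.take()
            return -self.expr_unary()
        return self.atom()

    def atom(self):
        kind, val = self.peek()
        if kind == "num":
            self.take()
            return val
        if kind == "id":  # a rule name counts 1 if it hit, else 0
            self.take()
            return 1 if self.hits.get(val) else 0
        if (kind, val) == ("op", "("):
            self.take()
            v = self.expr_or()
            self.take("op", ")")
            return v
        raise ValueError(f"unexpected token {(kind, val)}")


def evaluate_metas(hits, rules=RULES):
    """Apply the metas in order, recording each result so later metas can
    reference earlier ones. Returns (names of metas that fired, score added)."""
    hits, fired, total = dict(hits), [], 0.0
    for name, (expr, score) in rules.items():
        value = Parser(tokenize(expr), hits).parse()
        hits[name] = 1 if value else 0
        if value:
            fired.append(name)
            total += score
    return fired, total


if __name__ == "__main__":
    # Constructed rule-hit sets for three messages.
    samples = {
        "unsigned mail from an XP host with bad DNS": {"L_P0F_WXP": 1, "BOTNET_BADDNS": 1, "BOTNET_CLIENT": 1},
        "DKIM-signed mail from a Windows host, no rDNS": {"DKIM_VERIFIED": 1, "L_P0F_W": 1, "BOTNET_NORDNS": 1},
        "clean mail from a Linux host": {"L_P0F_LINUX": 1},
    }
    for label, hits in samples.items():
        print(f"{label}: {evaluate_metas(hits)}")
```

The second sample is the paypal/ebay case from the thread: the Botnet rules still hit, but a verified DKIM signature blocks BOTNET_W, so only the 0.5 BOTNET_OTHER score is added.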