On Tue, 28 Nov 2006, Mark Martinec wrote:
Loren Wilton wrote:
Other than the fact I tend to agree with its conclusions by looking at
those hostnames, I suppose it means that the plugin needs some special case
exceptions for ebay, paypal, and amazon.
Right, too many false positives here as well.
Maybe it will need to run after domainkeys (if that is running) to help
verify that the paypal/ebay path isn't too obviously spoofed. (Although
that check can be done fairly well simply with a regex.)
Indeed. Also coupling it with p0f (passive operating system fingerprinting)
matching on non-unix hosts seems to bring up the best of both approaches:
meta BOTNET_W !DKIM_VERIFIED && !DK_VERIFIED && (L_P0F_WXP || L_P0F_W || L_P0F_UNKN) && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_W 3.2
meta BOTNET_OTHER !BOTNET_W && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_OTHER 0.5
About p0f see:
http://marc.theaimsgroup.com/?l=amavis-user&m=116439276912418
http://marc.theaimsgroup.com/?l=amavis-user&m=116440910822408
Here is the link to the p0f SA plugin I am running on my production
server; it seems to be working well.
Caution: It does tag email from hotmail :)
http://www.vcn.bc.ca/~vli/P0f.pm
Thanks, Mark, for the inspiration!
Mark
Vincent Li http://pingpongit.homelinux.com
Opensource .Implementation. .Consulting.
Platform .Fedora. .Debian. .Mac OS X.
Blog http://bl0g.blogdns.com
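The p0f/DKIM meta rules Mark quotes above are boolean arithmetic over the hit state of other rules, and the two rules interact (BOTNET_OTHER is suppressed whenever BOTNET_W fires). To make that visible, here is an added Python evaluator, not part of this thread and not SpamAssassin's own parser, that reads those `meta`/`score` lines with Perl-style operator precedence and scores a few constructed sets of rule hits. The scenario hit sets are assumptions; the L_P0F_* names are taken as whatever the local p0f plugin sets, and DKIM_VERIFIED/DK_VERIFIED as the stock DKIM/DomainKeys results.

```python
import re

# Meta rules and scores from the thread, one rule per line as SpamAssassin reads them.
RULES_CF = """
meta BOTNET_W !DKIM_VERIFIED && !DK_VERIFIED && (L_P0F_WXP || L_P0F_W || L_P0F_UNKN) && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_W 3.2
meta BOTNET_OTHER !BOTNET_W && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_OTHER 0.5
"""

TOKEN_RE = re.compile(r"\s*(?:([A-Za-z_]\w*)|(\d+(?:\.\d+)?)|(>=|<=|==|&&|\|\||[!()+\-<>]))")


def parse_cf(text):
    """Collect meta expressions and scores from cf-style lines (other directives ignored)."""
    metas, scores = {}, {}
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "meta":
            metas[parts[1]] = parts[2]
        elif len(parts) == 3 and parts[0] == "score":
            scores[parts[1]] = float(parts[2])
    return metas, scores


def tokenize(expr):
    """Split a meta expression into names, numbers and operators; reject anything else."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input in meta expression: {expr[pos:]!r}")
        tokens.append(m.group(1) or m.group(2) or m.group(3))
        pos = m.end()
    return tokens


class MetaExpr:
    """Recursive-descent evaluator, Perl precedence: ! binds tightest, then + -, comparisons, &&, ||."""

    def __init__(self, tokens, lookup):
        self.toks, self.pos, self.lookup = tokens, 0, lookup

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of meta expression")
        self.pos += 1
        return tok

    def evaluate(self):
        value = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return value

    def or_expr(self):
        value = self.and_expr()
        while self.peek() == "||":
            self.take()
            value = int(bool(value) | bool(self.and_expr()))
        return value

    def and_expr(self):
        value = self.cmp_expr()
        while self.peek() == "&&":
            self.take()
            value = int(bool(value) & bool(self.cmp_expr()))
        return value

    def cmp_expr(self):
        value = self.sum_expr()
        while self.peek() in (">", "<", ">=", "<=", "=="):
            op, rhs = self.take(), self.sum_expr()
            value = int({">": value > rhs, "<": value < rhs, ">=": value >= rhs,
                         "<=": value <= rhs, "==": value == rhs}[op])
        return value

    def sum_expr(self):
        value = self.unary()
        while self.peek() in ("+", "-"):
            op, rhs = self.take(), self.unary()
            value = value + rhs if op == "+" else value - rhs
        return value

    def unary(self):
        tok = self.take()
        if tok == "!":
            return int(not self.unary())
        if tok == "(":
            value = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')' in meta expression")
            return value
        if tok[0].isdigit():
            return float(tok) if "." in tok else int(tok)
        if not tok[0].isalpha() and tok[0] != "_":
            raise ValueError(f"unexpected operator {tok!r}")
        return self.lookup(tok)  # rule name: 1 if it hit, else 0


def fire_metas(metas, hits):
    """Return the meta rules that fire; metas referencing other metas are resolved on demand."""
    resolved, in_progress = {}, set()

    def lookup(name):
        if name not in metas:
            return 1 if name in hits else 0
        if name not in resolved:
            if name in in_progress:
                raise ValueError(f"meta rule {name} depends on itself")
            in_progress.add(name)
            resolved[name] = MetaExpr(tokenize(metas[name]), lookup).evaluate()
        return resolved[name]

    return {name for name in metas if lookup(name)}


def score_hits(hits, rules_cf=RULES_CF):
    """Score a set of non-meta rule hits; returns (fired metas, score added by them)."""
    metas, scores = parse_cf(rules_cf)
    fired = fire_metas(metas, set(hits))
    return fired, round(sum(scores.get(name, 0.0) for name in fired), 2)


# Constructed scenarios (assumed hit sets, not real scan results).
SCENARIOS = {
    "signed_paypal": {"DKIM_VERIFIED", "BOTNET_CLIENT"},       # DKIM-verified, relay looks like a client
    "xp_no_rdns": {"L_P0F_WXP", "BOTNET_CLIENT", "BOTNET_NORDNS"},  # unsigned, Windows XP, no rDNS
    "windows_clean_dns": {"L_P0F_W"},                          # unsigned Windows host, DNS is fine
}

if __name__ == "__main__":
    for label, hits in SCENARIOS.items():
        fired, total = score_hits(hits)
        print(f"{label:18} fired={sorted(fired)} score={total}")
```

The signed PayPal case drops from the 3.2-point BOTNET_W to the 0.5-point BOTNET_OTHER purely because DKIM_VERIFIED is set, which is the false-positive reduction Mark describes; a Windows host with clean DNS scores nothing, so the p0f signal alone never penalises a message.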