On Thu, 21 Dec 2006, John Rudd wrote:
> > 1) BOTNET_SOHO -- If the sender's (chosen from Envelope-From, 
> > Return-Path, or From, in that order) mail domain (the part after the @ 
> > sign) resolves back to the relay's IP address, or has an MX host which 
> > resolves back to the IP address, AND the sender's mail domain does NOT 
> > match the PTR record for the relay, then we'll assume this is a "small 
> > office/home office" mail server.  We'll exempt them from BOTNET being 
> > triggered.  (note: someone suggested that this check also try to resolve 
> > the HELO string, I make a note in my code as to why this is an extremely 
> > bad idea, and have a commented out block of code there for anyone who 
> > wants to go down that path ... but, really, don't)

This rule seems to be working well. It has already "hit" on a few valid 
emails from legitimate sources, which is helpful.  :)


> > 8) The file Botnet.variations.txt exists now with different suggested 
> > alternative ways to do Botnet rules.

Thanks for this. We have to use the meta method to have BOTNET not trigger 
when other rules hit to avoid collateral damage on certain types of 
emails.

> > I think that's everything...

Been running for a few hours, looks to be doing well. A few little things:

1. This line was not commented:
botnet_pass_ip                 ^128\.223\.98\.16$ # dynamic.uoregon.edu

Is this a specific one that is commonly mis-tagged?

2. Have you considered lowering the default score shipped with the .cf 
file to something less drastic than 5? We currently have it set at 1.9 and 
that works well. Just a suggestion as BOTNET still tends to hit on 2-7% of 
HAM across all of our servers. 

A sampling of BOTNET stats across a variety of servers:
---
RANK    RULE NAME                       COUNT  %OFMAIL %OFSPAM  %OFHAM        
----------------------------------------------------------------------
   1    BOTNET                           6969    73.84   85.84    9.05
   1    BOTNET                           5418    64.34   79.59   11.59
   1    BOTNET                           3260    57.84   81.56    5.42
   3    BOTNET                           3471    52.59   70.38    9.28
   1    BOTNET                           9388    75.18   89.38    6.71
   1    BOTNET                           4307    63.21   80.75    8.99
   1    BOTNET                           4085    64.54   84.82    7.37
   3    BOTNET                           4064    53.37   74.46    5.86
   1    BOTNET                           6108    64.40   82.32    6.72
   1    BOTNET                           4059    73.83   79.03   70.11
   1    BOTNET                           3520    65.28   85.85    7.89
   1    BOTNET                           1490    48.61   81.33    4.95
   1    BOTNET                           4784    59.83   78.30   13.05
   1    BOTNET                           1063    49.67   82.92    7.60
   4    BOTNET                           1901    55.68   73.54    7.33
   1    BOTNET                           2619    58.09   89.39    5.97
   3    BOTNET                           3356    57.82   70.59   17.00
---

Rob

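The BOTNET_SOHO check quoted at the top of this message, as an added example that is not the Botnet plugin's own code: it re-implements the logic exactly as the quoted text describes it (sender domain taken from Envelope-From, Return-Path, or From in that order; exempt when that domain's A record or one of its MX hosts resolves to the relay IP AND the relay's PTR does not match the domain; HELO deliberately not consulted). Every hostname, address and DNS record below is a constructed fixture, the `headers` dict is a simplified stand-in for the message headers, and the `botnet_pass_ip` matcher at the end only illustrates why the entry in item 1 is anchored with `^` and `$`.

```python
"""Re-implementation of the BOTNET_SOHO exemption logic described in the post.

Added example, not the Botnet plugin's own code.  All hostnames, addresses
and DNS answers are constructed fixtures so the script runs offline.
"""
import ipaddress
import re

# Constructed DNS fixture: (name, record type) -> list of answers.
FAKE_DNS = {
    # A small office server: the domain's A record is the relay IP, but the
    # ISP's PTR for that IP is generic, so the SOHO exemption should apply.
    ("soho.example.test", "A"): ["203.0.113.10"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["dsl-203-0-113-10.isp.test"],
    # Same idea, but the relay IP is reached via the domain's MX host.
    ("shop.example.test", "MX"): ["mx.shop.example.test"],
    ("mx.shop.example.test", "A"): ["203.0.113.20"],
    ("20.113.0.203.in-addr.arpa", "PTR"): ["cable-20.isp.test"],
    # A properly configured relay: PTR matches the sender domain, so the
    # SOHO rule does not fire (the post leaves that case to the other checks).
    ("bigcorp.test", "MX"): ["mail.bigcorp.test"],
    ("mail.bigcorp.test", "A"): ["198.51.100.25"],
    ("25.100.51.198.in-addr.arpa", "PTR"): ["mail.bigcorp.test"],
    # A bot forging a sender domain that has nothing to do with its address.
    ("victim-bank.test", "MX"): ["mx.victim-bank.test"],
    ("mx.victim-bank.test", "A"): ["192.0.2.5"],
    ("77.2.0.192.in-addr.arpa", "PTR"): ["pool-77.dyn.isp.test"],
}

def resolve(name, rtype, dns=FAKE_DNS):
    """Stand-in for a DNS lookup; returns [] for anything not in the fixture."""
    return dns.get((name.lower().rstrip("."), rtype), [])

# Order the post gives for choosing the sender address.
SENDER_HEADERS = ("Envelope-From", "Return-Path", "From")

def sender_domain(headers):
    """Part after the @ of the first of Envelope-From, Return-Path, From that has an address."""
    for h in SENDER_HEADERS:
        value = headers.get(h)
        if not value:
            continue
        m = re.search(r"[^<\s@]+@([A-Za-z0-9.-]+)", value)
        if m:
            return m.group(1).lower()
    return None

def relay_addresses(domain, resolve=resolve):
    """IPs the sender domain 'points at': its own A records plus its MX hosts' A records."""
    addrs = set(resolve(domain, "A"))
    for mx in resolve(domain, "MX"):
        addrs.update(resolve(mx, "A"))
    return addrs

def ptr_matches_domain(relay_ip, domain, resolve=resolve):
    """True if the relay's PTR name is the sender domain or a host inside it."""
    rev = ipaddress.ip_address(relay_ip).reverse_pointer   # e.g. 10.113.0.203.in-addr.arpa
    for name in resolve(rev, "PTR"):
        name = name.lower().rstrip(".")
        if name == domain or name.endswith("." + domain):
            return True
    return False

def is_botnet_soho(headers, relay_ip, resolve=resolve):
    """The exemption: domain (or its MX) resolves to the relay AND PTR does not match.

    The HELO string is deliberately not consulted, as the quoted post advises;
    it is supplied by the connecting client, so it proves nothing about it.
    """
    domain = sender_domain(headers)
    if domain is None:
        return False
    return (relay_ip in relay_addresses(domain, resolve)
            and not ptr_matches_domain(relay_ip, domain, resolve))

def passes_botnet_pass_ip(relay_ip, patterns):
    """botnet_pass_ip entries are regexes: anchoring (^...$) keeps 128.223.98.16
    from also matching 128.223.98.160 or 10.128.223.98.16x-style strings."""
    return any(re.search(p, relay_ip) for p in patterns)

if __name__ == "__main__":
    for hdrs, ip in [({"From": "bob@soho.example.test"}, "203.0.113.10"),
                     ({"Return-Path": "<orders@shop.example.test>"}, "203.0.113.20"),
                     ({"From": "hr@bigcorp.test"}, "198.51.100.25"),
                     ({"From": "alerts@victim-bank.test"}, "192.0.2.77")]:
        print(sender_domain(hdrs), ip, "SOHO exempt" if is_botnet_soho(hdrs, ip) else "not exempt")
```

Run stand-alone it prints one line per constructed case; only the two small-office cases come out exempt, the relay with a matching PTR and the bot with an unrelated sender domain do not. Swap `resolve` for a real lookup (for example one built on a DNS library) to try it against live data.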