Rob Mangiafico wrote:
On Thu, 21 Dec 2006, John Rudd wrote:
1) BOTNET_SOHO -- If the sender's (chosen from Envelope-From, Return-Path, or From, in that order) mail domain (the part after the @ sign) resolves back to the relay's IP address, or has an MX host which resolves back to the IP address, AND the sender's mail domain does NOT match the PTR record for the relay, then we'll assume this is a "small office/home office" mail server. We'll exempt them from BOTNET being triggered. (Note: someone suggested that this check also try to resolve the HELO string; I make a note in my code as to why this is an extremely bad idea, and have a commented out block of code there for anyone who wants to go down that path ... but, really, don't.)

This rule seems to be working well. It has already "hit" on a few valid emails from legitimate sources, which is helpful. :)


8) The file Botnet.variations.txt exists now with different suggested alternative ways to do Botnet rules.

Thanks for this. We have to use the meta method to have BOTNET not trigger when other rules hit to avoid collateral damage on certain types of emails.

What does the meta rule you're using look like?


I think that's everything...

Been running for a few hours, looks to be doing well. A few little things:

1. This line was not commented:
botnet_pass_ip                 ^128\.223\.98\.16$ # dynamic.uoregon.edu

Is this a specific one that is commonly mis-tagged?

Because it has "dynamic" in the hostname, it triggers the clientwords rule. Yet, it is definitely not a botnet host. So I just put it in the default file. It's not intended to be commented out.


2. Have you considered lowering the default score shipped with the .cf file to something less drastic than 5? We currently have it set at 1.9 and that works well. Just a suggestion as BOTNET still tends to hit on 2-7% of HAM across all of our servers.

I want messages that get flagged to be quarantined/put in a spam folder for review. So, that's why I picked that number, for use here. If other people have a decent number that they find makes it pretty sure that a spam message that otherwise scores 0 (because there are a lot of them) but gets tagged by botnet will still end up in my spam folder ... I'm all ears :-)

I would, for example, really rather fix the false positives than lower the score.
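The BOTNET_SOHO exemption described in item 1 above, written out as an added Python example that is not the Botnet plugin's own Perl code: the DNS records and the `lookup` resolver are constructed stand-ins so it runs offline, and treating the PTR as "matching" when it equals or sits under the sender domain is my reading of the rule. As the post says, the HELO string is deliberately not consulted.

```python
# Constructed DNS records standing in for a real resolver (offline example).
# 203.0.113.10 is a SOHO box with generic ISP rDNS; 198.51.100.5 is a real MX.
FAKE_DNS = {
    ("example-soho.test", "A"): ["203.0.113.10"],
    ("example-soho.test", "MX"): ["mail.example-soho.test"],
    ("mail.example-soho.test", "A"): ["203.0.113.10"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["cust-203-0-113-10.dsl.isp.test"],
    ("bigmail.test", "A"): ["198.51.100.5"],
    ("bigmail.test", "MX"): ["mx.bigmail.test"],
    ("mx.bigmail.test", "A"): ["198.51.100.5"],
    ("5.100.51.198.in-addr.arpa", "PTR"): ["mx.bigmail.test"],
}


def lookup(name, rtype):
    """Stand-in resolver: return the record list for (name, type) or []."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def sender_domain(headers):
    """Mail domain taken from Envelope-From, Return-Path, then From (rule order)."""
    for h in ("Envelope-From", "Return-Path", "From"):
        val = headers.get(h)
        if val and "@" in val:
            return val.rsplit("@", 1)[1].strip("<> ").lower()
    return None


def reverse_name(ip):
    """Reverse-lookup name for a dotted-quad IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def is_botnet_soho(headers, relay_ip, lookup=lookup):
    """True when the relay should be exempted from BOTNET as a SOHO mail server."""
    domain = sender_domain(headers)
    if not domain:
        return False
    # Does the sender domain, or one of its MX hosts, resolve back to the relay?
    resolves_back = relay_ip in lookup(domain, "A") or any(
        relay_ip in lookup(mx, "A") for mx in lookup(domain, "MX"))
    if not resolves_back:
        return False
    # Exempt only when the relay's PTR does NOT fall under the sender domain
    # (a PTR inside the domain means ordinary rDNS checks already cover it).
    ptr_matches = any(p == domain or p.endswith("." + domain)
                      for p in lookup(reverse_name(relay_ip), "PTR"))
    return not ptr_matches
```

Note that this is only the exemption; the "dynamic"-style clientwords trigger discussed later in the thread is a separate check.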
