On Fri, 22 Dec 2006, John Rudd wrote:

> > > > 8) The file Botnet.variations.txt exists now with different suggested
> > > > alternative ways to do Botnet rules.
> >
> > Thanks for this. We have to use the meta method to have BOTNET not trigger
> > when other rules hit to avoid collateral damage on certain types of
> > emails.
>
> What does the meta rule you're using look like?

meta BOTNET (!BOTNET_SOHO && (BOTNET_CLIENT || BOTNET_BADDNS || BOTNET_NORDNS) && !SERVERHOST_MATCH)

SERVERHOST_MATCH is a custom rule we use.

> > 2. Have you considered lowering the default score shipped with the .cf
> > file to something less drastic than 5? We currently have it set at 1.9 and
> > that works well. Just a suggestion as BOTNET still tends to hit on 2-7% of
> > HAM across all of our servers.
>
> I want messages that get flagged to be quarantined/put in a spam folder
> for review. So, that's why I picked that number, for use here. If
> other people have a decent number that they find makes it pretty sure
> that a spam message that otherwise scores 0 (because there are a lot of
> them) but gets tagged by botnet, will still end up in my spam folder ...
> I'm all ears :-)
>
> I would, for example, really rather fix the false positives, than lower
> the score.

OK, if you're using Botnet as a go/no-go filter, then 5 makes sense. But I'm of the mind that no one rule in SA should push a message over the limit by itself, so we're using it more as a sign of spamminess instead of a definite sign of spam. With all the broken reverse DNS mailservers and poorly named nameservers out there for legitimate email and many newsletters it seems, it's just too dangerous to mark it that high for our users. But giving it a high score of 1.9 for our purposes works well to catch the borderline spam and keep spam out of auto learning. :)

Rob
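An added example, not code from the thread or from the Botnet plugin: a small evaluator for the meta expression Rob posted, run over constructed sets of sub-rule hits. It shows which combinations the meta rule lets through (the SOHO and SERVERHOST_MATCH terms suppress it) and how the choice of 5 versus 1.9 interacts with SpamAssassin's default 5.0 required_score. The hit sets, the SOME_OTHER_RULE name and its score are constructed for the example; the evaluator only approximates SpamAssassin's meta parsing (it supports `!`, `&&`, `||` and parentheses, nothing else).

```python
"""Evaluate a SpamAssassin-style meta rule against constructed rule hits.

Added example; not part of the mailing-list thread or the Botnet plugin.
"""
import re

# The meta expression quoted in the thread. BOTNET_* are Botnet sub-rules,
# SERVERHOST_MATCH is the poster's own custom rule.
BOTNET_META = (
    "(!BOTNET_SOHO && (BOTNET_CLIENT || BOTNET_BADDNS || BOTNET_NORDNS)"
    " && !SERVERHOST_MATCH)"
)

# SpamAssassin's default required_score.
DEFAULT_THRESHOLD = 5.0

_TOKEN = re.compile(r"\s*(\(|\)|!|&&|\|\||[A-Z_][A-Z0-9_]*)")


def tokenize(expr):
    """Split a meta expression into parentheses, operators and rule names."""
    expr = expr.strip()
    pos, out = 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {expr[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


def eval_meta(expr, hits):
    """Return True if the meta expression is satisfied by the set of rule
    names in `hits`. Recursive descent over ||, &&, ! and parentheses; no
    eval() is used, so rule text cannot execute anything."""
    toks = tokenize(expr)
    pos = [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take(expected=None):
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        pos[0] += 1
        return tok

    def or_expr():
        val = and_expr()
        while peek() == "||":
            take()
            rhs = and_expr()
            val = val or rhs
        return val

    def and_expr():
        val = not_expr()
        while peek() == "&&":
            take()
            rhs = not_expr()
            val = val and rhs
        return val

    def not_expr():
        if peek() == "!":
            take()
            return not not_expr()
        return primary()

    def primary():
        tok = take()
        if tok == "(":
            val = or_expr()
            take(")")
            return val
        if tok in ("!", "&&", "||", ")"):
            raise ValueError(f"unexpected {tok!r}")
        return tok in hits

    result = or_expr()
    if peek() is not None:
        raise ValueError(f"trailing tokens: {toks[pos[0]:]}")
    return result


def total_score(hits, botnet_score, other_scores=None):
    """Sum the scores of the rules that hit, adding BOTNET at `botnet_score`
    when the meta rule fires. Sub-rules are assumed to carry no score of
    their own (constructed assumption for this example)."""
    other_scores = other_scores or {}
    score = sum(other_scores.get(r, 0.0) for r in hits)
    if eval_meta(BOTNET_META, hits):
        score += botnet_score
    return score


def is_spam(hits, botnet_score, other_scores=None, threshold=DEFAULT_THRESHOLD):
    """Go/no-go decision: does the message reach the required score?"""
    return total_score(hits, botnet_score, other_scores) >= threshold


# Constructed hit sets for four messages.
CASES = {
    "bot_client": {"BOTNET_CLIENT", "BOTNET_NORDNS"},           # meta fires
    "known_server": {"BOTNET_CLIENT", "BOTNET_NORDNS",
                     "SERVERHOST_MATCH"},                        # suppressed
    "soho": {"BOTNET_CLIENT", "BOTNET_SOHO"},                    # suppressed
    "clean": set(),                                              # no hits
}

if __name__ == "__main__":
    for name, hits in CASES.items():
        print(f"{name:13s} meta={eval_meta(BOTNET_META, hits)!s:5s} "
              f"score@5={total_score(hits, 5.0):.1f} "
              f"score@1.9={total_score(hits, 1.9):.1f}")
```

With the score at 5, a message whose only hit is the meta rule is quarantined on its own; at 1.9 the same message needs other rules contributing at least 3.1 before it crosses the default threshold, which is the "sign of spamminess, not proof" behaviour Rob describes.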