On Fri, 2007-06-22 at 17:03 +0200, arni wrote:
> Marc Perkel wrote:
> >
> > That doesn't answer his question though. He didn't ask for your
> > opinion about if he needed it. If the rules were working for him he
> > wouldn't be asking for help. When someone asks a question telling
> > them they don't need it is generally the wrong answer and a waste of
> > time.
> >
> I was more trying to show him that installing the botnet plugin alone,
> together with a decent bayes or 1 or 2 more rules already does the job
> and instead of writing a new rule for each stock spam that comes out,
> this will catch almost all of it (all of it in my case)

Well, bayes is very hard to implement on a mid-span spamassassin implementation (no feedback loop for missed spam or false ham). In my case, I use spamassassin under amavisd-new as a front-end filter, discard/quarantine the trash, then deliver to MS Exchange for end users to read. And I've been catching actual customers and vendors right-and-left with the botnet plugin. Too many false positives, even combining it with p0f, for me to feel very good about it.

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com