Though BotNet is VERY effective in catching SPAM, the default score of 5 is way too high IMHO.
With a well trained BAYES, using a selected list of RBLs and URIBLs for scoring, the SARE rules, and some custom rules of my own I am confident that I am catching well over 90% of the SPAM hitting my server (about 5000 emails received a week), with almost no false positives. Based on this I set BotNet to score 0.001 for all its rules (so as not to confuse the issue), and after a week examined its effectiveness using sa-stats.pl... If detected 91.7% of SPAM which is FANTASTIC! But is also fired on 9.6% of my HAM emails which is not so good :( Normally if a rule gets this higher FP then I would discard it, but given the amount of SPAM is catches I have left it running but set to only add 1 to the scores of the emails it detects (as this will not be enough to greatly affect the scores of the false positive ham emails it hits) and in this fashon it helps to up-score my SPAM enough to push it over my BAYES training threshold and my Delete threshold. One other benefit of BotNet is that it includes some rules which can be used to down-score some genuine commerical emails and emails sent through an ISPs mail servers. My scores for BotNet are as follows: score BOTNET 1.000 score BOTNET_CLIENT 0.100 score BOTNET_CLIENTWORDS 0.100 score BOTNET_IPINHOSTNAME 0.500 score BOTNET_SOHO -0.100 score BOTNET_SERVERWORDS -0.500 Other things you should look at are upgrading to SA 3.2.1 as this includes URIBL_BLACK by default (another very effective rule), and possibly using the SAGREY plugin (which uses the auto white list feature to see if an email is the first one you have had from an address, and in this case if it looks to be SPAM it adds a bit more to its score!). Obviously your mileage may vary! Oliver Matt-123 wrote: > > I have added botnet to my Spamassassin install. It seems to have > helped quite a bit so far. I am just wandering about the 5 points it > gives for a hit. Is that too much? Does it have alot of false > positives or not? > > Matt > > -- View this message in context: http://www.nabble.com/Botnet-Score-tf3971206.html#a11276655 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
