On Sunday June 24 2007 19:30:32 OliverScott wrote:
> Though BotNet is VERY effective in catching SPAM, the default score of 5 is
> way too high IMHO.

I fully agree, 5 is way too high.

> With a well trained BAYES, using a selected list of RBLs and URIBLs for
> scoring, the SARE rules, and some custom rules of my own I am confident
> that I am catching well over 90% of the SPAM hitting my server (about 5000
> emails received a week), with almost no false positives.
>
> Based on this I set BotNet to score 0.001 for all its rules (so as not to
> confuse the issue), and after a week examined its effectiveness using
> sa-stats.pl...
>
> It detected 91.7% of SPAM which is FANTASTIC!
>
> But it also fired on 9.6% of my HAM emails which is not so good :(
>
> Normally if a rule gets this high an FP rate then I would discard it, but
> given the amount of SPAM it catches I have left it running but set to only
> add 1 to the scores of the emails it detects.

The accuracy of botnet can be greatly enhanced when it is tamed down by p0f
results (passive operating system fingerprinting).

I allow botnet to contribute 2.8 points when the source is a Windows computer,
2.0 points for an unclassified host, but only 0.5 points for the rest
(i.e. mostly Linux and Unix sending hosts).

My actual rules are:

meta  BOTNET_W     !DKIM_VERIFIED && (L_P0F_WXP || L_P0F_W) && BOTNET
score BOTNET_W     2.8
meta  BOTNET_WU    !DKIM_VERIFIED && L_P0F_UNKN && BOTNET
score BOTNET_WU    2.0
score BOTNET       0.1

meta  BOTNET_OTHER !BOTNET_W && !BOTNET_WU && BOTNET
score BOTNET_OTHER 0.5

header L_P0F_WXP   X-Amavis-OS-Fingerprint =~ /^Windows XP(?![^(]*\b2000 SP)/
header L_P0F_W     X-Amavis-OS-Fingerprint =~ /^Windows(?! XP)/
header L_P0F_UNKN  X-Amavis-OS-Fingerprint =~ /^UNKNOWN/
header L_P0F_Unix  X-Amavis-OS-Fingerprint =~ /^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64|AIX)/
header L_P0F_Linux X-Amavis-OS-Fingerprint =~ /^Linux/
score  L_P0F_WXP   2.3
score  L_P0F_W     1.3
score  L_P0F_UNKN  0.8
score  L_P0F_Unix  -1.0
score  L_P0F_Linux -0.1

The X-Amavis-OS-Fingerprint header field can be inserted by 
p0f+p0fanalyzer+amavisd
(which I use), or by p0f+p0fanalyzer + p0f plugin for SA by Vincent Li
(which I haven't had a chance to try yet, but was announced at:
 http://marc.info/?l=amavis-user&m=118169490428464 )

  Mark
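As an added illustration (my own code, not Mark's rules file or anything from the BotNet or p0f plugins), a small Python evaluator that applies the header regexes and meta rules quoted above to a few constructed X-Amavis-OS-Fingerprint values and sums only those rules' scores. The fingerprint strings are made up in p0f's naming style, and only DKIM_VERIFIED and BOTNET are assumed as inputs from other rules.

```python
import re

# Added example, not code from the mail: a tiny evaluator for the BotNet/p0f
# meta rules above, run over constructed X-Amavis-OS-Fingerprint values.
# Only these rules are scored; every other SpamAssassin rule is ignored.
HEADER_RULES = {  # the five header rules, regexes copied from the mail
    "L_P0F_WXP":   re.compile(r"^Windows XP(?![^(]*\b2000 SP)"),
    "L_P0F_W":     re.compile(r"^Windows(?! XP)"),
    "L_P0F_UNKN":  re.compile(r"^UNKNOWN"),
    "L_P0F_Unix":  re.compile(r"^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64|AIX)"),
    "L_P0F_Linux": re.compile(r"^Linux"),
}
SCORES = {
    "BOTNET": 0.1, "BOTNET_W": 2.8, "BOTNET_WU": 2.0, "BOTNET_OTHER": 0.5,
    "L_P0F_WXP": 2.3, "L_P0F_W": 1.3, "L_P0F_UNKN": 0.8,
    "L_P0F_Unix": -1.0, "L_P0F_Linux": -0.1,
}

def evaluate(fingerprint, botnet, dkim_verified):
    """Return the set of rule names that fire for one message."""
    hits = {name for name, rx in HEADER_RULES.items() if rx.search(fingerprint)}
    if dkim_verified:
        hits.add("DKIM_VERIFIED")
    if botnet:
        hits.add("BOTNET")
    # meta rules: the high-scoring Windows/unknown buckets need a failed DKIM
    windows = bool(hits & {"L_P0F_WXP", "L_P0F_W"})
    if "DKIM_VERIFIED" not in hits and windows and "BOTNET" in hits:
        hits.add("BOTNET_W")
    if "DKIM_VERIFIED" not in hits and "L_P0F_UNKN" in hits and "BOTNET" in hits:
        hits.add("BOTNET_WU")
    if "BOTNET" in hits and not hits & {"BOTNET_W", "BOTNET_WU"}:
        hits.add("BOTNET_OTHER")
    return hits

def score(hits):
    """Total contribution of the rules above, rounded to SA's two decimals."""
    return round(sum(SCORES.get(r, 0.0) for r in hits), 2)

# Constructed fingerprint strings in p0f's naming style (not captured data).
SAMPLES = [
    ("xp-no-dkim",     "Windows XP/2000 (RFC1323+, w+, tstamp-)", True,  False),
    ("xp-2000sp-ambig", "Windows XP SP1+, 2000 SP3",              True,  False),
    ("unknown",        "UNKNOWN [65535:64:1:60:M1460,N,W0,N,N,T:AT]", True, False),
    ("freebsd",        "FreeBSD 6.x",                             True,  False),
    ("xp-dkim",        "Windows XP/2000 (RFC1323+, w+, tstamp-)", True,  True),
]

if __name__ == "__main__":
    for label, fp, botnet, dkim in SAMPLES:
        hits = evaluate(fp, botnet, dkim)
        print(f"{label:16} {score(hits):5.1f}  {' '.join(sorted(hits))}")
```

Note how the `(?![^(]*\b2000 SP)` lookahead drops the "XP SP1+, 2000 SP3" signature out of both Windows buckets, so it only collects BOTNET_OTHER, and how a DKIM pass demotes even a Windows XP botnet hit to the 0.5 bucket.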
