On Wed, 2009-11-25 at 10:53 -0800, R-Elists wrote:
> > I'm interested in people's opinion of UCEPROTECT. I'm aware
> > of how it works, but even UCEPROTECT1 seems to catch an awful
> > lot of ham, and I wondered if I was doing something wrong.
>
> Alex,
>
> we use all 3 and adjust score accordingly...

Ditto. Of more interest to me was the ips.backscatterer list. I configured it like so:

meta RCVD_IN_BACKSCATTER_RELAY (__BOUNCE_FROM_DAEMON && __RCVD_IN_BACKSCATTER) && ! __RCVD_IN_UCEWHITE
tflags RCVD_IN_BACKSCATTER_RELAY net
describe RCVD_IN_BACKSCATTER_RELAY received from a host that does a lot of backscatter
score RCVD_IN_BACKSCATTER_RELAY 1.30

It's helped with some of the backscatter problems we were seeing. I also haven't been overly scientific about it, but I've not had any false-positive reports, and I recall at least one false-negative complaint where RCVD_IN_BACKSCATTER_RELAY had been triggered (the total score was only about 4.6, IIRC).

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com