Botnet 0.4 Spam Assassin plugin
John Rudd
jrudd at ucsc.edu
Mon Nov 27 21:05:14 GMT 2006
Did you add the address (as a regular expression) to the skip list with
one of these lines:

botnet_skip_ip ^A\.B\.C\.D$

(where the machine's IP addr is A.B.C.D)

That would cause it to skip past that Received header (and if that's the
last/oldest received header, then it will pass the message entirely).

Also, was it triggering on BOTNET_CLIENTWORDS or BOTNET_IPINHOSTNAME or
both? If it's only triggering BOTNET_CLIENTWORDS, then try seeing which
of the client words it's triggering, and remove that from the cf file.
For example, if "dsl" is the only one of the clientwords it's triggering
on, then remove "dsl" from the botnet_clientwords setting.

Last, you could also set the score for BOTNET_CLIENT to 0. This means
you'll only be triggering the BOTNET score if the message has no rdns
(BOTNET_NORDNS), or lacks full-circle dns (BOTNET_BADDNS).

The other thing I would ask is: What value do you set for
deleting/rejecting (without human review) spam? It seems to me that if
you've set it lower than 10, that's an incredibly bad idea (even without
botnet installed). If you've set it higher than 10, then Botnet
wouldn't be causing you to delete/reject anything that SpamAssassin
didn't already think was spam.

For the question about the score: the score is intended to automatically
cause the message to be quarantined/delivered-to-a-spam-folder. That's
why it's at 5: unless the message's score is otherwise negative, this is
effectively flagged for "needs human review". Even if you've set your
high spam value to 10, it wouldn't apply high spam actions unless the
message was already considered to be spam. (for me, I reject messages,
during SMTP, at an SA score of 10 ... so I only reject a message if it
is otherwise considered spam AND a botnet ... or if it's REALLY bad
spam; otherwise I deliver it ... I don't consider it a problem to have a
false positive quarantined or delivered to my spam folder: that's what
"delivery/quarantining of spam" is for)

Feel free to adjust the score to your tastes... but that's why I've set
it where I set it. I suppose one idea would be to set the score to be
no more than "High Spam - Spam".

Wayne wrote:
> At 14:17 27/11/2006, you wrote:
>
> Do not know if I am alone with this problem but I have had to remove
> BOTNET as it was doing its job too well - it was deleting all mail
> which originated from genuine ADSL addresses I even tried adding these
> addresses to white-lists and other files saying not to be read as spam -
> they still were. If the problem of genuine use of adsl addresses can be
> addressed I will try again.
>
> - Wayne -
>
>
>> > > 12) The BOTNET rule is now worth 5 points, instead of 6. It would be
>> > > interesting to know what people have found as useful scores for the
>> > > plugin.
>> >
>> > Too high, I wouldn't use anything above 2.5 and reason is I don't trust
>> > any one rule that much.
>>
>> I'm inclined to agree - the scores are too high for my tastes as
>> well. My threshold is 6 to be marked as spam; one rule which applies
>> 5 directly is simply too dangerous to be useful.
>>
>> > > i) do you want me to leave it as it is, or
>> > > ii) put in the __ so that the sub-rules stop showing up in the
>> > > final report?
>> >
>> > As long as there is a debug option, the long report should be limited
>> > for debug info and the short one for normal operation.
>> > --
>> > René Berber
>>
>> Definitely use the __ format, and provide a debug option to see the
>> individually triggered rules on demand.
>>
>>
>> --
>> _
>> °v° Daniel Maher
>> /(_)\ Administrateur Système Unix
>> ^ ^ Unix System Administrator
>>
>> Sentio aliquos togatos contra me conspirare.
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>> --
>> This email has been scanned by the Balita server.
>
>
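
An added example (not part of the original post and not the Botnet plugin's code) showing why the skip entry above is written with escaped dots and `^`/`$` anchors: it tests candidate `botnet_skip_ip` patterns against constructed relay IPs and lists the addresses that would be exempted unintentionally. It assumes the pattern is applied as an unanchored regex search against the relay's IP string; Python's `re` stands in for Perl, and the helper names are hypothetical.

```python
import re

# Constructed sample data (not from the original post).
INTENDED = "10.1.2.3"          # the one relay that should be skipped
RELAYS = ["10.1.2.3", "10.1.2.30", "110.1.2.3", "10.112.3.4", "10.1.2.4"]


def skip_pattern_for(ip):
    """Build the anchored, dot-escaped form used in the post: ^A\\.B\\.C\\.D$"""
    return "^" + re.escape(ip) + "$"


def unintended_skips(pattern, intended, relays):
    """Return relay IPs other than `intended` that the pattern would also skip.

    Assumption: the pattern is used as a regex *search* (match anywhere in
    the string), so only explicit ^ and $ pin it to the whole address.
    """
    rx = re.compile(pattern)
    return [ip for ip in relays if ip != intended and rx.search(ip)]


def audit(patterns, intended, relays):
    """Map each candidate pattern to (covers_intended, unintended matches)."""
    report = {}
    for pattern in patterns:
        covers = re.search(pattern, intended) is not None
        report[pattern] = (covers, unintended_skips(pattern, intended, relays))
    return report


CANDIDATES = [
    r"10.1.2.3",               # bare address: '.' is a wildcard, no anchors
    r"10\.1\.2\.3",            # dots escaped, still unanchored
    skip_pattern_for(INTENDED),  # ^10\.1\.2\.3$
]

if __name__ == "__main__":
    for pattern, (covers, extra) in audit(CANDIDATES, INTENDED, RELAYS).items():
        print(f"{pattern:<16} covers intended: {covers}  also skips: {extra}")
```

Any address listed under "also skips" is a relay whose Received header would bypass the Botnet checks without that being the intent.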