Martin,

> - p0f. How well does it work? Is it very effective?

It is helpful, but scores must not be too aggressive, as there are some
companies running their MTA on Windows. Here are my current rules:

  header L_P0F_WXP X-Amavis-OS-Fingerprint =~ /^Windows XP(?![^(]*\b2000 SP)/
  score L_P0F_WXP 2.3
  header L_P0F_W X-Amavis-OS-Fingerprint =~ /^Windows(?! XP)/
  score L_P0F_W 1.3
  header L_P0F_UNKN X-Amavis-OS-Fingerprint =~ /^UNKNOWN/
  score L_P0F_UNKN 0.8
  header L_P0F_Unix X-Amavis-OS-Fingerprint =~ /^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64|AIX)/
  score L_P0F_Unix -1.0
  header L_P0F_Linux X-Amavis-OS-Fingerprint =~ /^Linux/
  score L_P0F_Linux -0.1

I also do a small negative score for nearby hosts (IP hops), but this is
probably specific to our network topology and the country I live in.

I find p0f to be most valuable in preventing BOTNET plugin false positives.
If p0f says the client is Unix/Linux, I never trust BOTNET rules. It saved
our butt on a number of occasions.

  meta BOTNET_W !DKIM_VERIFIED && (L_P0F_WXP || L_P0F_W) && BOTNET
  score BOTNET_W 2.8
  meta BOTNET_WU !DKIM_VERIFIED && L_P0F_UNKN && BOTNET
  score BOTNET_WU 2.0
  score BOTNET 0.1
  meta BOTNET_OTHER !BOTNET_W && !BOTNET_WU && BOTNET
  score BOTNET_OTHER 0.5

Tamed by p0f info, the BOTNET plugin becomes reliable and useful.

> - FuzzyOCR. We are seeing quite an increase in image-spam and would like
> to add an ocr scanner. It's been around for a while, but I've come to
> understand that it has been a bit troublesome in the past. Anyone with
> experience? Is it very CPU intense?

It is quite CPU intensive. Its caching mechanism can become very slow when
a database grows large, so it is more predictable to run it with its
caching disabled, or reset the database every once in a while.

Its default scores are much too aggressive and need to be adjusted
(focr_base_score halved, focr_corrupt_score, focr_corrupt_unfixable_score
lowered). I also like to put a high cap on a score returned:

--- FuzzyOcr.pm.ori Sun Jan 7 13:05:08 2007 +++ FuzzyOcr.pm Tue Jan 9 15:09:24 2007 
@@ -927,4 +927,5 @@ infolog($debuginfo) unless ($conf->{focr_enable_image_hashing} == 3); } + $score = 5 if $score > 5; # !!! clip the score for my $set ( 0 .. 3 ) { $pms->{conf}->{scoreset}->[$set]->{"FUZZY_OCR"} = $score;

Other than that, it is very useful!

> - Razor2. We are using DCC today, and it works well. Is it worth adding
> razor2? Or switch to Razor2 instead of DCC perhaps?

Use both. (but not pyzor)

Mark
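Review bot: the cap in the added line `$score = 5 if $score > 5;` is a hard-coded literal, so every site that wants a different ceiling has to re-patch FuzzyOcr.pm on each upgrade. Consider reading the limit from a configuration setting next to the other focr_* options (the name would be new, for example a hypothetical focr_max_score) and applying the clip only when that setting is defined. Also note the clip sits after the `infolog($debuginfo)` call in the context lines, so anything logged there was produced before the cap was applied; if the log is meant to reflect the score actually assigned to FUZZY_OCR, move the clip ahead of it or log the clipped value.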
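The p0f and BOTNET rules from the reply above, evaluated in Python as an added example (not part of the original message and not SpamAssassin code). The fingerprint strings are constructed samples, and the sketch assumes a message's contribution is the sum of the scores of every rule that hits:

```python
import re

# Header rules quoted in the message: (name, regex on X-Amavis-OS-Fingerprint, score)
P0F_RULES = [
    ("L_P0F_WXP",   r"^Windows XP(?![^(]*\b2000 SP)", 2.3),
    ("L_P0F_W",     r"^Windows(?! XP)", 1.3),
    ("L_P0F_UNKN",  r"^UNKNOWN", 0.8),
    ("L_P0F_Unix",  r"^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64|AIX)", -1.0),
    ("L_P0F_Linux", r"^Linux", -0.1),
]
META_SCORES = {"BOTNET": 0.1, "BOTNET_W": 2.8, "BOTNET_WU": 2.0, "BOTNET_OTHER": 0.5}


def evaluate(fingerprint, botnet, dkim_verified):
    """Return (hits, total) for one message under the rules above.

    botnet and dkim_verified stand in for the BOTNET and DKIM_VERIFIED
    rule results, which this sketch takes as given inputs.
    """
    hits = {name: score for name, rx, score in P0F_RULES
            if re.search(rx, fingerprint)}
    if botnet:
        windows = "L_P0F_WXP" in hits or "L_P0F_W" in hits
        botnet_w = (not dkim_verified) and windows
        botnet_wu = (not dkim_verified) and "L_P0F_UNKN" in hits
        hits["BOTNET"] = META_SCORES["BOTNET"]
        if botnet_w:
            hits["BOTNET_W"] = META_SCORES["BOTNET_W"]
        if botnet_wu:
            hits["BOTNET_WU"] = META_SCORES["BOTNET_WU"]
        if not botnet_w and not botnet_wu:
            hits["BOTNET_OTHER"] = META_SCORES["BOTNET_OTHER"]
    return hits, round(sum(hits.values()), 2)


if __name__ == "__main__":
    # Constructed sample header values, all with BOTNET hitting and no DKIM.
    samples = [
        "Windows XP/2000 (RFC1323+, w+, tstamp-)",  # XP rule fires
        "Windows XP SP1+, 2000 SP3",   # lookahead excludes it: no p0f rule hits
        "Windows 2000 SP4, XP SP1+",   # generic Windows rule fires
        "UNKNOWN [S4:64:1:60]",
        "FreeBSD 6.x (1)",
        "Linux 2.6 (newer, 3)",
    ]
    for fp in samples:
        hits, total = evaluate(fp, botnet=True, dkim_verified=False)
        print(f"{total:5.1f}  {fp:42s} {sorted(hits)}")
```

The second sample shows the effect of the negative lookahead in L_P0F_WXP: a fingerprint that names "2000 SP" before any parenthesis matches neither Windows rule, so a BOTNET hit on it falls through to BOTNET_OTHER.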