On Wed, 19 May 2010, Mark Martinec wrote:
> Andy,
>
> > Are the sample rules in the release notes still the preferred p0f ruleset
> > for SA?
>
> Yes, still valid. It's pretty much what I'm using at our site.
>
> The IP distance (hop count) rules may need tweaking if your site
> is close to poorly policed ISPs, but it works well in our academic
> networks topology.

I didn't add those...I'm thinking about adding them with a .001 score so I
can run some analysis on the rules' effectiveness with our traffic. We're
pretty well connected; our datacenter has both Level3 fiber and transit via
Washington DC and Verizon fiber to Equinix Ashburn...so I would tend to
guess that spam and legit mail would range in a similar number of hops. We
could be very close to spam, and relatively far from ham. That's just an
assumption though. However, I have to think it would help with the
international spam, so I've been pondering it...instead of giving bonuses
to closer hosts, penalize more distant hosts.

> The BOTNET* rules may need replacing an old DKIM_VERIFIED rule with
> a DKIM_VALID, reflecting the change of a rule name with SpamAssassin 3.3.0.
>
> > Does anybody have any comments or experiences? We're in the process of
> > upgrading amavisd-new, and want to take this opportunity to utilize this
> > additional tool.
>
> Every little bit helps in fighting spam. P0f is quite effective
> in distinguishing Windows-based botnets from the rest. It is also
> quite useful with reducing numerous false positives of a Botnet
> plugin, if using it.

I rolled out the new mail cluster, and p0f is definitely a nice addition.
Everybody is happy with the improvements in filtering. However, the stats
reported by amavisd-agent seem very low compared to the logs. Here's one
server...FreeBSD, so it's fresh logfiles at midnight.
At roughly 7 AM:

mail-out01# grep L_P0F_WXP /var/log/maillog | wc -l
1419
mail-out01# grep L_P0F /var/log/maillog | wc -l
20833

Amavisd has been running for longer than the logfile:

sysUpTime TimeTicks 5913549 (0 days, 16:25:35.49)

But we get:

virus.byOS.Windows-2000        228   14/h   71.2 %
virus.byOS.Windows-XP/2000      47    3/h   14.7 %
virus.byOS.UNKNOWN              33    2/h   10.3 %
virus.byOS.Windows-XP            7    0/h    2.2 %
virus.byOS.Linux                 4    0/h    1.2 %
spam.byOS.Windows-2003         134    8/h    0.3 %
spam.byOS.Linux                134    8/h    0.3 %
spam.byOS.Windows-2000         102    6/h    0.3 %
spam.byOS.UNKNOWN               35    2/h    0.1 %
spam.byOS.Solaris               17    1/h    0.0 %
spam.byOS.Windows-XP/2000       10    1/h    0.0 %
spam.byOS.Windows-SP3            5    0/h    0.0 %
spam.byOS.Windows-98             5    0/h    0.0 %
spam.byOS.FreeBSD                4    0/h    0.0 %
spam.byOS.Windows-XP             4    0/h    0.0 %
spam.byOS.Windows-95             4    0/h    0.0 %
spam.byOS.Novell                 3    0/h    0.0 %
spam.byOS.NetBSD                 2    0/h    0.0 %
ham.byOS.Linux                 799   49/h   25.5 %
ham.byOS.UNKNOWN               439   27/h   14.0 %
ham.byOS.Windows-2000          300   18/h    9.6 %
ham.byOS.FreeBSD               137    8/h    4.4 %
ham.byOS.Solaris                86    5/h    2.7 %
ham.byOS.Windows-XP             33    2/h    1.1 %
ham.byOS.Windows-XP/2000        21    1/h    0.7 %
ham.byOS.Google                  9    1/h    0.3 %
ham.byOS.Windows-98              8    0/h    0.3 %
ham.byOS.Windows-2003            5    0/h    0.2 %
ham.byOS.Novell                  2    0/h    0.1 %
ham.byOS.MacOS                   1    0/h    0.0 %

Is there something I'm missing?

Thanks,
Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---

------------------------------------------------------------------------------

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
Please visit http://www.ijs.si/software/amavisd/ regularly
For administrativa requests please send email to rainer at openantivirus dot org
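The following is an added worked example, not code from this thread, from amavisd-new or from SpamAssassin. It models two things discussed above: running the L_P0F_* header rules (including hop-count rules at a negligible .001 score so their spam/ham split can be measured before they carry weight), and a "penalize distant hosts rather than reward close ones" scoring curve. It also tallies messages per OS in the spam.byOS.* / ham.byOS.* form amavisd-agent prints, so the two views can be compared over the same input. Everything below is an assumption for illustration: the X-Amavis-OS-Fingerprint layout "OS (flags), (distance N, link: type), [ip]", the rule regexes and scores (patterned loosely on the release-notes rule set but not copied from it), the way the byOS key is derived from the OS name, and the sample fingerprints, which are constructed and not real traffic.

```python
"""Simulate a p0f-based SpamAssassin rule set over X-Amavis-OS-Fingerprint
header values and tally hits per OS the way amavisd-agent reports them.

Added example. Header layout, rule regexes, scores and byOS key derivation
are all assumptions made for illustration, not amavisd-new or SA code.
"""
import re
from collections import Counter

# Constructed sample fingerprints (not real traffic), each labelled with
# the verdict amavisd gave the message. Assumed layout:
# "OS (tcp flags), (distance N, link: type), [ip]"
SAMPLE_FINGERPRINTS = [
    ("spam", "Windows XP/2000 (RFC1323+, w+, tstamp-), (distance 21, link: ethernet/modem), [192.0.2.10]"),
    ("spam", "Windows 2000 SP4, XP SP1+, (distance 27, link: ethernet/modem), [198.51.100.7]"),
    ("spam", "UNKNOWN [S4:113:1:60:M1460,S,T,N,W7:.:?:?] (up: 3 hrs), (distance 18, link: ethernet/modem), [203.0.113.9]"),
    ("ham",  "Linux 2.6 (newer, 1) (up: 1200 hrs), (distance 9, link: ethernet/modem), [192.0.2.50]"),
    ("ham",  "FreeBSD 7.0-8.0 (up: 300 hrs), (distance 12, link: ethernet/modem), [198.51.100.22]"),
    ("ham",  "Windows XP SP1+, 2000 SP3 (2), (distance 14, link: ethernet/modem), [203.0.113.40]"),
    ("ham",  "Windows 2003 (1), (distance 6, link: ethernet/modem), [192.0.2.77]"),
]

# Illustrative rules: (name, regex over the header value, score). The
# hop-count rules get .001 so they can be measured without affecting
# verdicts, which is the dry-run approach described in the post.
RULES = [
    ("L_P0F_WXP",     re.compile(r"^Windows XP(?![^(]*\b2003)"),     1.2),
    ("L_P0F_W2K",     re.compile(r"^Windows 2000"),                  0.5),
    ("L_P0F_W2003",   re.compile(r"^Windows 2003"),                 -0.3),
    ("L_P0F_Unkn",    re.compile(r"^UNKNOWN"),                       0.3),
    ("L_P0F_Linux",   re.compile(r"^Linux"),                        -0.3),
    ("L_P0F_FreeBSD", re.compile(r"^FreeBSD"),                      -0.5),
    ("L_P0F_Dist16",  re.compile(r"\bdistance (1[6-9]|2[0-3])\b"),   0.001),
    ("L_P0F_Dist24",  re.compile(r"\bdistance (2[4-9]|[3-9]\d)\b"),  0.001),
]

DISTANCE_RX = re.compile(r"\bdistance (\d+)\b")


def fired_rules(fingerprint):
    """Return {rule_name: score} for every rule whose regex matches."""
    return {name: score for name, rx, score in RULES if rx.search(fingerprint)}


def hop_distance(fingerprint):
    """Hop count p0f inferred from the initial TTL, or None if absent."""
    m = DISTANCE_RX.search(fingerprint)
    return int(m.group(1)) if m else None


def distance_penalty(distance, free_hops=15, per_hop=0.1, cap=1.0):
    """Penalty-only hop scoring: nothing within free_hops, then per_hop
    per extra hop up to cap. Hosts that are close get no bonus, so a
    nearby botnet member is not rewarded for being nearby."""
    if distance is None:
        return 0.0
    return min(cap, max(0, distance - free_hops) * per_hop)


def os_key(fingerprint):
    """Approximate amavisd-agent's byOS key: first word of the OS name,
    plus the version word for Windows (assumption, e.g. Windows-XP/2000)."""
    words = fingerprint.split()
    if not words:
        return "UNKNOWN"
    key = words[0]
    if key == "Windows" and len(words) > 1:
        key += "-" + words[1].rstrip(",")
    return key


def tally_by_os(samples):
    """Counter keyed like amavisd-agent output: '<verdict>.byOS.<os>'."""
    counts = Counter()
    for verdict, fp in samples:
        counts[f"{verdict}.byOS.{os_key(fp)}"] += 1
    return counts


def rule_effectiveness(samples):
    """Per rule: how many spam and how many ham messages it fired on.
    This is the number the .001-score dry run is meant to produce."""
    stats = {}
    for verdict, fp in samples:
        for name in fired_rules(fp):
            stats.setdefault(name, {"spam": 0, "ham": 0})[verdict] += 1
    return stats


if __name__ == "__main__":
    for key, n in sorted(tally_by_os(SAMPLE_FINGERPRINTS).items()):
        print(f"{key:32s}{n:5d}")
    for name, s in sorted(rule_effectiveness(SAMPLE_FINGERPRINTS).items()):
        print(f"{name:16s} spam={s['spam']} ham={s['ham']}")
    for verdict, fp in SAMPLE_FINGERPRINTS:
        d = hop_distance(fp)
        print(f"{verdict:4s} distance={d:2d} penalty={distance_penalty(d):.1f}")
```

Run on a real site, the sample list would be replaced by fingerprints pulled from the logs together with their verdicts; rule_effectiveness() then answers the question the dry run is after (does a Dist rule fire mostly on spam, or on ham as well), and distance_penalty() shows what a penalty-only curve would have added had it been live.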