Re: Need help running SA in a (comparative) anti-spam test
On 29-Nov-2009, at 04:59, Jonas Eckerman wrote:
> I'd assume that a big ISP using SA (and wants the best from SA install) would pay to use the better DNSBLs.

I've found pretty much the opposite; the larger the ISP, the worse job they do filtering spam for their customers. The only exception is gmail which does a pretty decent job. Though my mailserver does a much better job.

--
the nasty little sound of a sword being unsheathed right behind one at just the point when one thought one had disposed of one's enemies [...] It was that kind of laugh. --Equal Rites
Re: Need help running SA in a (comparative) anti-spam test
Martijn Grooten wrote:
> - I'm happy to add any extensions as long as these are also free and open source -- note that our 'target audience' includes big ISPs and unfortunately for them things as Spamhaus's RBL aren't free;

This doesn't make any sense. You are comparing SA to commercial products that aren't free, and which may use their providers own black lists or even include a volume license for third party lists, and yet you won't allow SA to use lists that aren't completely free?

I'd assume that a big ISP using SA (and wants the best from SA install) would pay to use the better DNSBLs.

Regards
/Jonas

--
Jonas Eckerman
Fruktträdet Förbundet Sveriges Dövblinda
http://www.fsdb.org/ http://www.frukt.org/ http://whatever.frukt.org/
Re: Need help running SA in a (comparative) anti-spam test
On søn 29 nov 2009 12:59:32 CET, Jonas Eckerman wrote
> I'd assume that a big ISP using SA (and wants the best from SA install) would pay to use the better DNSBLs.

ask recipient if a isp does a well good job of stopping spam to ones inbox, paid dnsbl or not :=)

shared rbl lists is silly, since ip is also ham or at least spam is not bound to ip only, that's why bayes track a lot of parts in a mail to distinguish it

uribl is another better way to check spam, since it's based on content not just a spamming / hamming ip

spammers believe hey lets use a ip as hostname to bypass domain blacklists :)

--
xpoint
Re: Need help running SA in a (comparative) anti-spam test
Martijn Grooten wrote:
> All, a few months back, there was a discussion on this list about the VBSpam comparative anti-spam tests[1], in which SpamAssassin performed significantly worse than many commercial products. Now I run these tests and I believe something was the matter with (the installation of) SA that made it perform so badly. For understandable reasons, none of the developers had time to help me set it up well for our test, so we decided to withdraw it for the time being.

I am the official ports maintainer for the freebsd SA port, and I find that a default out of the box SA install (after its first 'sa-update') keeps about an 86% accuracy rate. (assuming a reasonable MTA setup that blocks DHA's, emails to unknown users, and counts the DHA's as email for 'total email' part of the accuracy tests)

I say make sure you leave sa in its default configuration, and make sure SUSE isn't changing the defaults. Grab local.cf and the *.pre's from the SA distribution files instead of anything SUSE does (I know that the freebsd port does modify a couple of the defaults, mostly decisions on razor I think)

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008
Re: Need help running SA in a (comparative) anti-spam test
Alex wrote:
> Hi,
>
>> - I'm happy to add any extensions as long as these are also free and open source -- note that our 'target audience' includes big ISPs and unfortunately for them things as Spamhaus's RBL aren't free;
>
> Do the commercial vendors get to use publicly-available DNSBLs like zen?

It's not the commercial vendors who are using these DNSBLs, it's the customers of their products who are the users.

> If so, and since they use them for commercial purposes, do they license its use in cases such as for this bake-off?

The licensing isn't their problem. A commercial vendor can put in a hook to its product to use Zen but that doesn't make that vendor liable if a user of its product uses Zen against some sort of restriction by Zen against commercial use.

Ted

> How does zen compare with the commercial DNSBLs that the commercial vendors have themselves and we don't have access to?
>
> Thanks,
> Alex
Need help running SA in a (comparative) anti-spam test
All,

a few months back, there was a discussion on this list about the VBSpam comparative anti-spam tests[1], in which SpamAssassin performed significantly worse than many commercial products.

Now I run these tests and I believe something was the matter with (the installation of) SA that made it perform so badly. For understandable reasons, none of the developers had time to help me set it up well for our test, so we decided to withdraw it for the time being.

I would still love to have the product back in the test. The test is paid-for, but free for free, open source products and we made that decision because we really wanted to have SA and others in the test. Now some people offered on this list to help me and that is why I'm writing this email -- Justin is happy for the community to help me.

If there are people who are willing to help me set up SA so that it runs in ideal circumstances for our test, could they reply to me off-list[2] at this address or, even better, at martijn.groo...@virusbtn.com.

A couple of things:

- the main MTA for the test runs Qpsmtpd[3] on SUSE Linux Enterprise Server 11 and SA is run as a Qpsmtpd-plugin;
- from what it seems, all that SA was (and is) doing is doing some heuristic checks on the body of the email, which makes it catch about 50% of spam, with relatively many (several per cents) false positives; it checks every hour or so for updates, but these are rarely found;
- I'm happy to add any extensions as long as these are also free and open source -- note that our 'target audience' includes big ISPs and unfortunately for them things as Spamhaus's RBL aren't free;
- we don't white-list good senders (or blacklist bad ones) in any product, nor do we give 'feedback' to the products[4];
- I won't include SA in the test before the developers are happy with it being included: I know that some of the above rules might disproportionally disadvantage SA, so I would understand if they were to decide they wouldn't want it to be included.

It is not in our intention to make SA look bad!

Thanks.

Martijn.

[1] http://www.virusbtn.com/vbspam
[2] but, because I hate people who post once and ask to be contacted off-list, I will keep checking the list too!
[3] http://smtpd.develooper.com/
[4] we do give generic feedback to developers though: e.g. hey, you blocked a lot of newsletters, or you missed a lot of spam in Japanese. In the end of the day, the goal of our test is to make products better.
Re: Need help running SA in a (comparative) anti-spam test
Martijn,

I may be missing something here but I went to your website and you use the terms malware and spam interchangeably.

Now, it may be true that these days in the commercial realm that the antivirus vendors are all jumping into the anti-spam market to enhance revenue, but in reality, viruses are a subset of spam.

It may be true that most commercial antispam products are in reality, full-meal-deal products that do both virus and spam filtering, but SpamAssassin is not, and was never intended to be.

SA isn't going to guarantee to capture viruses, it doesn't even try to capture viruses. It tries to identify spam - and there's a lot more spam out there than virus-laden e-mail.

When a mail message has a virus, or has a link to a virus, it's possible to make a black-and-white decision on that message. But it's not possible to make a black and white decision on spam. What's one man's spam is another man's ham.

You have to run SA in conjunction with a virus scanner - probably the most common one people use is clamAV - for it to be any good as a full meal deal solution.

Further, use of blacklists is a significant difference as well. These commercial full-meal-deal products you're comparing have 5 possible components that could be present in them to filter spam (what is actually there is not known since commercial products don't disclose source):

1) a private blacklist run by the vendor that's checked for each message and distributed to each installation of product.
2) Access to free public blacklists that can also be used for checking.
3) A database of viruses in the product that's checked for each message.
4) some heuristic checks on the body of the email within the product.
5) Reporting back questionable, identified-as-possibly-spam-but-I-don't-know-for-certain e-mails to a master server for further analysis, or possible comparison to a known database of spam held by the vendor

I'm not saying all commercial full-meal-deal products have all 5 of these components, just that they MIGHT - and there's no way to know unless the source is published.

The fact that SA, alone, was able to get 50% based on heuristic checks on the body of the email only, compared to these commercial products which have such a vast possible advantage is simply stunning, when you put it in perspective.

In your test installation:

SA didn't virus scan
SA didn't use any private blacklists
SA didn't use any public blacklists
SA didn't pass questionables to a more authoritative vendor-owned mainframe for scanning

And yet, it still got 50% of them. I don't call that poor performance. SA had 4 of its 5 hands tied behind its back in your test and still got halfway there. Untie 1 or 2 more and make it an apples-to-apples comparison and it will be kicking those commercial full-meal-deal product's asses around the block

Ted

Martijn Grooten wrote:
> All,
>
> a few months back, there was a discussion on this list about the VBSpam comparative anti-spam tests[1], in which SpamAssassin performed significantly worse than many commercial products.
>
> Now I run these tests and I believe something was the matter with (the installation of) SA that made it perform so badly. For understandable reasons, none of the developers had time to help me set it up well for our test, so we decided to withdraw it for the time being.
>
> I would still love to have the product back in the test. The test is paid-for, but free for free, open source products and we made that decision because we really wanted to have SA and others in the test. Now some people offered on this list to help me and that is why I'm writing this email -- Justin is happy for the community to help me.
>
> If there are people who are willing to help me set up SA so that it runs in ideal circumstances for our test, could they reply to me off-list[2] at this address or, even better, at martijn.groo...@virusbtn.com.
>
> A couple of things:
>
> - the main MTA for the test runs Qpsmtpd[3] on SUSE Linux Enterprise Server 11 and SA is run as a Qpsmtpd-plugin;
> - from what it seems, all that SA was (and is) doing is doing some heuristic checks on the body of the email, which makes it catch about 50% of spam, with relatively many (several per cents) false positives; it checks every hour or so for updates, but these are rarely found;
> - I'm happy to add any extensions as long as these are also free and open source -- note that our 'target audience' includes big ISPs and unfortunately for them things as Spamhaus's RBL aren't free;
> - we don't white-list good senders (or blacklist bad ones) in any product, nor do we give 'feedback' to the products[4];
> - I won't include SA in the test before the developers are happy with it being included: I know that some of the above rules might disproportionally disadvantage SA, so I would understand if they were to decide they wouldn't want it to be included.
>
> It is not in our intention to make SA look bad!
>
> Thanks.
>
> Martijn.
>
> [1]
Re: Need help running SA in a (comparative) anti-spam test
Martijn Grooten wrote:
> - I'm happy to add any extensions as long as these are also free and open source -- note that our 'target audience' includes big ISPs and unfortunately for them things as Spamhaus's RBL aren't free;

I'm not in any way trying to jump on what you're trying to do as I firmly believe SpamAssassin can be every bit as effective, if not more so, than any commercial product in fighting spam.

However, I would just like to raise one point - perhaps others can comment as to the technical correctness, but I was under the impression that the Spamhaus (and other) DNSBLs are enabled as part of the default SpamAssassin install (and weighted scoring system), so if you disable these tests because they are not free to larger volume users then you are not really testing the default product, but one in which you have disabled some of the more effective constituent parts. This IMHO would put SpamAssassin at a considerable disadvantage.

To give an analogy you might be more familiar with, it's a bit like you testing an antivirus product but saying we're not going to use any signatures as these aren't free (they require a paid subscription), so will only use heuristics and then wondering why said AV product only catches 50% of your sample viruses :-/

Personally, I'd rather see you test SpamAssassin with DNSBLs such as Spamhaus enabled as per a default installation, and note that such a configuration is only free for users producing less than 100,000 queries per day (or whatever Spamhaus' current limitations are). I assume the other commercial products in your tests are tested in their default configurations?
Re: Need help running SA in a (comparative) anti-spam test
Hi,

> - I'm happy to add any extensions as long as these are also free and open source -- note that our 'target audience' includes big ISPs and unfortunately for them things as Spamhaus's RBL aren't free;

Do the commercial vendors get to use publicly-available DNSBLs like zen? If so, and since they use them for commercial purposes, do they license its use in cases such as for this bake-off?

How does zen compare with the commercial DNSBLs that the commercial vendors have themselves and we don't have access to?

Thanks,
Alex
Re: spam test
http://hege.li/howto/spam/spamassassin.html

Remove everything from Botnet.cf RULES-section and set it up this way:

Does the above line mean to remove from the # THE RULES?

regards
Re: spam test
The last one is the lowest scoring here, look at the results:

For the first mail:

Content analysis details:   (13.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5751]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [88.155.128.48 listed in dnsbl.sorbs.net]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [88.155.128.48 listed in zen.spamhaus.org]
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

The second one:

Content analysis details:   (14.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 1.0 DC_IMG_TEXT_RATIO      BODY: Low body to pixel area ratio
 0.5 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.5 HTML_IMAGE_ONLY_16     BODY: HTML: images with 1200-1600 bytes of words
 0.6 SARE_SPEC_LEO_LINE03e  RAW: common Leo body text
 1.0 DC_IMG_HTML_RATIO      RAW: Low rawbody to pixel area ratio
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

The third one:

Content analysis details:   (14.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5442]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [84.2.4.148 listed in zen.spamhaus.org]
 3.0 BOTNET                 BOTNET
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

And finally, the low one:

Content analysis details:   (5.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 0.3 RCVD_ILLEGAL_IP        Received: contains illegal IP address
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [12.162.173.226 listed in dnsbl.sorbs.net]

I give the BOUNCE_MESSAGE a high score because the bounce backs were driving me (and my users) mad. So I just throw them away. I know it's not very RFC-something style, but works like a charm ;-)

Luix

2007/4/10, Spamassassin List [EMAIL PROTECTED]:
> http://hege.li/howto/spam/spamassassin.html
>
> Remove everything from Botnet.cf RULES-section and set it up this way:
>
> Does the above line mean to remove from the # THE RULES?
>
> regards

--
- GNU-GPL: May The Source Be With You... -
spam test
Can anyone run any of these messages to see how your rules score them? Mostly stock symbol spam. I've been improving our scoring with updates today, but still not able to come up with any rules to cover these:

http://esmtp.webtent.net/mail1.txt
http://esmtp.webtent.net/mail2.txt
http://esmtp.webtent.net/mail3.txt
http://esmtp.webtent.net/mail4.txt

For instance, the first one I ran on a system with bayes working and on a system without, as you can see, hardly scored :(

Content analysis details:   (-2.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]

Content analysis details:   (0.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
_SUMMARY_

--
Robert
Re: spam test
--- Robert Fitzpatrick [EMAIL PROTECTED] wrote:
> Can anyone run any of these messages to see how your rules score them? Mostly stock symbol spam. I've been improving our scoring with updates today, but still not able to come up with any rules to cover these:
>
> http://esmtp.webtent.net/mail1.txt
> http://esmtp.webtent.net/mail2.txt
> http://esmtp.webtent.net/mail3.txt
> http://esmtp.webtent.net/mail4.txt
>
> For instance, the first one I ran on a system with bayes working and on a system without, as you can see, hardly scored :(
>
> Content analysis details:   (-2.5 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
> -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
>                             [score: 0.]
>
> Content analysis details:   (0.0 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> _SUMMARY_

It is a pretty low score for a stock spam even with my setup which uses rulesdujour in addition to whatever spamassassin uses. Looks like you could use some blacklisting type rules or plugins:

[22947] dbg: check: is spam? score=5.893 required=3.5
[22947] dbg: check: tests=BAYES_40,FORGED_RCVD_HELO,RCVD_IN_SORBS_DUL,RCVD_IN_XBL
Re: spam test
At 01:53 PM 4/9/2007, Robert Fitzpatrick wrote:
> Can anyone run any of these messages to see how your rules score them? Mostly stock symbol spam. I've been improving our scoring with updates today, but still not able to come up with any rules to cover these:
>
> http://esmtp.webtent.net/mail1.txt

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.7,ip=88.155.128.48,hostname=bzq-88-155-128-48.red.bezeqint.net,maildomain=natuurfoto.com,client,ipinhostname]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [88.155.128.48 listed in dnsbl.sorbs.net]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [88.155.128.48 listed in sbl-xbl.spamhaus.org]

> http://esmtp.webtent.net/mail2.txt

X-Spam-Status: No, score=2.7 required=5.0 tests=HTML_IMAGE_ONLY_16,
	HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_BOUND_NEXTPART,SARE_SPEC_LEO_LINE03e,
	SHORT_HELO_AND_INLINE_IMAGE autolearn=no version=3.1.8

> http://esmtp.webtent.net/mail3.txt

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.7,ip=84.2.4.148,hostname=dsl54020494.pool.t-online.hu,maildomain=saarcom.de,client,ipinhostname,clientwords]

> http://esmtp.webtent.net/mail4.txt

X-Spam-Status: No, score=0.2 required=5.0 tests=RCVD_ILLEGAL_IP autolearn=no
	version=3.1.8

That's my system...
Re: spam test
We don't use Botnet anymore, it fires on anything/everything and drives me nuts.

Content analysis details:   (7.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 FH_RELAY_NODNS         We could not determine your Reverse DNS
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
-0.0 SPF_PASS               SPF: sender matches SPF record
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [88.155.128.48 listed in dnsbl.sorbs.net]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [88.155.128.48 listed in zen.spamhaus.org]

Evan Platt wrote:
> At 01:53 PM 4/9/2007, Robert Fitzpatrick wrote:
>> Can anyone run any of these messages to see how your rules score them? Mostly stock symbol spam. I've been improving our scoring with updates today, but still not able to come up with any rules to cover these:
>>
>> http://esmtp.webtent.net/mail1.txt
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  5.0 BOTNET                 Relay might be a spambot or virusbot
>                             [botnet0.7,ip=88.155.128.48,hostname=bzq-88-155-128-48.red.bezeqint.net,maildomain=natuurfoto.com,client,ipinhostname]
>  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
>                             [88.155.128.48 listed in dnsbl.sorbs.net]
>  3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>                             [88.155.128.48 listed in sbl-xbl.spamhaus.org]
>
>> http://esmtp.webtent.net/mail2.txt
>
> X-Spam-Status: No, score=2.7 required=5.0 tests=HTML_IMAGE_ONLY_16,
> 	HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_BOUND_NEXTPART,SARE_SPEC_LEO_LINE03e,
> 	SHORT_HELO_AND_INLINE_IMAGE autolearn=no version=3.1.8
>
>> http://esmtp.webtent.net/mail3.txt
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  5.0 BOTNET                 Relay might be a spambot or virusbot
>                             [botnet0.7,ip=84.2.4.148,hostname=dsl54020494.pool.t-online.hu,maildomain=saarcom.de,client,ipinhostname,clientwords]
>
>> http://esmtp.webtent.net/mail4.txt
>
> X-Spam-Status: No, score=0.2 required=5.0 tests=RCVD_ILLEGAL_IP autolearn=no
> 	version=3.1.8
>
> That's my system...
Re: spam test
Peter Russell wrote the following on 4/9/2007 3:41 PM -0800:
> We don't use Botnet anymore, it fires on anything/everything and drives me nuts.

You must not have Botnet and/or your trusted_networks setup correctly then.

Bill
Re: spam test
Bill Landry wrote:
> Peter Russell wrote the following on 4/9/2007 3:41 PM -0800:
>> We don't use Botnet anymore, it fires on anything/everything and drives me nuts.
>
> You must not have Botnet and/or your trusted_networks setup correctly then.
>
> Bill

I am running Postfix+Amavisd-new+SA 3.1.7 gateways on two different public networks. My trusted networks are setup with those networks where these gateways operate. Most delivery is also on those networks, however, I have several off-network locations being delivered to and several users using these gateways as smarthost for their own MS Exchange servers. Is it safe for me to use Botnet with my trusted networks setup as described?

--
Robert
Re: spam test
Robert Fitzpatrick wrote the following on 4/9/2007 4:37 PM -0800:
> Bill Landry wrote:
>> Peter Russell wrote the following on 4/9/2007 3:41 PM -0800:
>>> We don't use Botnet anymore, it fires on anything/everything and drives me nuts.
>>
>> You must not have Botnet and/or your trusted_networks setup correctly then.
>>
>> Bill
>
> I am running Postfix+Amavisd-new+SA 3.1.7 gateways on two different public networks. My trusted networks are setup with those networks where these gateways operate. Most delivery is also on those networks, however, I have several off-network locations being delivered to and several users using these gateways as smarthost for their own MS Exchange servers. Is it safe for me to use Botnet with my trusted networks setup as described?

Sure, your setup is much like mine and botnet runs fine in our environment. Just take a bit of time to setup botnet and your trusted_networks correctly and all will run just fine.

Bill
Re: spam test
I have my trusted network setup correctly - but botnet fires on so many domains, domains which would normally like to trust. Yes it's entirely possible it's not set up right...but I followed the instructions as best I could.

Bill Landry wrote:
> Robert Fitzpatrick wrote the following on 4/9/2007 4:37 PM -0800:
>> Bill Landry wrote:
>>> Peter Russell wrote the following on 4/9/2007 3:41 PM -0800:
>>>> We don't use Botnet anymore, it fires on anything/everything and drives me nuts.
>>>
>>> You must not have Botnet and/or your trusted_networks setup correctly then.
>>>
>>> Bill
>>
>> I am running Postfix+Amavisd-new+SA 3.1.7 gateways on two different public networks. My trusted networks are setup with those networks where these gateways operate. Most delivery is also on those networks, however, I have several off-network locations being delivered to and several users using these gateways as smarthost for their own MS Exchange servers. Is it safe for me to use Botnet with my trusted networks setup as described?
>
> Sure, your setup is much like mine and botnet runs fine in our environment. Just take a bit of time to setup botnet and your trusted_networks correctly and all will run just fine.
>
> Bill
Re: spam test
On one server I manage, I found Botnet to be a tremendous help in tagging spam, but does produce some FPs, almost entirely because of misconfigured DNS. After notifying several mail/network admins of their fubar DNS, I got tired of trying to clean up the Internet and throttled Botnet back to 4.5 points, since it was often the only spammy factor in the FP. The only other thing I've had to do was whitelist_from_rcvd a couple of remote users who want to send mail directly through our server. I'm still a big fan of Botnet.

On a related note, I once set up a new Postfix server for our local ISP to require an rDNS of a connecting client, but got a number of complaints, so I dropped that requirement. I can't fix everyone's screwed up DNS. Be nice if someone could hold their feet to the fire. IIRC, there is a major player on this list who says mail admins without a proper rDNS can go suck a rock, ... or something to that effect. Rave on, brother.

On Tue, Apr 10, 2007 at 10:19:06AM +1000, Peter Russell wrote:
> I have my trusted network setup correctly - but botnet fires on so many domains, domains which would normally like to trust. Yes it's entirely possible it's not set up right...but I followed the instructions as best I could.
>
> Bill Landry wrote:
>> Robert Fitzpatrick wrote the following on 4/9/2007 4:37 PM -0800:
>>> Bill Landry wrote:
>>>> Peter Russell wrote the following on 4/9/2007 3:41 PM -0800:
>>>>> We don't use Botnet anymore, it fires on anything/everything and drives me nuts.
>>>>
>>>> You must not have Botnet and/or your trusted_networks setup correctly then.
>>>>
>>>> Bill
>>>
>>> I am running Postfix+Amavisd-new+SA 3.1.7 gateways on two different public networks. My trusted networks are setup with those networks where these gateways operate. Most delivery is also on those networks, however, I have several off-network locations being delivered to and several users using these gateways as smarthost for their own MS Exchange servers. Is it safe for me to use Botnet with my trusted networks setup as described?
>>
>> Sure, your setup is much like mine and botnet runs fine in our environment. Just take a bit of time to setup botnet and your trusted_networks correctly and all will run just fine.
>>
>> Bill

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
Therefore, as God's chosen people, holy and dearly loved, clothe yourselves with compassion, kindness, humility, gentleness and patience. Colossians 3:12 (NIV)
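
Added example, not part of any post in this thread: a parser for the "Content analysis details" reports quoted above that shows which rules decide a verdict, the situation behind throttling BOTNET to 4.5 points when it is the only rule that fired. The function names are hypothetical, the sample reports are constructed from rows quoted in the thread, and it assumes a message is tagged once its total reaches the required score.

```python
import re

# Constructed samples: rows copied from score reports quoted in the thread and
# laid out in SpamAssassin's report columns. The 5.0-point total of the second
# sample is an assumption (the post showed the BOTNET row without a total).
REPORT_LOW = """\
Content analysis details:   (5.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- ------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 0.3 RCVD_ILLEGAL_IP        Received: contains illegal IP address
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
"""

REPORT_BOTNET_ONLY = """\
Content analysis details:   (5.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- ------------------------------------------
 5.0 BOTNET                 Relay might be a spambot or virusbot
"""

HEADER_RE = re.compile(r"\(\s*(-?\d+(?:\.\d+)?) points, (-?\d+(?:\.\d+)?) required\)")
# A hit row starts with a decimal score followed by the rule name; header,
# separator and bracketed continuation lines do not match.
ROW_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Za-z0-9_]+)\s")


def tenths(points):
    """Convert a score in points to integer tenths, avoiding float drift."""
    return int(round(float(points) * 10))


def parse_report(text):
    """Return (required_tenths, {rule: score_tenths}) for one report."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no '(N points, M required)' header found")
    hits = {}
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            hits[row.group(2)] = tenths(row.group(1))
    return tenths(header.group(2)), hits


def is_spam(hits, required):
    # Assumption: tagged as spam once the total reaches the required score.
    return sum(hits.values()) >= required


def decisive_rules(hits, required):
    """Rules whose removal alone would flip a spam verdict to ham."""
    if not is_spam(hits, required):
        return []
    total = sum(hits.values())
    return sorted(r for r, s in hits.items() if total - s < required)


def sole_deciders(hits, required):
    """Rules that reach the threshold with no other evidence at all."""
    return sorted(r for r, s in hits.items() if s >= required)


def rescore(hits, overrides):
    """Apply local score overrides given in points, e.g. {"BOTNET": 4.5}."""
    return {r: tenths(overrides[r]) if r in overrides else s
            for r, s in hits.items()}


if __name__ == "__main__":
    for name, report in (("low", REPORT_LOW), ("botnet-only", REPORT_BOTNET_ONLY)):
        required, hits = parse_report(report)
        print(name, "spam" if is_spam(hits, required) else "ham",
              "decisive:", decisive_rules(hits, required),
              "sole deciders:", sole_deciders(hits, required))
    required, hits = parse_report(REPORT_BOTNET_ONLY)
    throttled = rescore(hits, {"BOTNET": 4.5})
    print("botnet-only at 4.5:", "spam" if is_spam(throttled, required) else "ham")
```

A rule listed by `sole_deciders` turns a single misfire into a false positive; one that appears only in `decisive_rules` still needs corroborating hits before the message is tagged.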