On Tue, 2007-07-03 at 16:39 +0200, Cliff Stanford wrote:
> I'm still a bit vague on how the SpamAssassin rules fit together but
> I've noticed that, since upgrading to the latest version, I'm getting a
> lot of false positives.
> 
> The common cause seems to be Botnet.cf. 

Botnet is very aggressive by default.  Combining it with p0f, it is
almost useful.  Setting up p0f support is a non-trivial exercise, for
which there are good articles in the archives that would explain it much
better than I could do here.

My rules are:

meta  BOTNET_WXP    !DKIM_VERIFIED && !DK_VERIFIED && L_P0F_WXP && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_WXP    3.2

meta  BOTNET_W      !DKIM_VERIFIED && !DK_VERIFIED && (L_P0F_W || L_P0F_UNKN) && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_W      2.0

meta  BOTNET_OTHER  !BOTNET_W && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_OTHER  0.5

I'm still getting a trickle of false positives, but that seems to be
much more realistic than 5 for everything.
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
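To see how the three meta rules above interact, here is an added example (not part of the original message, and not SpamAssassin's own code) that evaluates them over constructed sets of rule hits and reports the score each message would collect from this block alone; the rule names are those in the post, and the sample hit sets are made up.

```python
# Added example: re-implements the three Botnet/p0f meta rules from the post
# as plain Python so their combined behaviour can be inspected on sample hits.
from typing import Dict, FrozenSet, Iterable

# Scores exactly as given in the post.
SCORES = {"BOTNET_WXP": 3.2, "BOTNET_W": 2.0, "BOTNET_OTHER": 0.5}
BOTNET_SUBRULES = ("BOTNET_CLIENT", "BOTNET_BADDNS", "BOTNET_NORDNS")


def evaluate_botnet_metas(hits: FrozenSet[str]) -> Dict[str, bool]:
    """Return which of the three meta rules fire for a set of hit rule names.

    `hits` is the set of rules SpamAssassin already matched on the message,
    e.g. {"BOTNET_CLIENT", "L_P0F_WXP"}. Unknown names count as not hit.
    """
    h = lambda name: name in hits
    # (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0: any Botnet sub-rule hit
    any_botnet = sum(h(r) for r in BOTNET_SUBRULES) > 0
    # Neither DKIM nor DomainKeys verified the sender.
    unsigned = not h("DKIM_VERIFIED") and not h("DK_VERIFIED")

    botnet_wxp = unsigned and h("L_P0F_WXP") and any_botnet
    botnet_w = unsigned and (h("L_P0F_W") or h("L_P0F_UNKN")) and any_botnet
    # As written, BOTNET_OTHER excludes only BOTNET_W, not BOTNET_WXP, so a
    # Windows XP hit collects 3.2 + 0.5, and a DKIM-signed host still gets 0.5.
    botnet_other = (not botnet_w) and any_botnet
    return {"BOTNET_WXP": botnet_wxp, "BOTNET_W": botnet_w, "BOTNET_OTHER": botnet_other}


def botnet_score(hits: Iterable[str]) -> float:
    """Total score contributed by the three meta rules for the given hits."""
    fired = evaluate_botnet_metas(frozenset(hits))
    return round(sum(SCORES[name] for name, on in fired.items() if on), 1)


if __name__ == "__main__":
    # Constructed sample hit sets, not taken from real messages.
    samples = {
        "unsigned Windows XP host, bad rDNS": {"L_P0F_WXP", "BOTNET_BADDNS"},
        "DKIM-signed Windows XP host, bad rDNS": {"L_P0F_WXP", "BOTNET_BADDNS", "DKIM_VERIFIED"},
        "unsigned, OS unknown to p0f, client-like name": {"L_P0F_UNKN", "BOTNET_CLIENT"},
        "unsigned, no p0f rule hit, no rDNS": {"BOTNET_NORDNS"},
        "clean message": set(),
    }
    for desc, hits in samples.items():
        print(f"{desc:48s} -> {botnet_score(hits)}")
```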
