On 1/15/2009 1:36 AM, Rasmus Haslund wrote:
SM wrote:
  
"Botnet Plugin" sounds like a plugin that detects botnets ...  If 
Rasmus is finding that many false positives, then he's using the wrong tools.

Well I am not using the botnet plugin because I am not sure how to
implement it with the SA engine running in Icewarp Merak. Anyway we do
have a lot of problems with FP when we try out new things and I just have
to say some things just do not work well on a large scale where you
have to deal with all kinds of languages from all over the world.
  
OK, so thanks to Rob you all know what I concluded about the botnet plugin. It didn't work for us because of the very reasons Rasmus cites (too many hits on legitimate mail).

However, implementing it in Merak vs any other mail server isn't the issue. You just drop the plugin .pm file and the rules .cf file into your local configuration folder and restart it. No big deal to implement. 

If you choose to implement it, considering my own experience, I'd score it low and monitor what it hits on for a while, creating the exceptions (whitelist entries) you need before increasing the score. It's a bit of work to make sure it won't filter out a bunch of stuff you really need. Botnet will hit stuff that other rules won't, so it has real advantages. You just have to take the time to make sure you won't be losing stuff first.

Bret
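
Added example, not part of Bret's message: one way to do the "score it low and monitor what it hits on" step is to tally, per sender domain, the non-spam messages on which the Botnet rule fired, so the busiest legitimate senders become the first exception candidates. The rule name `BOTNET`, the standard `X-Spam-Status` header layout, and the sample messages are assumptions.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

RULE = "BOTNET"  # assumed rule name; use whatever your rules .cf file defines

def parse_status(value):
    """Return (is_spam, set_of_rule_names) from an X-Spam-Status header value."""
    flat = re.sub(r",\s+", ",", value)  # undo line folding inside the tests= list
    is_spam = flat.strip().lower().startswith("yes")
    m = re.search(r"tests=(\S*)", flat)
    names = m.group(1) if m else ""
    tests = set(names.split(",")) if names not in ("", "none") else set()
    return is_spam, tests

def botnet_hits_on_ham(raw_messages, rule=RULE):
    """Count, per sender domain, non-spam messages on which `rule` fired."""
    hits = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        is_spam, tests = parse_status(msg.get("X-Spam-Status", ""))
        if rule in tests and not is_spam:
            domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
            hits[domain or "(unknown)"] += 1
    return hits

# Constructed sample messages (headers only), not taken from any real mailbox.
SAMPLES = [
    "From: Billing <invoices@smallshop.example>\n"
    "X-Spam-Status: No, score=0.6 required=5.0 tests=BOTNET,\n"
    "\tHTML_MESSAGE autolearn=no\n\nbody\n",
    "From: orders@smallshop.example\n"
    "X-Spam-Status: No, score=0.5 required=5.0 tests=BOTNET autolearn=no\n\nbody\n",
    "From: Ops <ops@Partner.Example>\n"
    "X-Spam-Status: No, score=1.1 required=5.0 tests=BAYES_00,BOTNET\n\nbody\n",
    "From: win@bulk.example\n"
    "X-Spam-Status: Yes, score=9.4 required=5.0 tests=BOTNET,RDNS_NONE\n\nbody\n",
    "From: news@newsletter.example\n"
    "X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00\n\nbody\n",
]

if __name__ == "__main__":
    # Most frequent legitimate senders first: review these before raising the score.
    for domain, count in botnet_hits_on_ham(SAMPLES).most_common():
        print(f"{count:4d}  {domain}")
```

Run it over a sample of delivered mail for the monitoring period; domains that keep appearing are the ones to exempt before the score goes up.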
