On Fri, Jan 16, 2009 at 01:52:46PM +0100, Jonas Eckerman wrote:
> Benny Pedersen wrote:
>
>> i have changed to use BadRelay from
>> http://sa.hege.li/BadRelay.pm
>> http://sa.hege.li/BadRelay.cf
>
> After reading BadRelay.pm I see that it does not really replace Botnet.
>
> Some of the differences in what is checked are due to Botnet doing
> DNS-lookups while BadRelay avoids that. That's fair enough since one of
> the points of BadRelay is to avoid those lookups. It does mean that
> BadRelay has less info to base decisions on than Botnet though.
Less info only if you are running a sad MTA that doesn't properly resolve.
I guess the SOHO rule is an exception, but I've never seen a need for it
myself. You can always whitelist such minority cases by hand.

> One difference is simply due to the fact that all Badrelay does is the
> simple regexp matches. BadRelay doesn't have Botnet's check for IP in
> host name, which it could do without DNS lookups.

Check for IP in hostname? Does anyone have actual stats that it's somehow
better than a generic \d+-\d+ regex or whatever? Sometimes it's just better
to KISS.

Btw, I haven't touched BadRelay in ages, since all these "dynamic" etc
checks should be done in MTA. I pretty much don't get anything through to
SA that would get hit by it.

> What would be nice though would be a plugin that:
> ...

All this should be generic SA stuff.. :) If only someone would have time
to revamp the current (old) rules.
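To make the "IP in hostname" versus "generic regex" question concrete, here is an added example (not code from the thread, and not Botnet's or BadRelay's implementation) that puts a Botnet-style IP-in-rDNS check next to a shape-only pattern in the spirit of \d+-\d+ and runs both over a handful of constructed reverse-DNS names. The sample names, the pattern, and the helper names are assumptions made for the illustration; neither check does a DNS lookup, the IP-aware one just needs the connecting address that the MTA or Received header already provides.

```python
import re
import ipaddress

# Constructed sample (reverse-DNS name, connecting IP) pairs for illustration;
# they are not data from the thread, Botnet or BadRelay.
SAMPLES = [
    ("cpe-192-168-1-23.example-isp.net", "192.168.1.23"),   # octets in order
    ("host-23-1-168-192.example-isp.net", "192.168.1.23"),  # octets reversed
    ("c0a80117.dyn.example-isp.net", "192.168.1.23"),       # IP as 8 hex digits
    ("dsl-203-0-113-10.example-isp.net", "203.0.113.10"),
    ("mail.example.com", "203.0.113.10"),                   # ordinary MX-style name
    ("mx2.example.org", "203.0.113.10"),
]

# Generic "looks dynamic" pattern in the spirit of \d+-\d+: three digit runs
# separated by '-' or '.'. Looks only at the name's shape, never at the IP.
GENERIC_DYNAMIC_RE = re.compile(r"\d+[-.]\d+[-.]\d+")
HEX_RUN_RE = re.compile(r"[0-9a-f]{8}")


def looks_dynamic_generic(hostname):
    """Cheap regex check that only looks at the hostname's shape."""
    return GENERIC_DYNAMIC_RE.search(hostname.lower()) is not None


def _digit_runs(hostname):
    """All maximal decimal digit runs in the name, as ints (leading zeros dropped)."""
    return [int(run) for run in re.findall(r"\d+", hostname)]


def _has_window(runs, target):
    """True if target appears as a contiguous sub-list of runs."""
    n = len(target)
    return any(runs[i:i + n] == target for i in range(len(runs) - n + 1))


def ip_in_hostname(hostname, ip):
    """Botnet-style check: does the rDNS name embed the connecting IPv4 address,
    as its four octets in order, in reverse order, or as 8 hex digits?
    Needs the IP (known from the connection) but performs no DNS lookup."""
    name = hostname.lower()
    addr = ipaddress.IPv4Address(ip)
    octets = list(addr.packed)          # four octets as ints
    runs = _digit_runs(name)
    if _has_window(runs, octets) or _has_window(runs, octets[::-1]):
        return True
    # Hex form, e.g. c0a80117 for 192.168.1.23
    return any(int(h, 16) == int(addr) for h in HEX_RUN_RE.findall(name))


def compare(samples=SAMPLES):
    """Run both checks over the samples; returns (name, generic, ip_in_name) rows."""
    return [(name, looks_dynamic_generic(name), ip_in_hostname(name, ip))
            for name, ip in samples]


if __name__ == "__main__":
    for name, generic, embedded in compare():
        print(f"{name:40} generic={generic!s:5} ip_in_name={embedded}")
```

On these samples the two checks agree everywhere except the hex-encoded name, which the shape-only regex cannot see but the IP-aware check catches; that is the kind of case where the extra information buys something, and whether it shows up often enough in real traffic to matter is exactly the stats question raised above.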