Michael,

> P0f is right, but regexp on sample rule causes false positive.
> Number is high enough that it almost always pushes total score > 5.
> X-Amavis-OS-Fingerprint: Windows XP SP1+, 2000 SP3, (distance 11, link:
> System is confirmed to be a windows 2000 server, SP3.
>
> This rule is too broad:
> header L_P0F_WXP X-Amavis-OS-Fingerprint =~ /^Windows XP/

This was mentioned not that long ago on amavis and on the SA list.
My current settings are:

  header L_P0F_WXP X-Amavis-OS-Fingerprint =~ /^Windows XP(?![^(]*\b2000 SP)/
  score L_P0F_WXP 2.3
  header L_P0F_W X-Amavis-OS-Fingerprint =~ /^Windows(?! XP)/
  score L_P0F_W 1.4
  header L_P0F_UNKN X-Amavis-OS-Fingerprint =~ /^UNKNOWN/
  score L_P0F_UNKN 0.8
  header L_P0F_Unix X-Amavis-OS-Fingerprint =~ /^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64)/
  score L_P0F_Unix -1.0
  header L_P0F_Linux X-Amavis-OS-Fingerprint =~ /^Linux/
  score L_P0F_Linux -0.1

Combined with Botnet-0.7 plugin rules I have:

  meta BOTNET_W !DKIM_VERIFIED && !DK_VERIFIED && (L_P0F_WXP || L_P0F_W || L_P0F_UNKN) && BOTNET
  score BOTNET_W 3.0
  score BOTNET 0.1
  meta BOTNET_OTHER !BOTNET_W && BOTNET
  score BOTNET_OTHER 0.5

  Mark
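
Added example (not part of Mark's message, and not amavisd-new or SpamAssassin code): a small Python harness that applies the header and meta rules above to fingerprint strings, so the effect of the negative lookahead can be checked before deploying. The function names, the boolean inputs standing in for BOTNET, DKIM_VERIFIED and DK_VERIFIED, and the fingerprints marked "constructed" are assumptions; the first fingerprint is the truncated value quoted in the thread.

```python
import re

# Header rules copied from the message above: (name, regex, score).
P0F_RULES = [
    ("L_P0F_WXP", r"^Windows XP(?![^(]*\b2000 SP)", 2.3),
    ("L_P0F_W", r"^Windows(?! XP)", 1.4),
    ("L_P0F_UNKN", r"^UNKNOWN", 0.8),
    ("L_P0F_Unix", r"^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64)", -1.0),
    ("L_P0F_Linux", r"^Linux", -0.1),
]
BROAD_WXP = r"^Windows XP"  # the rule the quoted text calls too broad

# Header value as quoted in the thread (truncated there after "link:").
PAGE_FP = "Windows XP SP1+, 2000 SP3, (distance 11, link:"
# Constructed sample values, for illustration only.
SAMPLES = [
    PAGE_FP,
    "Windows XP SP2 (distance 14, link: sample)",
    "Windows 2000 SP4 (distance 8, link: sample)",
    "FreeBSD 6.x (distance 3, link: sample)",
]

def p0f_hits(fingerprint):
    """Return {rule_name: score} for every header rule that matches."""
    return {n: s for n, rx, s in P0F_RULES if re.search(rx, fingerprint)}

def evaluate(fingerprint, botnet=False, dkim_verified=False, dk_verified=False):
    """Apply header rules plus the BOTNET_W / BOTNET_OTHER metas.

    botnet, dkim_verified and dk_verified are hypothetical inputs that
    stand in for the BOTNET, DKIM_VERIFIED and DK_VERIFIED rule results.
    """
    hits = p0f_hits(fingerprint)
    win_or_unknown = any(
        n in hits for n in ("L_P0F_WXP", "L_P0F_W", "L_P0F_UNKN"))
    if botnet:
        hits["BOTNET"] = 0.1
        if not dkim_verified and not dk_verified and win_or_unknown:
            hits["BOTNET_W"] = 3.0
        else:  # meta BOTNET_OTHER: !BOTNET_W && BOTNET
            hits["BOTNET_OTHER"] = 0.5
    return hits, round(sum(hits.values()), 2)

if __name__ == "__main__":
    for fp in SAMPLES:
        broad = bool(re.search(BROAD_WXP, fp))
        print(f"{fp!r}: broad_rule={broad} -> {evaluate(fp, botnet=True)}")
```

With these patterns the ambiguous "Windows XP SP1+, 2000 SP3" value matches neither L_P0F_WXP nor L_P0F_W, so it adds no p0f score and only BOTNET_OTHER can fire for it.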
