Re: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)
On Thu, Jan 15, 2009 at 09:06, Mark Martinec wrote: > Jonas, > >> I just found one reason for FPs in the Botnet plugin. It doesn't >> make a difference between timeouts (and other DNS errors) and >> negative answers. So if your DNS server/proxy is overloaded (or >> slow for some other reason), you'll get FPs >> >> Since 15 minutes ago, I'm running a slightly modified version of >> the plugin that tries to avoid this. > > Not to forget the long-standing DNS problem with Botnet: > > http://marc.info/?l=spamassassin-users&m=118641079630268 > http://marc.info/?l=spamassassin-users&m=120783518919154 > >> In a while I'll send a patch to the author. > > That is noble, but apparently it doesn't have any effect. Yes, clearly the fact that I didn't get around to fixing something means that I never accept fixes/suggestions/etc. from external sources. Botnet has never incorporated any such external submission. Ever. Hopefully you're smart enough to detect sarcasm.
Re: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)
On Thu, January 15, 2009 18:06, Mark Martinec wrote: > Not to forget the long-standing DNS problem with Botnet: > http://marc.info/?l=spamassassin-users&m=118641079630268 > http://marc.info/?l=spamassassin-users&m=120783518919154 i have changed to use BadRelay from http://sa.hege.li/BadRelay.pm http://sa.hege.li/BadRelay.cf Thanks goes to Henrik for make this update >> In a while I'll send a patch to the author. > That is noble, but apparently it doesn't have any effect. we can just hope -- Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)
Jonas, > I just found one reason for FPs in the Botnet plugin. It doesn't > make a difference between timeouts (and other DNS errors) and > negative answers. So if your DNS server/proxy is overloaded (or > slow for some other reason), you'll get FPs > > Since 15 minutes ago, I'm running a slightly modified version of > the plugin that tries to avoid this. Not to forget the long-standing DNS problem with Botnet: http://marc.info/?l=spamassassin-users&m=118641079630268 http://marc.info/?l=spamassassin-users&m=120783518919154 > In a while I'll send a patch to the author. That is noble, but apparently it doesn't have any effect. Mark
RE: Temporary 'Replacements' for SaneSecurity
At 01:36 15-01-2009, Rasmus Haslund wrote: implement it with the SA engine running in Icewarp Merak. Anyway we do have alot of problems with FP when we try out new things and I just have to say some things just does not work good on a large scale where you have to deal with all kinds og languages from all over the world. Antispam tools rarely works well on a large scale. SpamAssassin has not be tested with all the different languages. You have to do your own testing and make adjustments. We do business with tons of companies that are using some cheap/free mailserver on their dsl line and then thats it - these are listed in PBL and god knows where... but if we dont get their email trough it will mean large amounts of lost revenue. I constantly have to be over the system looking to see what new trends arise. Thankfully our system in There are a few people that do that as they understand that filtering requires continuous management. SpamAssassin can be quite effective even if you are communicating with companies running mail servers on their DSL line. It is commonly said around here that SpamAssassin does not block spam. The score it generates can be used to categorize the emails you receive. From there, you can block the really bad and flag what falls in between for review. One of the advantages of SpamAssassin is that it won't flag an email as spam on the basis of a PBL listing only. blocked though no explanation from them) and 2nd some customers mailserver and im not sure how they fixed it since they dont speak any language i can understand or speak so our sales rep. for them translated a bunch of stuff from me and now it seems ok. That's one of the problems when you communicate globally. If you are seeing a lot of false positives, post some samples on a web site together with the rules that were hit. Regards, -sm
RE: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)
> > I just found one reason for FPs in the Botnet plugin. It > doesn't make a difference between timeouts (and other DNS > errors) and negative answers. So if your DNS server/proxy is > overloaded (or slow for some other reason), you'll get FPs > > Since 15 minutes ago, I'm running a slightly modified version > of the plugin that tries to avoid this. In a while I'll send > a patch to the author. > > Apart from this the plugin seems to work fine here with a > score of +2 (with an extra +1 if p0f says it's a Windows system). > > Regards > /Jonas > > -- > Jonas Eckerman, FSDB & Fruktträdet Jonas, please send the patch to the list too whether or not the author does anything with it is his business, and then eventually ours. :-) it will benefit a lot of people that will choose to use your idea or patch regardless. thanks! - rh
Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)
Daniel J McDonald wrote: I too found botnet to be a great source of FP. By combining it with p0f it's moderately useful. I just found one reason for FPs in the Botnet plugin. It doesn't make a difference between timeouts (and other DNS errors) and negative answers. So if your DNS server/proxy is overloaded (or slow for some other reason), you'll get FPs Since 15 minutes ago, I'm running a slightly modified version of the plugin that tries to avoid this. In a while I'll send a patch to the author. Apart from this the plugin seems to work fine here with a score of +2 (with an extra +1 if p0f says it's a Windows system). Regards /Jonas -- Jonas Eckerman, FSDB & Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
Re: Temporary 'Replacements' for SaneSecurity
On 1/15/2009 1:36 AM, Rasmus Haslund wrote: SM wrote: "Botnet Plugin" sounds like a plugin that detect botnets ... If Rasmus is finding that many false ositives, then he's using the wrong tools. Well I am not using the botnet plugin because i am not sure how to implement it with the SA engine running in Icewarp Merak. Anyway we do have alot of problems with FP when we try out new things and I just have to say some things just does not work good on a large scale where you have to deal with all kinds og languages from all over the world. OK, so thanks to Rob you all know what I concluded about the botnet plugin. It didn't work for us because of the very reasons Rasmus cites (too many hits on legitimate mail). However, implementing it in Merak vs any other mail server isn't the issue. You just drop the plugin .pm file and the rules .cf file into your local configuration folder and restart it. No big deal to implement. If you choose to implement it, considering my own experience, I'd score it low and monitor what it hits on for a while, creating the exceptions (whitelist entries) you need before increasing the score. It's a bit of work to make sure it won't filter out a bunch of stuff you really need. Botnet will hit stuff that other rules won't, so it has real advantages. You just have to take the time to make sure you won't be losing stuff first. Bret
RE: Temporary 'Replacements' for SaneSecurity
SM wrote: > "Botnet Plugin" sounds like a plugin that detect botnets ... If > Rasmus is finding that many false positives, then he's using the wrong > tools. Well I am not using the botnet plugin because i am not sure how to implement it with the SA engine running in Icewarp Merak. Anyway we do have alot of problems with FP when we try out new things and I just have to say some things just does not work good on a large scale where you have to deal with all kinds og languages from all over the world. We do business with tons of companies that are using some cheap/free mailserver on their dsl line and then thats it - these are listed in PBL and god knows where... but if we dont get their email trough it will mean large amounts of lost revenue. I constantly have to be over the system looking to see what new trends arise. Thankfully our system in general seems to have a good reputation when delievering emails - so far I have only 2 times seens examples where we got rejected - one time on mail.ru (we are now on their internal whitelist - dont know why we got blocked though no explanation from them) and 2nd some customers mailserver and im not sure how they fixed it since they dont speak any language i can understand or speak so our sales rep. for them translated a bunch of stuff from me and now it seems ok. Well I guess the main problem here is I cant educate the entire world or just the companies we do business with due to lack of resources but also due to the language barriers. Another example could be Commtouch which we have a subscription for at the moment. We do see wierd FP from them from time to time (talking about just a normal single email from person to person) and my point is just they do have a lot more resources dedicated to this issue that our company does. Any questions etc. I will be happy to try and answer them. Best regards Rasmus Haslund
Re: Temporary 'Replacements' for SaneSecurity
At 12:44 14-01-2009, Rob McEwen wrote: No. This is just due to the fact that, unfortunately, some mail servers and IPs (which send desired and solicited messages) are somewhat incorrectly configured. It turns out that a distributor receiving legitimate business e-mail from vendors & customers in such places as Africa, South America, Asia... all over the place... is going to see a disproportionately larger amount of messages sent from IPs which either: Choosing a tool requires an understanding of what the tool can do and the task to be performed with it. We don't have to go as far as South America to to find incorrectly configured mail servers. There's currently a user on this list running one that send bounces to the wrong address. This has nothing to do with Rasmus's tools.. other than the fact that (I surmise) he is probably now forced, given that situation, back off of his scoring of DNSBls and rely more on content filtering in comparison to those whose e-mail is mostly US/Europe-based. If there is nothing wrong with Rasmus' tools, then the Botnet plugin should work for him. Now, if you are saying that the Botnet plugin should only used for those who of you who only receive mail from the US or Europe, I'll point out that it also causes false positive for that kind of mail traffic. As you mentioned above, the problem is not really with Botnet plugin if we understand that it does not detect botnets. Regards, -sm
Re: Temporary 'Replacements' for SaneSecurity
Rob McEwen a écrit : > SM wrote: >> "Botnet Plugin" sounds like a plugin that detect botnets ... If >> Rasmus is finding that many false positives, then he's using the wrong >> tools. > > No. This is just due to the fact that, unfortunately, some mail servers > and IPs (which send desired and solicited messages) are somewhat > incorrectly configured. Even with the "somewhat" qualifier, I wouldn't say "incorrectly". There is nothing incorrect in vms173003pub.verizon.net. it's an unfortunate choice in these botnet days, but it's as correct as it could be. > It turns out that a distributor receiving > legitimate business e-mail from vendors & customers in such places as > Africa, South America, Asia... all over the place... is going to see a > disproportionately larger amount of messages sent from IPs which either: > > (a) would not do so well with BotNet's analysis > ...OR... > (b) which are mixed sources of ham/spam... but simply don't have a high > enough volume of "ham" to stay off all the blacklists... particularly > some blacklists. > > This has nothing to do with Rasmus's tools.. other than the fact that (I > surmise) he is probably now forced, given that situation, back off of > his scoring of DNSBls and rely more on content filtering in comparison > to those whose e-mail is mostly US/Europe-based. >
Re: Temporary 'Replacements' for SaneSecurity
On Wed, Jan 14, 2009 at 13:06, Dave Pooser wrote: >> None of my friends are on >> services that are that poorly configured > > No friends on Verizon? Their @#$% mail servers are 70% of my FPs. Heh. Guess not :-)
Re: Temporary 'Replacements' for SaneSecurity
> None of my friends are on > services that are that poorly configured No friends on Verizon? Their @#$% mail servers are 70% of my FPs. -- Dave Pooser Cat-Herder-in-Chief, Pooserville.com "...Life is not a journey to the grave with the intention of arriving safely in one pretty and well-preserved piece, but to slide across the finish line broadside, thoroughly used up, worn out, leaking oil, and shouting GERONIMO!!!" -- Bill McKenna
Re: Temporary 'Replacements' for SaneSecurity
SM wrote: > "Botnet Plugin" sounds like a plugin that detect botnets ... If > Rasmus is finding that many false positives, then he's using the wrong > tools. No. This is just due to the fact that, unfortunately, some mail servers and IPs (which send desired and solicited messages) are somewhat incorrectly configured. It turns out that a distributor receiving legitimate business e-mail from vendors & customers in such places as Africa, South America, Asia... all over the place... is going to see a disproportionately larger amount of messages sent from IPs which either: (a) would not do so well with BotNet's analysis ...OR... (b) which are mixed sources of ham/spam... but simply don't have a high enough volume of "ham" to stay off all the blacklists... particularly some blacklists. This has nothing to do with Rasmus's tools.. other than the fact that (I surmise) he is probably now forced, given that situation, back off of his scoring of DNSBls and rely more on content filtering in comparison to those whose e-mail is mostly US/Europe-based. -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
Re: Temporary 'Replacements' for SaneSecurity
At 06:59 14-01-2009, Rob McEwen wrote: Because Rasmus manages a mail server where B2B mail is routinely sent/received _globally_, Rasmus is the king of finding FPs. I could be wrong, but judging from previous reports about the Botnet Plugin, I predict that Rasmus will either (a) find the Botnet Plugin utterly unusable due to FPs, or (b) only be able to score it by a point or two due to excessive FPs. (Rasmus--by all means--please don't take my word for it--try it out and then let us know what happened!) "Botnet Plugin" sounds like a plugin that detect botnets ... If Rasmus is finding that many false positives, then he's using the wrong tools. At 08:37 14-01-2009, Matt Garretson wrote: Is there any way that a more distributed method of delivering updates could be more resistant to DDOS attacks? E.g. trackerless bittorrents (DHT), or something along those lines? Isn't that technology certified for illegal content only? :-) Sanesecurity could have been better protected against DDOS attacks. They are a ripe target. Regards, -sm
Re: Temporary 'Replacements' for SaneSecurity
> -- Forwarded message -- > From: "Bret Miller" > To: "John Rudd" > Date: Tue, 21 Aug 2007 13:08:06 -0700 > Subject: RE: BOTNET Exceptions for Today >> Bret Miller wrote: > Maybe these aren't false positives because botnet is identifying them for > what they are-- badly configured. But to give a rule like botnet a default > score that's high enough to consider the messages spam all on its own causes > users to think we have a bad spam filtering program. > > When I see on the list that many people run botnet with ZERO false > positives, I have to ask myself, "how? And why is our setup here so > different?" Perhaps they already block email with invalid rdns at the MTA > level, so none of this ever gets looked at. Perhaps their users just give up > when they don't get email that they expect and use a free email account > instead for that email. I don't know, but botnet hits a significant amount > of legitimate email here, regardless of how badly configured the sending > servers are. > > I just don't have the option of telling our president's assistant that "we > can't accept email from your husband because the IT department at the City > of Pasadena won't fix their DNS issues for their email server." That's just > not acceptable in a corporate environment, even if she had a clue what the > statement meant besides that I was refusing to do what she wants. The > majority of these badly configured servers won't ever get fixed unless > someone that matters to them stands up and tells them they need to fix it. I > do that when I can, but most of the time I just don't matter enough to get > it done. That's why you can exempt some senders. You don't have to force the City of Pasadena to fix their mail servers. You can simply find out what their mail servers are, through various means, and give them some form of exemption/whitelisting. I did that for our chancellors wife, for example :-) I've also done it for a few of our vendors where it couldn't be fixed (the funniest example being where the marketing guy had been complaining to IT about it long before I even wrote Botnet, and the IT guys just refused to fix it... funny because the marketing guy was more cluful about best practices than the person whose job it was to actually pay attention to those best practices). That's at work. We get vanishingly few FP's at work (millions of messages per week, less than 100 tickets about it in 3-4 years (I think less than 30 tickets about it)). At home, I'm just a bastard about it. None of my friends are on services that are that poorly configured (so no need to whitelist anyone that I _would_ given a whitelist entry to). I'm not interested in anyone else's half baked excuses about why they haven't fixed it before, nor why they wont fix it in the future, so that group wouldn't get a whitelist entry even if they asked for it.
Re: Temporary 'Replacements' for SaneSecurity
On Wed, 14 Jan 2009 09:23:51 -0500, John Rudd wrote: How's it working for you, so far? On Wed, Jan 14, 2009 at 06:12, Paul Griffith wrote: On Tue, 13 Jan 2009 05:28:42 -0500, si wrote: Guys, I'm sure you're as sad as I am re- temporary suspension of the brilliant services offered by Steve Basford and is helpers at Sane Security. In a sick kind of way, the 'bad guys' are acknowledging the work these guys have done by DOSing them, but that doesn't help much with the daily grind. I appreciate that great progress is being mad re- getting the service back online again, but in the mean time was wondering ... has anyone found anything as effective as a temporary replacement or enhancement? Thanks Mup. After a loud outcry from our users from the increasing level of spam in their inboxes, I installed the Botnet Plugin. Thanks Paul I have seen one FP, but the spam level has gone down. We have been running the Botnet plugin for less than 24 hours. Thanks Paul BTW: I eagerly await the return of Sane Security.
Re: Temporary 'Replacements' for SaneSecurity
On Wed, January 14, 2009 17:33, John Hardin wrote: > Is there any other distributed content distribution system they > could use for free this way? bittorrent ? (micro$oft have problem delivering windows 7 betas from there network, opensource problems ?) :=) -- Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: Temporary 'Replacements' for SaneSecurity
Is there any way that a more distributed method of delivering updates could be more resistant to DDOS attacks? E.g. trackerless bittorrents (DHT), or something along those lines? Just wondering in general
Re: Temporary 'Replacements' for SaneSecurity
On Wed, 14 Jan 2009, Rob McEwen wrote: QUESTIONS: Is SaneSecurity still collecting data and generating the rulesets? (but just not able to distribute them) I was wondering that myself, and was also wondering whether there was a way to leverage the Coral cache system to avoid DDoS - for example, publish a coralified URI to retrieve the rulesets, and put a firewall rule on the core SaneSecurity webserver hosting the rulesets that only passes traffic from the Coral servers. Is there any other distributed content distribution system they could use for free this way? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- An operating system design that requires a system reboot in order to install a document viewing utility does not earn my respect. --- 3 days until Benjamin Franklin's 303rd Birthday
Re: Temporary 'Replacements' for SaneSecurity
si-12 wrote: > > I appreciate that great progress is being mad re- getting the service back > online again, but in the mean time was wondering ... has anyone found > anything as effective as a temporary replacement or enhancement? One rsync server is already up and running and is currently being tested, with another being added soon, to test round-robin-dns setup.. just need a little more time :) As for ClamAV's freshclam... there were (from what I can remember) plans to have Third-Party signatures, updated via freshclam and using their official distribution mirrors. Obviously, this would take time to setup.. and may have issues for how Third-Party signatures are generated. So, in the mean time... a few round-robin rsync mirrors, IPTable blocks on IP who have download too much.. is the way it's looking short-term. For those that haven't already... hop over to sanesecurity.co.uk and sign up to the list... Cheers and thanks for all the positive comments, Steve Sanesecurity -- View this message in context: http://www.nabble.com/Temporary-%27Replacements%27-for-SaneSecurity-tp21444618p21459579.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Temporary 'Replacements' for SaneSecurity
Rob McEwen wrote: > And I thing it is > probably better used as a scoring list instead of a blocking list. > oops. I meant "probably better scored below threshold", since, of course, BotNet isn't a "list". -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
Re: Temporary 'Replacements' for SaneSecurity
John Rudd wrote: > Botnet isn't a DNSBL... > I never said it was a DNSBL. But it definitely has a particular focus on the sending IP, and that sending IP's rDNS. Therefore, for all practical purposes, it is trying to do the job of a DNSBL. As I recall, the discussion about BotNet's development centered around blocking spam based on the sending IP... where that IP didn't have time to get into the DNSBLs. You might argue that a DNSBL could never replace the BotNet Plugin because the BotNet Plugin will always catch at least some spam that hasn't had time to get into a DNSBL. Fair argument--except that this argument is greatly diminished if/when there are high-quality/low-FP DNSBLs which are fast reacting/updating/distributing. Especially since DNSBLs "scale" much better than the BotNet Plugin... and especially if/when such DNSBLS have lower FPs than the BotNet Plugin. I did a quick cursory search of discussions about BotNet Plugin FPs. See attached for an example post I quickly grabbed after searching just a few seconds. NOTE: I'm NOT saying that the BotNet Plugin is bad or shouldn't be used. I just don't see it as a SaneSecurity replacement. And I thing it is probably better used as a scoring list instead of a blocking list. -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032 --- Begin Message --- > Bret Miller wrote: > > > Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP > > 204.92.135.90, resolves to smtp22.enews.webbuyersguide.com > #not sure why > > this got a BOTNET=1 flag, but it did. Also find hosts 92, > 75, 70, 74, 93, > > 86, and others. All similarly resolve to > smtpnn.enews.webbuyersguide.com. > > baddns. baddns means lack of full circle DNS. In this case, > the name > returned by the PTR record (smtp22.enews.webbuyersguide.com) does not > resolve at all ... let alone not resolving back to the > sending IP address. > > > > meridiencancun.com.mx, sent from IP , resolves to > > customer-148-233-9-212.uninet-ide.com.mx #more stupidity > > > > Wordreference.com (WordReference Forums), sent from IP 75.126.51.99, > > resolves to www2mail.wordreference.com, again no idea why > it gets flagged. > > # nslookup www2mail.wordreference.com > > Non-authoritative answer: > Name: www2mail.wordreference.com > Address: 75.126.29.11 > > baddns. > > > > AltoEdge Hardware, sent from IP 69.94.122.246, resolves to > > server.nch.com.au, another no idea why BOTNET=1, but it > does. Just out of > > curiosity, I ran this through again with debug enabled so I > could get more > > details. Here's what it says: > > > > [2472] dbg: Botnet: starting > > [2472] dbg: Botnet: no trusted relays > > [2472] dbg: Botnet: get_relay didn't find RDNS > > [2472] dbg: Botnet: IP is '69.94.122.246' > > [2472] dbg: Botnet: RDNS is 'server.nch.com.au' > > [2472] dbg: Botnet: HELO is 'server.nch.com.au' > > [2472] dbg: Botnet: sender 'adm...@server.nch.com.au' > > [2472] dbg: Botnet: hit (baddns) > > [2472] dbg: rules: ran eval rule BOTNET ==> got hit (1) > > > > I'm not sure what it means. The IP resolves to > server.nch.com.au and it > > resolves to the IP. Not sure what is "bad" about dns here. > I'm also not sure > > what headers botnet looks at. The top Received header is > ours and the others > > are all internal to the sender. > > # nslookup server.nch.com.au > > Non-authoritative answer: > Name: server.nch.com.au > Address: 69.94.122.247 > > So, server.nch.com.au's name does not resolve back to the sending IP > address, thus baddns. OK... I guess I didn't check closely enough. But the point is still that users expect these emails and complain if they don't receive them. Today's list were mostly just top offenders, and it's going to take me time to make exceptions for all the servers we receive email from that are badly configured dns-wise. Maybe these aren't false positives because botnet is identifying them for what they are-- badly configured. But to give a rule like botnet a default score that's high enough to consider the messages spam all on its own causes users to think we have a bad spam filtering program. When I see on the list that many people run botnet with ZERO false positives, I have to ask myself, "how? And why is our setup here so different?" Perhaps they already block email with invalid rdns at the MTA level, so none of this ever gets looked at. Perhaps their users just give up when they don't get email that they expect and use a free email account instead for that email. I don't know, but botnet hits a significant amount of legitimate email here, regardless of how badly configured the sending servers are. I just don't have the option of telling our president's assistant that "we can't accept email from your husband because the IT department at the City of Pasadena won't fix their DNS issues for their email server." That's just not acceptable in a corporate environment, even if she had a clue what the statement m
Re: Temporary 'Replacements' for SaneSecurity
On Wed, 2009-01-14 at 09:59 -0500, Rob McEwen wrote: > Rasmus Haslund wrote: > >> After a loud outcry from our users from the increasing level of spam in > >> their inboxes, I installed the Botnet >Plugin. > >> > > Is this something that can be used with the SA in Icewarp Merak? > > > > Because Rasmus manages a mail server where B2B mail is routinely > sent/received _globally_, Rasmus is the king of finding FPs. I could be > wrong, but judging from previous reports about the Botnet Plugin, I > predict that Rasmus will either (a) find the Botnet Plugin utterly > unusable due to FPs, or (b) only be able to score it by a point or two > due to excessive FPs. (Rasmus--by all means--please don't take my word > for it--try it out and then let us know what happened!) I too found botnet to be a great source of FP. By combining it with p0f it's moderately useful. But sanesecurity would be more useful... a pity we can't replicate the incremental updates that the official clamav project uses. I seem to recall that they had problems scaling until they went to that process. -- Dan McDonald, CCIE #2495, CISSP# 78281, CNX www.austinenergy.com
Re: Temporary 'Replacements' for SaneSecurity
On Wed, Jan 14, 2009 at 06:59, Rob McEwen wrote: > Regarding using the Botnet Plugin as a replacement for SaneSecurity... I > found that the _best_ part about SaneSecurity was its assistance with > catching spam that could NOT ever be caught using _any_ kind of DNSBL. Botnet isn't a DNSBL...
Re: Temporary 'Replacements' for SaneSecurity
Rasmus Haslund wrote: >> After a loud outcry from our users from the increasing level of spam in >> their inboxes, I installed the Botnet >Plugin. >> > Is this something that can be used with the SA in Icewarp Merak? > Because Rasmus manages a mail server where B2B mail is routinely sent/received _globally_, Rasmus is the king of finding FPs. I could be wrong, but judging from previous reports about the Botnet Plugin, I predict that Rasmus will either (a) find the Botnet Plugin utterly unusable due to FPs, or (b) only be able to score it by a point or two due to excessive FPs. (Rasmus--by all means--please don't take my word for it--try it out and then let us know what happened!) Regarding using the Botnet Plugin as a replacement for SaneSecurity... I found that the _best_ part about SaneSecurity was its assistance with catching spam that could NOT ever be caught using _any_ kind of DNSBL. For example, "419" scam spams sent from the large freemail providers where the message cannot possibly be blocked because of being sent from an IP that send large amounts of legit mail and because there is simply no domain in the body of the message for surbl/uribl/ivmURI to grab onto. THAT was the best part about SaneSecurity, imo. Therefore, if someone is missing SaneSecurity, I'd suggest first making sure they have Sought Rules installed and frequently updating--if not already running. QUESTIONS: Is SaneSecurity still collecting data and generating the rulesets? (but just not able to distribute them) Is there any end in sight for the DDOS? Has anyone tried to mitigate their DDOS? (There is a super-secret list out there consisting of professionals who work for all the largest ISPs and security vendors. They have ways to help mitigate these things. They look for IPs conducting the DDOS, on each of their own networks, and they simply shut those IPs down at the access point.) -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
Re: Temporary 'Replacements' for SaneSecurity
We're already using the BotNet plugin, and it really helps. One or two FPs from time-to-time, but nothing we can't live with. We turned score done in steps to 3.0, in stages, and that seems to be just about right. FYI - also use DCC, Razor, a relatively well trained bayes database and 'standard' blacklists. We front-end SA with smf-zombie and smf-greylist milters, and that actually catches most crud before it gets anywhere near SA. Finally, we wrap everything up with MimeDefang, which deals with all the stuff SA, Clam, and the milters can't cope with. We're still in pretty good shape, but we certainly notice that the Sane Security stuff isn't there any more. Mup. --- On Wed, 14/1/09, John Rudd wrote: From: John Rudd Subject: Re: Temporary 'Replacements' for SaneSecurity To: "Paul Griffith" Cc: g_b...@yahoo.co.uk, users@spamassassin.apache.org Date: Wednesday, 14 January, 2009, 2:23 PM How's it working for you, so far? On Wed, Jan 14, 2009 at 06:12, Paul Griffith wrote: > On Tue, 13 Jan 2009 05:28:42 -0500, si wrote: > >> Guys, >> >> I'm sure you're as sad as I am re- temporary suspension of the brilliant >> services offered by Steve Basford and is helpers at Sane Security. In a sick >> kind of way, the 'bad guys' are acknowledging the work these guys have done >> by DOSing them, but that doesn't help much with the daily grind. >> >> I appreciate that great progress is being mad re- getting the service back >> online again, but in the mean time was wondering ... has anyone found >> anything as effective as a temporary replacement or enhancement? >> >> Thanks >> >> Mup. >> > > After a loud outcry from our users from the increasing level of spam in > their inboxes, I installed the Botnet Plugin. > > Thanks > Paul >
Re: Temporary 'Replacements' for SaneSecurity
How's it working for you, so far? On Wed, Jan 14, 2009 at 06:12, Paul Griffith wrote: > On Tue, 13 Jan 2009 05:28:42 -0500, si wrote: > >> Guys, >> >> I'm sure you're as sad as I am re- temporary suspension of the brilliant >> services offered by Steve Basford and is helpers at Sane Security. In a sick >> kind of way, the 'bad guys' are acknowledging the work these guys have done >> by DOSing them, but that doesn't help much with the daily grind. >> >> I appreciate that great progress is being mad re- getting the service back >> online again, but in the mean time was wondering ... has anyone found >> anything as effective as a temporary replacement or enhancement? >> >> Thanks >> >> Mup. >> > > After a loud outcry from our users from the increasing level of spam in > their inboxes, I installed the Botnet Plugin. > > Thanks > Paul >
RE: Temporary 'Replacements' for SaneSecurity
>After a loud outcry from our users from the increasing level of spam in their inboxes, I installed the Botnet >Plugin. Is this something that can be used with the SA in Icewarp Merak? NOWACO A/S Rasmus Haslund
Re: Temporary 'Replacements' for SaneSecurity
On Tue, 13 Jan 2009 05:28:42 -0500, si wrote: Guys, I'm sure you're as sad as I am re- temporary suspension of the brilliant services offered by Steve Basford and is helpers at Sane Security. In a sick kind of way, the 'bad guys' are acknowledging the work these guys have done by DOSing them, but that doesn't help much with the daily grind. I appreciate that great progress is being mad re- getting the service back online again, but in the mean time was wondering ... has anyone found anything as effective as a temporary replacement or enhancement? Thanks Mup. After a loud outcry from our users from the increasing level of spam in their inboxes, I installed the Botnet Plugin. Thanks Paul
Temporary 'Replacements' for SaneSecurity
Guys, I'm sure you're as sad as I am re- temporary suspension of the brilliant services offered by Steve Basford and is helpers at Sane Security. In a sick kind of way, the 'bad guys' are acknowledging the work these guys have done by DOSing them, but that doesn't help much with the daily grind. I appreciate that great progress is being mad re- getting the service back online again, but in the mean time was wondering ... has anyone found anything as effective as a temporary replacement or enhancement? Thanks Mup.