On 06.01.2011 15:13 CE(S)T, Mark Martinec wrote:
Nevertheless, out of necessity, here is a quick hack to prevent
Botnet FPs on IPv6 connections (that came with a bunch of
emitted warnings that accompanied each such mail message).
Thank you very much for your IPv6 patch. I've seen the problem
On 06.01.2011 15:13 CE(S)T, Mark Martinec wrote:
--- Botnet.pm.ori 2007-08-06 03:53:55.0 +0200
+++ Botnet.pm 2011-01-06 14:56:12.009017547 +0100
@@ -703,4 +703,6 @@
my ($resolver, $query, $rr, $i, @a);
+ return 1 if defined $ip $ip =~ /:/; # does not handle IPv6
+
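Review bot: the added line `return 1 if defined $ip $ip =~ /:/;` is missing the conjunction between its two conditions and is a Perl syntax error as quoted; it should read `return 1 if defined $ip && $ip =~ /:/;` (or `and`), and if the `&&` was lost in the mail the hunk is worth re-posting so it applies cleanly. Since the stated goal is to stop Botnet FPs on IPv6 connections, the early `return 1` is presumably the "clean" result for any address containing a colon; the comment `# does not handle IPv6` would be clearer if it said that such connections are deliberately treated as non-botnet rather than checked, so a later maintainer does not read it as a TODO.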
On ons 05 jan 2011 22:52:41 CET, Michael Monnerie wrote
I received this info from a customer, whose order confirmation from the
londontheatredirect.com got marked as spam because of BOTNET* rules. Are
those rules too old, or is that server in a botnet? How to find out?
Or which rules scores
On ons 05 jan 2011 23:10:41 CET, Lawrence @ Rogers wrote
I would remove the p0f and botnet rules if I were you. That would
solve your problem.
it will not solve it for others unless reverse dns is solved as well
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
On 6.1.2011 0:10, Lawrence @ Rogers wrote:
I would remove the p0f and botnet rules if I were you. That would solve
your problem.
I find BOTNET an excellent addition to my SA.
TOP SPAM RULES FIRED
--
RANK RULE NAME
On Thu, Jan 06, 2011 at 02:46:30PM +0200, Jari Fredriksson wrote:
On 6.1.2011 0:10, Lawrence @ Rogers wrote:
I would remove the p0f and botnet rules if I were you. That would solve
your problem.
I find BOTNET an excellent addition to my SA.
Of course it is, most spam is from
On 6.1.2011 15:42, Henrik K wrote:
On Thu, Jan 06, 2011 at 02:46:30PM +0200, Jari Fredriksson wrote:
On 6.1.2011 0:10, Lawrence @ Rogers wrote:
I would remove the p0f and botnet rules if I were you. That would solve
your problem.
I find BOTNET an excellent addition to my SA.
Of course
On 1/5/2011 5:11 PM, Mark Martinec wrote:
Btw, the BOTNET plugin also produces a FP hit for any IPv6 connection,
regardless of its rDNS. If someone is interested in a quick hack
patch, I can post it.
Mark, please do post the patch. It's good to see that someone is
supporting this
Dear list,
I received this info from a customer, whose order confirmation from the
londontheatredirect.com got marked as spam because of BOTNET* rules. Are
those rules too old, or is that server in a botnet? How to find out?
Or which rule scores should I tune to optimize?
--
On 1/5/11 4:52 PM, Michael Monnerie wrote:
server88-208-245-26.live-servers.net
botnet is NOT a stock SA rule
plus, look at the silly DYNAMIC RULE LOOKING rdns.
fix rdns.
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
| SECNAP Network Security Corporation
On 05/01/2011 6:22 PM, Michael Monnerie wrote:
Dear list,
I received this info from a customer, whose order confirmation from the
londontheatredirect.com got marked as spam because of BOTNET* rules. Are
those rules too old, or is that server in a botnet? How to find out?
Or which rules scores
On Wed, 05 Jan 2011 18:40:41 -0330
Lawrence @ Rogers lawrencewilli...@nl.rogers.com wrote:
I would suspect that you are using non-standard rules. What's most
concerning is the old p0f rules that are looking for Windows XP. That
is dangerous and a bad thing to use as a rule (the OS of the
On 05/01/2011 8:38 PM, RW wrote:
Aside from BOTNET_WIN the p0f rules are low-scoring and add up to zero.
Since BOTNETS are 100% Windows it doesn't seem unreasonable to use p0f
in a metarule. However, you might want to look into this inconsistency:
You are right about the overlapping and one
Combining p0f with BOTNET is intended to *reduce* the high number
of false positives that BOTNET alone produces, *at least* for the
non-windows machines. The windows hosts are left alone and are
not protected by p0f from BOTNET FP.
If someone is scoring p0f in combination with BOTNET differently,
On 1/5/2011 5:11 PM, Mark Martinec wrote:
Combining p0f with BOTNET is intended to *reduce* the high number
of false positives that BOTNET alone produces, *at least* for the
non-windows machines. The windows hosts are left alone and are
not protected by p0f from BOTNET FP.
If someone is scoring