Re: RelayChecker (now Botnet ) 0.4

2006-11-29 Thread Jonas Eckerman
Rick Macdougall wrote: Those who like SQL might like the stuff at http://whatever.frukt.org/p0fstats.text.shtml which includes my SpamAssassin plugin. :-) If I'm reading the docs correctly, it would not be of any use to me since spamd runs on its own separate server and p0f only supports

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread Jonas Eckerman
Rob Mangiafico wrote: Spoke too soon on the false positives. Had it hit an ebay and amazon email for a user. Headers below: Thoughts? Some configuration might be in order. Since the plugin is very new you should probably give it some time before considering the default config anywhere

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread John Rudd
Jonas Eckerman wrote: Rob Mangiafico wrote: Spoke too soon on the false positives. Had it hit an ebay and amazon email for a user. Headers below: Thoughts? Some configuration might be in order. Since the plugin is very new you should probably give it some time before considering the

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread Mark Martinec
Loren Wilton wrote: Other than the fact I tend to agree with its conclusions by looking at those hostnames, I suppose it means that the plugin needs some special case exceptions for ebay, paypal, and amazon. Right, too many false positives here as well. Maybe it will need to run after

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread Vincent Li
On Tue, 28 Nov 2006, Mark Martinec wrote: Loren Wilton wrote: Other than the fact I tend to agree with its conclusions by looking at those hostnames, I suppose it means that the plugin needs some special case exceptions for ebay, paypal, and amazon. Right, too many false positives here as

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread Jonas Eckerman
Mark Martinec wrote: Indeed. Also coupling it with p0f (passive operating system fingerprinting) Good idea. Should have thought of that. :-) About p0f see: Those who like SQL might like the stuff at http://whatever.frukt.org/p0fstats.text.shtml which includes my SpamAssassin plugin. :-)

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread Rick Macdougall
Jonas Eckerman wrote: Mark Martinec wrote: Indeed. Also coupling it with p0f (passive operating system fingerprinting) Good idea. Should have thought of that. :-) About p0f see: Those who like SQL might like the stuff at http://whatever.frukt.org/p0fstats.text.shtml which includes my

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread Daryl C. W. O'Shea
Rick Macdougall wrote: Jonas Eckerman wrote: Mark Martinec wrote: Indeed. Also coupling it with p0f (passive operating system fingerprinting) Good idea. Should have thought of that. :-) About p0f see: Those who like SQL might like the stuff at

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread Mark Martinec
Rick, If I'm reading the docs correctly, it would not be of any use to me since spamd runs on its own separate server and p0f only supports local sockets. Correct or is there a way I could use it ? Not so. - p0f and p0f-analyzer.pl need to be running on your MX host, - spamd with a plugin

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread Daryl C. W. O'Shea
Mark Martinec wrote: Daryl C. W. O'Shea, BTW... has anyone ever got the -Q option to have p0f itself listen on a socket to work, instead of using their own wrapper? The core problem is that p0f needs the full TCP session specification in a query: client and server IP address, as well as

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread Mark Martinec
Daryl, Yeah, but I have the session info Lucky you! But the difficulty of providing a p0f plugin for SA remains, SA can only obtain its information by parsing mail header, so there are basically just two options: - let MTA (or amavisd) insert p0f information as a header field, or - let SA

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread Sven Schuster
Hi Mark, hi list, On Tue, Nov 28, 2006 at 08:37:21PM +0100, Mark Martinec told us: Not so. - p0f and p0f-analyzer.pl need to be running on your MX host, - spamd with a plugin (or amavisd-new with its own client code to query p0f-analyzer.pl) can be running on another host. The

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread Rob Mangiafico
On Tue, 28 Nov 2006, John Rudd wrote: Received: from smtp-out-4101.amazon.com (207-171-180-184.amazon.com [207.171.180.184]) by XXX (8.11.6/8.11.6) with ESMTP id kAS2XrV04185 for XXX; Mon, 27 Nov 2006 21:33:53 -0500 This was ugly, but you could put amazon\.com in

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread Stuart Johnston
Sven Schuster wrote: sorry to get more OT here, but may I ask two questions regarding p0f, as we seem to have some knowledgeable people here :-) 1. does anybody know if there are any problems regarding running the mail server with p0f behind a Cisco PIX firewall?? I have two locations (where I just

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread Daryl C. W. O'Shea
Mark Martinec wrote: Daryl, Yeah, but I have the session info Lucky you! But the difficulty of providing a p0f plugin for SA Luck of the Irish Mark! :) remains, SA can only obtain its information by parsing mail header, so there are basically just two options: - let MTA (or amavisd)

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread Mark Martinec
Sven, 1. does anybody know if there are any problems regarding running the mail server with p0f behind a Cisco PIX firewall?? No experience there, but PIX has a long history of badly interfering with ESMTP protocol, so I'm not surprised it also breaks p0f fingerprints. The 'fixup protocol

Re: RelayChecker (now Botnet ) 0.4

2006-11-28 Thread SM
At 11:13 28-11-2006, Daryl C. W. O'Shea wrote: BTW... has anyone ever got the -Q option to have p0f itself listen on a socket to work, instead of using their own wrapper? Yes, it works on a unix socket. Regards, -sm

Re: RelayChecker (now Botnet ) 0.4

2006-11-27 Thread Rob Mangiafico
On Thu, 23 Nov 2006, John Rudd wrote: I've changed RelayChecker's name to Botnet (since that's its real purpose: identify potential botnet submitted messages). Here's the 0.4 release. ... So, let me know what you think. Let me know if you find any bugs, what your hit/miss/fp stats are

Re: RelayChecker (now Botnet ) 0.4

2006-11-27 Thread John Rudd
Rob Mangiafico wrote: On Thu, 23 Nov 2006, John Rudd wrote: I've changed RelayChecker's name to Botnet (since that's its real purpose: identify potential botnet submitted messages). Here's the 0.4 release. ... So, let me know what you think. Let me know if you find any bugs, what your

Re: RelayChecker (now Botnet ) 0.4

2006-11-27 Thread Daryl C. W. O'Shea
John Rudd wrote: Rob Mangiafico wrote: On Thu, 23 Nov 2006, John Rudd wrote: I've changed RelayChecker's name to Botnet (since that's its real purpose: identify potential botnet submitted messages). Here's the 0.4 release. ... So, let me know what you think. Let me know if you find any

Re: RelayChecker (now Botnet ) 0.4

2006-11-27 Thread Rob Mangiafico
On Mon, 27 Nov 2006, Daryl C. W. O'Shea wrote: John Rudd wrote: Rob Mangiafico wrote: On Thu, 23 Nov 2006, John Rudd wrote: I've changed RelayChecker's name to Botnet (since that's its real purpose: identify potential botnet submitted messages). Here's the 0.4 release. ... So, let

Re: RelayChecker (now Botnet ) 0.4

2006-11-27 Thread Rob Mangiafico
On Mon, 27 Nov 2006, Rob Mangiafico wrote: Great, thanks for confirming. Didn't want to score it that high until I knew we'd be avoiding our own users. Been running it for a few hours, got a few 1000 hits so far, sorted by score, and have not found a false positive yet. So far so good! I

Re: RelayChecker (now Botnet ) 0.4

2006-11-27 Thread Marc Perkel
So - what does botnet do and do I want it?

Re: RelayChecker (now Botnet ) 0.4

2006-11-27 Thread Loren Wilton
Thoughts? Other than the fact I tend to agree with its conclusions by looking at those hostnames, I suppose it means that the plugin needs some special case exceptions for ebay, paypal, and amazon. Maybe it will need to run after domainkeys (if that is running) to help verify that the

RelayChecker (now Botnet ) 0.4

2006-11-23 Thread John Rudd
(since I've recently mentioned this plugin on the mailscanner and communigate pro mailing lists, as an effective means of catching spam from botnets, I'm cross-posting this message) I've changed RelayChecker's name to Botnet (since that's its real purpose: identify potential botnet

Re: RelayChecker (now Botnet ) 0.4

2006-11-23 Thread Jonas Eckerman
John Rudd wrote: a) Does anyone think I _should_ switch to Net::DNS for the botnet_baddns function? Or is the gethostbyname() call good enough? If they provide what you need, I think using the permsgstats object's lookup methods would be the right thing. I also think you should check

Re: RelayChecker (now Botnet ) 0.4

2006-11-23 Thread Jonas Eckerman
Mail::SpamAssassin::Plugin:: John Rudd wrote: I hope no one has any new feature suggestions... Not a feature suggestion, but a thought about a small change. Is there any specific reason why you have not put the module in Mail::SpamAssassin::Plugin::? To me it seems more logical to name it

Re: RelayChecker (now Botnet ) 0.4

2006-11-23 Thread Justin Mason
They're not very well documented, unfortunately :( But it would be a good idea. in particular, Mail::SpamAssassin::DnsResolver is much more efficient in terms of resource usage than Net::DNS is. For what it's worth, SpamAssassin 3.2.0 has a generalized asynchronous-rule system in