Matthias Haegele wrote:
Jari Fredriksson wrote:
Matt wrote:

I have added Botnet to my SpamAssassin install. It seems to have
helped quite a bit so far. I am just wondering about the 5 points it
gives for a hit. Is that too much? Does it have a lot of false
positives or not?
Matt

I have yet to see a hit, none so far in production (Botnet has been on for
5 days now).

Perhaps you use greylisting or similar solutions already, or messages
get blocked by blacklists at the MTA level?

In my experience, there are 3 things that have a really heavy overlap in
effectiveness:

1) aggressive greet-pause/greeting-delay (say, 25+ seconds)
2) greylisting
3) Botnet

Each one will leak a little bit that the others can catch, but generally
speaking, if you're doing one, you won't see much benefit with the
others. Since they happen in the above order, that means that the
aggressive greet-pause will keep you from seeing as much benefit with
the others. The advantage of lessening your reliance on the lower
numbered techniques is: less severe impact from false-positives (a
false-positive from greet-pause, on a host that refuses to wait out your
delay duration, is effectively blacklisted from ever talking to you, for
example; but a host that triggers Botnet, even if you have a score of 5,
is just going to get put into your spam folder or quarantine -- nowhere
near as bad).

Then you add to that that since I last really analyzed this,
pbl.spamhaus.org came into existence. That also seems to have some
overlap with the purpose of Botnet. I'm not sure exactly how to add it
to the above list, except that it comes before #3.

So, if you're doing zen.spamhaus.org or pbl.spamhaus.org as a block
list, some amount of greet-pause, AND greylisting ... then Botnet may
only trigger on a few messages.