On Wed, 17 Mar 2010 17:34:08 -0400
Micah Anderson <mi...@riseup.net> wrote:

> 
> Hi,
> 
> I've been using the Botnet plugin version 0.8 for some time now, and
> the plugin itself has been around since 2003 or so. I'm just curious
> to test the waters and see what others think about the relevance in
> 2010 of this plugin. Does it still contribute in positive ways to
> your setup? I do not see a newer version of the plugin since 2007, is
> there a newer version than 0.8?

What it's trying to do hasn't really changed. There was a report that
IPv6 connections FP though.

IMO much of the functionality in botnet should be brought into the
core so everything integrates better. There are already some
overlapping tests, but they are patchy and incoherent. The most
important thing is to fix the problem of missing rdns either by
infilling or simply a means to tell SA which MX servers don't
support it.
 
> Did you do any configuration of it beyond its defaults? 

Chiefly the default score is a bit too high.

> Does the
> proliferation of individuals on dynamically assigned cable/dsl modems
> cause the plugin to misfire too often?

The whole point of the plugin is to detect such accounts when they are
delivering direct to MX. The FPs tend to be real mail-servers that
have odd dns. In this day and age no-one with a dynamic address should
deliver direct to MX.

 
> I've had a number of complaints somewhat recently about the last
> point, and I don't have much of a solution to the situation where a
> user is stuck with the dynamically assigned IP that previously a
> spammer was occupying, except to explain that is the situation and
> eventually it will change.

This has nothing to do with Botnet, and it shouldn't have much of an
effect - provided they are sending through a smarthost. The blocklists
that contain Botnets only run on the last external address to avoid
that problem.
