On Wed, 05 Jan 2011 18:40:41 -0330 "Lawrence @ Rogers" <lawrencewilli...@nl.rogers.com> wrote:
> I would suspect that you are using non-standard rules. What's most
> concerning is the old p0f rules that are looking for Windows XP. That
> is dangerous and a bad thing to use as a rule (the OS of the sender).

Aside from BOTNET_WIN the p0f rules are low-scoring and add up to zero. Since BOTNETS are 100% Windows it doesn't seem unreasonable to use p0f in a metarule. However, you might want to look into this inconsistency:

 0.5 L_P0F_W    Relayed through Windows OS except Windows XP
 1.6 BOTNET_WIN Mail from Windows XP which seems to be in a Botnet

> I would remove the p0f and botnet rules if I were you. That would
> solve your problem.

The BOTNET rules added up to 4.1 points, which is a bit high IMO. Also BOTNET overlaps with RDNS_DYNAMIC (and RDNS_NONE). If you had scored down RDNS_DYNAMIC and shaved a point or two off the BOTNET rules, it would have been well under threshold. BOTNET provides a useful full-circle DNS test; I'd keep it unless you use such a test to reject.
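The rescoring the reply suggests, written out as a SpamAssassin local.cf fragment. This is an added example and not a rule set from the thread or from the Botnet plugin; BOTNET_WIN and L_P0F_W are the poster's local rule names as shown above, while the X-P0F header check, the L_P0F_WINXP rule name, the meta definition of BOTNET_WIN and every numeric score below are assumptions chosen to illustrate the point (the only original figures are the 1.6 and 0.5 quoted in the reply).

```text
# local.cf fragment (added example, not from the original thread).
# Assumption: the MTA or a p0f wrapper stamps the sender's OS fingerprint
# into an X-P0F header; the header name and regex are illustrative.
header   L_P0F_WINXP   X-P0F =~ /Windows XP/i
describe L_P0F_WINXP   Relayed through a host p0f fingerprints as Windows XP
score    L_P0F_WINXP   0.01        # informational only; never scores on its own

# Use the OS fingerprint only inside a meta rule, together with the Botnet
# full-circle DNS result, instead of scoring the sender's OS by itself.
# (Assumed definition of the poster's BOTNET_WIN rule.)
meta     BOTNET_WIN    BOTNET && L_P0F_WINXP
describe BOTNET_WIN    Mail from Windows XP which seems to be in a Botnet
score    BOTNET_WIN    1.0         # reply shows 1.6; shaved by ~0.6 (assumed value)

# Keep the non-XP Windows rule low so the p0f rules still add up to ~0.
score    L_P0F_W       0.5         # as quoted in the reply

# BOTNET already checks reverse DNS, so RDNS_DYNAMIC / RDNS_NONE overlap it.
# Score RDNS_DYNAMIC down rather than paying for the same evidence twice.
score    RDNS_DYNAMIC  0.5         # assumed value; lower than the stock score
score    BOTNET        3.0         # assumed value; "a point or two" off the plugin score
```

Check the effect with `spamassassin -D -t < sample.eml` (or `spamassassin --lint` first to catch syntax errors in the fragment) and compare the per-rule score listing in the X-Spam-Status header before and after: the aim is that a dynamic-rDNS sender caught by BOTNET still scores, but no longer clears the threshold on the BOTNET and RDNS rules alone.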