On Mon, 8 May 2017 18:44:41 -0500 (CDT) David B Funk wrote:

> Years ago I dropped the default Botnet score (5.0) way down because
> of FPs like this.

The monolithic BOTNET rule is doing something analogous to (RDNS_DYNAMIC || NO_RDNS). I don't use that; I bring out the individual BOTNET subrules and meta them with RDNS_DYNAMIC and NO_RDNS to produce replacements for those two rules.