Posted to users@spamassassin.apache.org by Matt <lm...@gmail.com> on 2007/06/24 05:52:34 UTC

Botnet Score

I have added botnet to my Spamassassin install.  It seems to have
helped quite a bit so far.  I am just wondering about the 5 points it
gives for a hit.  Is that too much?  Does it have a lot of false
positives or not?

Matt

Re: Botnet Score

Posted by arni <ma...@arni.name>.
Mark Martinec wrote:
> The accuracy of botnet can be greatly enhanced when it is tamed down 
> by p0f results (passive operating system fingerprinting).
>   
I can't fully agree with that because almost all xDSL or cable users use 
some kind of hardware router which usually runs some kind of embedded 
Unix or proprietary system which will behave like Unix.

So from my experience you often see Unix from the internet's point of 
view where it's actually Windows.

arni

Re: Botnet + p0f (was: Botnet Score)

Posted by Vincent Li <vl...@vcn.bc.ca>.
On Mon, 25 Jun 2007, Jonas Eckerman wrote:

> Mark Martinec wrote:
>
>>  The accuracy of botnet can be greatly enhanced when it is tamed down by
>>  p0f
>>  results (passive operating system fingerprinting).
>
> This is my experience as well. My Botnet scores look like this currently:
>
> header          BOTNET                  eval:botnet()
> score           BOTNET                  2.0
> meta            BOTNET_WINDOWS          (BOTNET && __OS_WINDOWS)
> score           BOTNET_WINDOWS          1.0
> header          __OS_WINDOWS            p0fIP2OS =~ /Windows/i
>
>>  The X-Amavis-OS-Fingerprint header field can be inserted by
>>  p0f+p0fanalyzer+amavisd
>>  (which I use), or by p0f+p0fanalyzer + p0f plugin for SA by Vincent Li
>
> Another alternative is my stuff at:
> <http://whatever.frukt.org/p0fstats.text.shtml>
>
> The stuff there uses UDP to send p0f info from the system running p0f 
> (probably the firewall) to a collecting system that stores it in a database.
>
> It includes a perl module and a SpamAssassin plugin that can get info from 
> the database, as well as some graph stuff.
>
> The SpamAssassin module is fairly new (about a year old), but the basic 
> send/collect/store system has been in use for years here (though it has been 
> modified and changed along the way).
>
> I have no idea whether my stuff is better, worse or just different than the 
> stuff you mentioned above.

The p0f+p0fanalyzer+p0f plugin for SA is the same idea as yours.  Mark 
Martinec's p0f-analyzer.pl script listens over UDP and stores fingerprint information 
in memory instead of in a database. My SA plugin simply extracts the first untrusted relay IP,
sends a query to p0f-analyzer.pl to collect the fingerprint information and adds the metadata
X-P0f-OS-Fingerprint.

I have another SA plugin which sends a query to the p0f unix socket; in this 
case, p0f-analyzer.pl is not needed. The drawback is that SA has to run on the MX 
host and the plugin has to do extra work to deal with machine endianness.

http://bl0g.blogdns.com/spamassassin/p0f.tar

p0f-ppc.pm works on Linux PPC distributions; p0f-x86.pm works on Linux 
x86 distributions.

>
> Regards
> /Jonas
> -- 
> Jonas Eckerman, FSDB & Fruktträdet
> http://whatever.frukt.org/
> http://www.fsdb.org/
> http://www.frukt.org/
>

Vincent Li
http://bl0g.blogdns.com

Botnet + p0f (was: Botnet Score)

Posted by Jonas Eckerman <jo...@frukt.org>.
Mark Martinec wrote:

> The accuracy of botnet can be greatly enhanced when it is tamed down by p0f
> results (passive operating system fingerprinting).

This is my experience as well. My Botnet scores look like this 
currently:

header          BOTNET                  eval:botnet()
score           BOTNET                  2.0
meta            BOTNET_WINDOWS          (BOTNET && __OS_WINDOWS)
score           BOTNET_WINDOWS          1.0
header          __OS_WINDOWS            p0fIP2OS =~ /Windows/i

> The X-Amavis-OS-Fingerprint header field can be inserted by p0f+p0fanalyzer+amavisd
> (which I use), or by p0f+p0fanalyzer + p0f plugin for SA by Vincent Li

Another alternative is my stuff at:
<http://whatever.frukt.org/p0fstats.text.shtml>

The stuff there uses UDP to send p0f info from the system running 
p0f (probably the firewall) to a collecting system that stores it 
in a database.

It includes a perl module and a SpamAssassin plugin that can get 
info from the database, as well as some graph stuff.

The SpamAssassin module is fairly new (about a year old), but the 
basic send/collect/store system has been in use for years here 
(though it has been modified and changed along the way).

I have no idea whether my stuff is better, worse or just different 
than the stuff you mentioned above.

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/


Re: Botnet Score

Posted by Mark Martinec <Ma...@ijs.si>.
On Sunday June 24 2007 19:30:32 OliverScott wrote:
> Though BotNet is VERY effective in catching SPAM, the default score of 5 is
> way too high IMHO.

I fully agree, 5 is way too high.

> With a well trained BAYES, using a selected list of RBLs and URIBLs for
> scoring, the SARE rules, and some custom rules of my own I am confident
> that I am catching well over 90% of the SPAM hitting my server (about 5000
> emails received a week), with almost no false positives.
>
> Based on this I set BotNet to score 0.001 for all its rules (so as not to
> confuse the issue), and after a week examined its effectiveness using
> sa-stats.pl...
>
> It detected 91.7% of SPAM which is FANTASTIC!
>
> But it also fired on 9.6% of my HAM emails which is not so good :(
>
> Normally if a rule gets this high an FP rate then I would discard it, but given
> the amount of SPAM it catches I have left it running but set to only add 1
> to the scores of the emails it detects

The accuracy of botnet can be greatly enhanced when it is tamed down by p0f
results (passive operating system fingerprinting).

I allow botnet to contribute 2.8 points when the source is a Windows computer,
2.0 points for an unclassified host, but only 0.5 points for the rest
(i.e. mostly Linux and Unix sending hosts).

My actual rules are:


meta  BOTNET_W     !DKIM_VERIFIED && (L_P0F_WXP || L_P0F_W) && BOTNET
score BOTNET_W     2.8
meta  BOTNET_WU    !DKIM_VERIFIED && L_P0F_UNKN && BOTNET
score BOTNET_WU    2.0
score BOTNET       0.1

meta  BOTNET_OTHER !BOTNET_W && !BOTNET_WU && BOTNET
score BOTNET_OTHER 0.5


header L_P0F_WXP   X-Amavis-OS-Fingerprint =~ /^Windows XP(?![^(]*\b2000 SP)/
header L_P0F_W     X-Amavis-OS-Fingerprint =~ /^Windows(?! XP)/
header L_P0F_UNKN  X-Amavis-OS-Fingerprint =~ /^UNKNOWN/
header L_P0F_Unix  X-Amavis-OS-Fingerprint =~ /^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64|AIX)/
header L_P0F_Linux X-Amavis-OS-Fingerprint =~ /^Linux/
score  L_P0F_WXP   2.3
score  L_P0F_W     1.3
score  L_P0F_UNKN  0.8
score  L_P0F_Unix  -1.0
score  L_P0F_Linux -0.1

The X-Amavis-OS-Fingerprint header field can be inserted by p0f+p0fanalyzer+amavisd
(which I use), or by p0f+p0fanalyzer + p0f plugin for SA by Vincent Li
(which I haven't had a chance to try yet, but was announced at:
 http://marc.info/?l=amavis-user&m=118169490428464 )

  Mark
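
As an added illustration of how the rules above combine, not code from Mark's post or from the Botnet or SpamAssassin projects, the following Python emulates SpamAssassin's evaluation of exactly these rules: the five L_P0F_* header regexes first, then the three meta rules, then the summed score. The fingerprint strings are constructed, and DKIM_VERIFIED is given a score of 0.0 as an assumption (the post gives no score for it; only its veto effect on BOTNET_W and BOTNET_WU matters here). The samples also show what the negative lookahead in L_P0F_WXP does: a fingerprint that mentions "2000 SP" before any parenthesis matches neither L_P0F_WXP nor L_P0F_W, so such a Botnet hit falls through to BOTNET_OTHER and contributes 0.6 rather than 5.2.

```python
import re

# Header rules exactly as in Mark's post: rule name -> (regex applied to the
# X-Amavis-OS-Fingerprint value, score). Anchored at the start of the value,
# as SpamAssassin's "header NAME X =~ /^.../" is.
HEADER_RULES = {
    "L_P0F_WXP":   (r"^Windows XP(?![^(]*\b2000 SP)", 2.3),
    "L_P0F_W":     (r"^Windows(?! XP)", 1.3),
    "L_P0F_UNKN":  (r"^UNKNOWN", 0.8),
    "L_P0F_Unix":  (r"^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64|AIX)", -1.0),
    "L_P0F_Linux": (r"^Linux", -0.1),
}

# Scores of the Botnet rules from the post. DKIM_VERIFIED is a stock
# SpamAssassin rule whose score the post does not give; 0.0 is an assumption
# here because only its effect on the meta rules matters for this example.
META_SCORES = {
    "BOTNET": 0.1,
    "BOTNET_W": 2.8,
    "BOTNET_WU": 2.0,
    "BOTNET_OTHER": 0.5,
    "DKIM_VERIFIED": 0.0,
}


def header_hits(fingerprint):
    """Names of the L_P0F_* header rules whose regex matches the fingerprint."""
    return {name for name, (rx, _) in HEADER_RULES.items()
            if re.search(rx, fingerprint)}


def evaluate(fingerprint, botnet_hit, dkim_verified):
    """Emulate SpamAssassin's order for Mark's rules: header rules, then meta
    rules, then the total. Returns (sorted rule names hit, score to 2 dp)."""
    hits = header_hits(fingerprint)
    if botnet_hit:
        hits.add("BOTNET")          # outcome of Botnet's own eval:botnet()
    if dkim_verified:
        hits.add("DKIM_VERIFIED")

    # meta BOTNET_W     !DKIM_VERIFIED && (L_P0F_WXP || L_P0F_W) && BOTNET
    if ("DKIM_VERIFIED" not in hits and hits & {"L_P0F_WXP", "L_P0F_W"}
            and "BOTNET" in hits):
        hits.add("BOTNET_W")
    # meta BOTNET_WU    !DKIM_VERIFIED && L_P0F_UNKN && BOTNET
    if ("DKIM_VERIFIED" not in hits and "L_P0F_UNKN" in hits
            and "BOTNET" in hits):
        hits.add("BOTNET_WU")
    # meta BOTNET_OTHER !BOTNET_W && !BOTNET_WU && BOTNET
    if "BOTNET" in hits and not hits & {"BOTNET_W", "BOTNET_WU"}:
        hits.add("BOTNET_OTHER")

    scores = {name: s for name, (_, s) in HEADER_RULES.items()}
    scores.update(META_SCORES)
    total = round(sum(scores[h] for h in hits), 2)
    return sorted(hits), total


# Constructed p0f-style fingerprint values (not captured from real hosts).
SAMPLES = {
    "xp":      "Windows XP/2000 (RFC1323+, w+, tstamp-)",
    "xp_2000": "Windows XP SP1+, 2000 SP3",
    "w2k":     "Windows 2000 SP4, XP SP1+",
    "linux":   "Linux 2.6 (newer, 1)",
    "unknown": "UNKNOWN [S4:64:1:60:M1460,S,T,N,W7:.:?:?]",
}

if __name__ == "__main__":
    for label, fp in SAMPLES.items():
        print(label, evaluate(fp, botnet_hit=True, dkim_verified=False))
```

Running the block prints, per sample, the rules that fired and the total contribution of Mark's rule set on a Botnet hit; flipping dkim_verified to True on the "xp" sample shows the meta rules demoting a DKIM-verified Windows sender from BOTNET_W to BOTNET_OTHER.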

Re: Botnet Score

Posted by OliverScott <ol...@fhsinternet.com>.
Though BotNet is VERY effective in catching SPAM, the default score of 5 is
way too high IMHO.

With a well trained BAYES, using a selected list of RBLs and URIBLs for
scoring, the SARE rules, and some custom rules of my own I am confident that
I am catching well over 90% of the SPAM hitting my server (about 5000 emails
received a week), with almost no false positives.

Based on this I set BotNet to score 0.001 for all its rules (so as not to
confuse the issue), and after a week examined its effectiveness using
sa-stats.pl...

It detected 91.7% of SPAM which is FANTASTIC!

But it also fired on 9.6% of my HAM emails which is not so good :(

Normally if a rule gets this high an FP rate then I would discard it, but given
the amount of SPAM it catches I have left it running but set to only add 1
to the scores of the emails it detects (as this will not be enough to
greatly affect the scores of the false positive ham emails it hits) and in
this fashion it helps to up-score my SPAM enough to push it over my BAYES
training threshold and my Delete threshold.

One other benefit of BotNet is that it includes some rules which can be used
to down-score some genuine commercial emails and emails sent through an ISP's
mail servers.

My scores for BotNet are as follows:
score BOTNET 1.000
score BOTNET_CLIENT 0.100
score BOTNET_CLIENTWORDS 0.100
score BOTNET_IPINHOSTNAME 0.500
score BOTNET_SOHO -0.100
score BOTNET_SERVERWORDS -0.500

Other things you should look at are upgrading to SA 3.2.1 as this includes
URIBL_BLACK by default (another very effective rule), and possibly using the
SAGREY plugin (which uses the auto white list feature to see if an email is
the first one you have had from an address, and in this case if it looks to
be SPAM it adds a bit more to its score!).

Obviously your mileage may vary!

Oliver


Matt-123 wrote:
> 
> I have added botnet to my Spamassassin install.  It seems to have
> helped quite a bit so far.  I am just wondering about the 5 points it
> gives for a hit.  Is that too much?  Does it have a lot of false
> positives or not?
> 
> Matt
> 
> 



Re: Botnet Score

Posted by arni <ma...@arni.name>.
Matt wrote:
> I have added botnet to my Spamassassin install.  It seems to have
> helped quite a bit so far.  I am just wondering about the 5 points it
> gives for a hit.  Is that too much?  Does it have a lot of false
> positives or not?
>
> Matt
>
I'm using the default 5 and until now I had one false positive (but 
bayes and awl saved it)

Thinking about it I might reduce the score to 3, but not lower because 
it's really doing a great job over here

arni

Re: Botnet Score

Posted by arni <ma...@arni.name>.
Jari Fredriksson wrote:
>  
>   
>> 127.0.0.1 should be automatically trusted and you should add all your
>> MXes' IPs so botnet can work properly
>>     
>
> Add to where? I have internal_networks and trusted_networks set up in local.cf
>
>   
then that should be ok

Re: Botnet Score

Posted by Jari Fredriksson <ja...@iki.fi>.
 
>127.0.0.1 should be automatically trusted and you should add all your
>MXes' IPs so botnet can work properly

Add to where? I have internal_networks and trusted_networks set up in local.cf



Re: Botnet Score

Posted by arni <ma...@arni.name>.
Jari Fredriksson wrote:
> Matthias Haegele wrote:
>   
>> Jari Fredriksson wrote:
>>     
>>> Matt wrote:
>>>       
>>>> I have added botnet to my Spamassassin install.  It seems to have
>>>> helped quite a bit so far.  I am just wondering about the 5 points
>>>> it gives for a hit.  Is that too much?  Does it have a lot of false
>>>> positives or not?
>>>>
>>>> Matt
>>>>         
>>> I have yet to see a hit, none so far in production (botnet has been on
>>> for 5 days now). 
>>>       
>> Perhaps you use greylisting or similar solutions already, or messages
>> get blocked by blacklists at MTA level?
>>
>>     
>
> No, no such measures. But starting spamd -D tells this
>
> Seems that botnet disables itself?
>
> "No trusted relays?" 
>
>   
127.0.0.1 should be automatically trusted and you should add all your 
MXes' IPs so botnet can work properly

arni


Re: Botnet Score

Posted by John Rudd <jr...@ucsc.edu>.
Jari Fredriksson wrote:
> Matthias Haegele wrote:
>> Jari Fredriksson wrote:
>>> Matt wrote:
>>>> I have added botnet to my Spamassassin install.  It seems to have
>>>> helped quite a bit so far.  I am just wondering about the 5 points
>>>> it gives for a hit.  Is that too much?  Does it have a lot of false
>>>> positives or not?
>>>>
>>>> Matt
>>> I have yet to see a hit, none so far in production (botnet has been on
>>> for 5 days now). 
>> Perhaps you use greylisting or similar solutions already, or messages
>> get blocked by blacklists at MTA level?
>>
> 
> No, no such measures. But starting spamd -D tells this

> [24069] dbg: Botnet: All skipped/no untrusted
> [24069] dbg: Botnet: BADDNS skipped


That means that the messages you're testing with are only coming from IP 
addresses you trust.  Since Botnet skips looking at your own trusted 
relays, in trying to find "the host that submitted the message to your 
group of systems", that means it's having the same effect as the "all 
trusted" rule.

Basically Botnet is telling you "this came from one of your own 
machines, and I'm assuming you don't have a locally installed botnet, 
thus I'm not going to waste time on figuring out anything for this message."
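
Worked example, added here and not part of the Botnet plugin or SpamAssassin's own code: a simplified Python emulation of the trust-path walk John describes. It reads Received headers newest first, skips every hop whose address lies in a constructed trusted_networks list (loopback plus two MX addresses in documentation space), and returns the first hop outside it, the host that handed the message to your own systems. A chain in which every hop is trusted, such as a message injected on localhost for a lint run, yields None, which is the situation behind "All skipped/no untrusted". SpamAssassin's real trust-path logic also honours internal_networks and the receiving host named on each line; those are left out of this emulation.

```python
import ipaddress
import re

# Constructed trusted_networks, following the thread's advice: loopback plus
# the site's own MX addresses (192.0.2.0/24 is documentation address space).
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("127.0.0.0/8", "192.0.2.10/32", "192.0.2.11/32")]

# The bracketed address a receiving MTA records for the connecting relay.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(received_line):
    """Extract the connecting relay's IPv4 address from one Received line."""
    m = IP_IN_BRACKETS.search(received_line)
    return ipaddress.ip_address(m.group(1)) if m else None


def is_trusted(ip):
    """True when the address (string or ipaddress object) is in trusted_networks."""
    ip = ipaddress.ip_address(str(ip))
    return any(ip in net for net in TRUSTED_NETWORKS)


def first_untrusted_relay(received_lines):
    """Simplified emulation of SpamAssassin's trust-path walk: skip hops inside
    trusted_networks (newest first) and return the first hop outside them.
    Returns None when every hop is trusted, the 'All skipped/no untrusted'
    outcome Botnet logs for messages that never left your own machines."""
    for line in received_lines:
        ip = relay_ip(line)
        if ip is None:
            continue          # hop with no bracketed IP: ignored in this emulation
        if not is_trusted(ip):
            return str(ip)
    return None


# Constructed Received chains (no real hosts), newest hop first as in a message.
LINT_MESSAGE = [
    "from localhost (localhost [127.0.0.1]) by mx1.example.com with ESMTP id A1",
]
DELIVERED_MESSAGE = [
    "from mx1.example.com (mx1.example.com [192.0.2.10]) by store.example.com with ESMTP id B2",
    "from cpe-203-0-113-5.dsl.example.net (unknown [203.0.113.5]) by mx1.example.com with SMTP id C3",
    "from [10.0.0.2] by cpe-203-0-113-5.dsl.example.net with SMTP id D4",
]

if __name__ == "__main__":
    print("lint message:", first_untrusted_relay(LINT_MESSAGE))           # None
    print("delivered message:", first_untrusted_relay(DELIVERED_MESSAGE))  # 203.0.113.5
```

The delivered chain is the case Botnet is meant to examine: the MX hop is trusted and skipped, and 203.0.113.5 (a constructed address with a "dsl" reverse name of the kind Botnet's CLIENTWORDS rule looks for) is the relay whose name and DNS Botnet would then check. If your MX addresses are missing from trusted_networks, that first hop is the MX itself and the plugin inspects the wrong host.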

Re: Botnet Score

Posted by Jari Fredriksson <ja...@iki.fi>.
Matthias Haegele wrote:
> Jari Fredriksson wrote:
>> Matt wrote:
>>> I have added botnet to my Spamassassin install.  It seems to have
>>> helped quite a bit so far.  I am just wondering about the 5 points
>>> it gives for a hit.  Is that too much?  Does it have a lot of false
>>> positives or not?
>>> 
>>> Matt
>> 
>> I have yet to see a hit, none so far in production (botnet has been on
>> for 5 days now). 
> 
> Perhaps you use greylisting or similar solutions already, or messages
> get blocked by blacklists at MTA level?
> 

No, no such measures. But starting spamd -D tells this

[24069] dbg: Botnet: checking BADDNS
[24069] dbg: Botnet: no trusted relays
[24069] dbg: Botnet: All skipped/no untrusted
[24069] dbg: Botnet: BADDNS skipped
[24069] dbg: Botnet: checking CLIENTWORDS
[24069] dbg: Botnet: client words regexp is((\b|\d)(a|s|d(yn)?)?dsl(\b|\d))|((\b|\d)cable(\b|\d))|((\b|\d)catv(\b|\d))|((\b|\d)ddns(\b|\d))|((\b|\d)dhcp(\b)
[24069] dbg: Botnet: no trusted relays
[24069] dbg: Botnet: All skipped/no untrusted
[24069] dbg: Botnet: CLIENTWORDS skipped
[24069] dbg: Botnet: checking SERVERWORDS
[24069] dbg: Botnet: server words list is((\b|\d)mail(\b|\d))|((\b|\d)mta(\b|\d))|((\b|\d)mx(\b|\d))|((\b|\d)relay(\b|\d))|((\b|\d)smtp(\b|\d))|((\b|\d)exc)
[24069] dbg: Botnet: no trusted relays
[24069] dbg: Botnet: All skipped/no untrusted
[24069] dbg: Botnet: SERVERWORDS skipped
[24069] dbg: Botnet: starting
[24069] dbg: Botnet: no trusted relays
[24069] dbg: Botnet: All skipped/no untrusted
[24069] dbg: Botnet: skipping
[24069] dbg: Botnet: checking IPINHOSTNAME
[24069] dbg: Botnet: no trusted relays
[24069] dbg: Botnet: All skipped/no untrusted
[24069] dbg: Botnet: IPINHOSTNAME skipped
[24069] dbg: Botnet: checking for CLIENT
[24069] dbg: Botnet: no trusted relays
[24069] dbg: Botnet: All skipped/no untrusted
[24069] dbg: Botnet: CLIENT skipped
[24069] dbg: Botnet: checking for SOHO server
[24069] dbg: Botnet: no trusted relays
[24069] dbg: Botnet: All skipped/no untrusted
[24069] dbg: Botnet: SOHO skipped
[24069] dbg: Botnet: checking NORDNS
[24069] dbg: Botnet: no trusted relays
[24069] dbg: Botnet: All skipped/no untrusted
[24069] dbg: Botnet: NORDNS skipped

Seems that botnet disables itself?

"No trusted relays?" 





Re: Botnet Score

Posted by John Rudd <jr...@ucsc.edu>.
Matthias Haegele wrote:
> Jari Fredriksson wrote:
>> Matt wrote:
>>> I have added botnet to my Spamassassin install.  It seems to have
>>> helped quite a bit so far.  I am just wondering about the 5 points it
>>> gives for a hit.  Is that too much?  Does it have a lot of false
>>> positives or not?
>>>
>>> Matt
>>
>> I have yet to see a hit, none so far in production (botnet has been on for 
>> 5 days now).
> 
> Perhaps you use greylisting or similar solutions already, or messages 
> get blocked by blacklists at MTA level?
> 

In my experience, there are 3 things that have a really heavy overlap in 
effectiveness:

1) aggressive greet-pause/greeting-delay (say, 25+ seconds)

2) greylisting

3) Botnet


Each one will leak a little bit that the others can catch, but generally 
speaking, if you're doing one, you won't see much benefit with the 
others.  Since they happen in the above order, that means that the 
aggressive greet-pause will keep you from seeing as much benefit with 
the others.   The advantage of lessening your reliance on the lower 
numbered techniques is: less severe impact from false-positives (a 
false-positive from greet-pause, on a host that refuses to wait out your 
delay duration, is effectively blacklisted from ever talking to you, for 
example; but a host that triggers Botnet, even if you have a score of 5, 
is just going to get put into your spam folder or quarantine -- nowhere 
near as bad).

Then you add to that that since I last really analyzed this, 
pbl.spamhaus.org came into existence.  That also seems to have some 
overlap with the purpose of Botnet.   I'm not sure exactly how to add it 
to the above list, except that it comes before #3.

So, if you're doing zen.spamhaus.org or pbl.spamhaus.org as a block 
list, some amount of greet-pause, AND greylisting ... then Botnet may 
only trigger on a few messages.


Re: Botnet Score

Posted by Matthias Haegele <mh...@linuxrocks.dyndns.org>.
Jari Fredriksson wrote:
> Matt wrote:
>> I have added botnet to my Spamassassin install.  It seems to have
>> helped quite a bit so far.  I am just wondering about the 5 points it
>> gives for a hit.  Is that too much?  Does it have a lot of false
>> positives or not?
>>
>> Matt
> 
> I have yet to see a hit, none so far in production (botnet has been on for 5 days now).

Perhaps you use greylisting or similar solutions already, or messages 
get blocked by blacklists at MTA level?

> spamassassin -D --lint triggers one botnet hit, but not real spam for me :/
> 
> 


-- 
Grüsse/Greetings
MH


Don't send mail to: ubecatcher@linuxrocks.dyndns.org
--


Re: Botnet Score

Posted by Jari Fredriksson <ja...@iki.fi>.
Matt wrote:
> I have added botnet to my Spamassassin install.  It seems to have
> helped quite a bit so far.  I am just wondering about the 5 points it
> gives for a hit.  Is that too much?  Does it have a lot of false
> positives or not?
> 
> Matt

I have yet to see a hit, none so far in production (botnet has been on for 5 days now).

spamassassin -D --lint triggers one botnet hit, but not real spam for me :/



RE: Botnet Score

Posted by Gary V <mr...@hotmail.com>.
>I have added botnet to my Spamassassin install.  It seems to have
>helped quite a bit so far.  I am just wondering about the 5 points it
>gives for a hit.  Is that too much?  Does it have a lot of false
>positives or not?
>
>Matt

Here is a related post. I use a score of 2.0.

http://marc.info/?l=spamassassin-users&m=116670325102150

Gary V
