Posted to users@spamassassin.apache.org by si <g_...@yahoo.co.uk> on 2009/01/13 11:28:42 UTC

Temporary 'Replacements' for SaneSecurity

Guys,
 
I'm sure you're as sad as I am re- temporary suspension of the brilliant services offered by Steve Basford and his helpers at Sane Security. In a sick kind of way, the 'bad guys' are acknowledging the work these guys have done by DOSing them, but that doesn't help much with the daily grind.
 
I appreciate that great progress is being made re- getting the service back online again, but in the meantime I was wondering ... has anyone found anything as effective as a temporary replacement or enhancement?
 
Thanks
 
Mup.


      

Re: Temporary 'Replacements' for SaneSecurity

Posted by John Rudd <jr...@ucsc.edu>.
On Wed, Jan 14, 2009 at 13:06, Dave Pooser <da...@pooserville.com> wrote:
>> None of my friends are on
>> services that are that poorly configured
>
> No friends on Verizon? Their @#$% mail servers are 70% of my FPs.

Heh.  Guess not :-)

Re: Temporary 'Replacements' for SaneSecurity

Posted by Dave Pooser <da...@pooserville.com>.
> None of my friends are on
> services that are that poorly configured

No friends on Verizon? Their @#$% mail servers are 70% of my FPs.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna



Re: Temporary 'Replacements' for SaneSecurity

Posted by John Rudd <jr...@ucsc.edu>.
> ---------- Forwarded message ----------
> From: "Bret Miller" <br...@wcg.org>
> To: "John Rudd" <jr...@ucsc.edu>
> Date: Tue, 21 Aug 2007 13:08:06 -0700
> Subject: RE: BOTNET Exceptions for Today
>> Bret Miller wrote:

> Maybe these aren't false positives because botnet is identifying them for
> what they are-- badly configured. But to give a rule like botnet a default
> score that's high enough to consider the messages spam all on its own causes
> users to think we have a bad spam filtering program.
>
> When I see on the list that many people run botnet with ZERO false
> positives, I have to ask myself, "how? And why is our setup here so
> different?" Perhaps they already block email with invalid rdns at the MTA
> level, so none of this ever gets looked at. Perhaps their users just give up
> when they don't get email that they expect and use a free email account
> instead for that email. I don't know, but botnet hits a significant amount
> of legitimate email here, regardless of how badly configured the sending
> servers are.
>
> I just don't have the option of telling our president's assistant that "we
> can't accept email from your husband because the IT department at the City
> of Pasadena won't fix their DNS issues for their email server." That's just
> not acceptable in a corporate environment, even if she had a clue what the
> statement meant besides that I was refusing to do what she wants. The
> majority of these badly configured servers won't ever get fixed unless
> someone that matters to them stands up and tells them they need to fix it. I
> do that when I can, but most of the time I just don't matter enough to get
> it done.

That's why you can exempt some senders.  You don't have to force the
City of Pasadena to fix their mail servers.  You can simply find out
what their mail servers are, through various means, and give them some
form of exemption/whitelisting.  I did that for our chancellor's wife,
for example :-)  I've also done it for a few of our vendors where it
couldn't be fixed (the funniest example being where the marketing guy
had been complaining to IT about it long before I even wrote Botnet,
and the IT guys just refused to fix it... funny because the marketing
guy was more clueful about best practices than the person whose job it
was to actually pay attention to those best practices).

That's at work.  We get vanishingly few FPs at work (millions of
messages per week, less than 100 tickets about it in 3-4 years (I
think less than 30 tickets about it)).

At home, I'm just a bastard about it.  None of my friends are on
services that are that poorly configured (so no need to whitelist
anyone that I _would_ give a whitelist entry to).  I'm not interested
in anyone else's half-baked excuses about why they haven't fixed it
before, nor why they won't fix it in the future, so that group wouldn't
get a whitelist entry even if they asked for it.

Re: Temporary 'Replacements' for SaneSecurity

Posted by Rob McEwen <ro...@invaluement.com>.
Rob McEwen wrote:
> And I think it is
> probably better used as a scoring list instead of a blocking list.
>   

oops. I meant "probably better scored below threshold", since, of
course, BotNet isn't a "list".

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032



Re: Temporary 'Replacements' for SaneSecurity

Posted by Rob McEwen <ro...@invaluement.com>.
John Rudd wrote:
> Botnet isn't a DNSBL...
>   

I never said it was a DNSBL.

But it definitely has a particular focus on the sending IP, and that
sending IP's rDNS. Therefore, for all practical purposes, it is trying
to do the job of a DNSBL. As I recall, the discussion about BotNet's
development centered around blocking spam based on the sending IP...
where that IP didn't have time to get into the DNSBLs.

You might argue that a DNSBL could never replace the BotNet Plugin
because the BotNet Plugin will always catch at least some spam that
hasn't had time to get into a DNSBL. Fair argument--except that this
argument is greatly diminished if/when there are high-quality/low-FP
DNSBLs which are fast reacting/updating/distributing. Especially since
DNSBLs "scale" much better than the BotNet Plugin... and especially
if/when such DNSBLS have lower FPs than the BotNet Plugin.

I did a quick cursory search of discussions about BotNet Plugin FPs. See
attached for an example post I quickly grabbed after searching just a
few seconds.

NOTE: I'm NOT saying that the BotNet Plugin is bad or shouldn't be used.
I just don't see it as a SaneSecurity replacement. And I think it is
probably better used as a scoring list instead of a blocking list.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032



Re: Temporary 'Replacements' for SaneSecurity

Posted by John Rudd <jr...@ucsc.edu>.
On Wed, Jan 14, 2009 at 06:59, Rob McEwen <ro...@invaluement.com> wrote:

> Regarding using the Botnet Plugin as a replacement for SaneSecurity... I
> found that the _best_ part about SaneSecurity was its assistance with
> catching spam that could NOT ever be caught using _any_ kind of DNSBL.

Botnet isn't a DNSBL...

RE: Temporary 'Replacements' for SaneSecurity

Posted by SM <sm...@resistor.net>.
At 01:36 15-01-2009, Rasmus Haslund wrote:
>implement it with the SA engine running in Icewarp Merak. Anyway we do
>have a lot of problems with FP when we try out new things and I just have
>to say some things just do not work well on a large scale where you
>have to deal with all kinds of languages from all over the world.

Antispam tools rarely work well on a large scale.  SpamAssassin has 
not been tested with all the different languages.  You have to do your 
own testing and make adjustments.

>We do business with tons of companies that are using some cheap/free
>mailserver on their DSL line and then that's it - these are listed in PBL
>and god knows where... but if we don't get their email through it will
>mean large amounts of lost revenue. I constantly have to be over the
>system looking to see what new trends arise. Thankfully our system in

There are a few people that do that as they understand that filtering 
requires continuous management.  SpamAssassin can be quite effective 
even if you are communicating with companies running mail servers on 
their DSL line.  It is commonly said around here that SpamAssassin 
does not block spam.  The score it generates can be used to 
categorize the emails you receive.  From there, you can block the 
really bad and flag what falls in between for review.  One of the 
advantages of SpamAssassin is that it won't flag an email as spam on 
the basis of a PBL listing only.

>blocked though no explanation from them) and 2nd some customer's
>mailserver and I'm not sure how they fixed it since they don't speak any
>language I can understand or speak so our sales rep. for them translated
>a bunch of stuff from me and now it seems ok.

That's one of the problems when you communicate globally.

If you are seeing a lot of false positives, post some samples on a 
web site together with the rules that were hit.

Regards,
-sm 


RE: Temporary 'Replacements' for SaneSecurity

Posted by Rasmus Haslund <ra...@nowaco.com>.
SM wrote:
> "Botnet Plugin" sounds like a plugin that detects botnets ...  If 
> Rasmus is finding that many false positives, then he's using the wrong
> tools.

Well I am not using the botnet plugin because I am not sure how to
implement it with the SA engine running in Icewarp Merak. Anyway we do
have a lot of problems with FP when we try out new things and I just have
to say some things just do not work well on a large scale where you
have to deal with all kinds of languages from all over the world.

We do business with tons of companies that are using some cheap/free
mailserver on their DSL line and then that's it - these are listed in PBL
and god knows where... but if we don't get their email through it will
mean large amounts of lost revenue. I constantly have to be over the
system looking to see what new trends arise. Thankfully our system in
general seems to have a good reputation when delivering emails - so far
I have only 2 times seen examples where we got rejected - one time on
mail.ru (we are now on their internal whitelist - don't know why we got
blocked though no explanation from them) and 2nd some customer's
mailserver and I'm not sure how they fixed it since they don't speak any
language I can understand or speak so our sales rep. for them translated
a bunch of stuff from me and now it seems ok.

Well I guess the main problem here is I can't educate the entire world or
just the companies we do business with due to lack of resources but also
due to the language barriers.

Another example could be Commtouch which we have a subscription for at
the moment.
We do see weird FP from them from time to time (talking about just a
normal single email from person to person) and my point is just they do
have a lot more resources dedicated to this issue than our company does.

Any questions etc. I will be happy to try and answer them.

Best regards
Rasmus Haslund

Re: Temporary 'Replacements' for SaneSecurity

Posted by SM <sm...@resistor.net>.
At 12:44 14-01-2009, Rob McEwen wrote:
>No. This is just due to the fact that, unfortunately, some mail servers
>and IPs (which send desired and solicited messages) are somewhat
>incorrectly configured. It turns out that a distributor receiving
>legitimate business e-mail from vendors & customers in such places as
>Africa, South America, Asia... all over the place... is going to see a
>disproportionately larger amount of messages sent from IPs which either:

Choosing a tool requires an understanding of what the tool can do and 
the task to be performed with it.  We don't have to go as far as 
South America to find incorrectly configured mail 
servers.  There's currently a user on this list running one that sends 
bounces to the wrong address.

>This has nothing to do with Rasmus's tools.. other than the fact that (I
>surmise) he is probably now forced, given that situation, to back off of
>his scoring of DNSBLs and rely more on content filtering in comparison
>to those whose e-mail is mostly US/Europe-based.

If there is nothing wrong with Rasmus' tools, then the Botnet plugin 
should work for him.  Now, if you are saying that the Botnet plugin 
should only be used for those of you who only receive mail from the 
US or Europe, I'll point out that it also causes false positives for 
that kind of mail traffic.  As you mentioned above, the problem is 
not really with the Botnet plugin if we understand that it does not detect botnets.

Regards,
-sm 


Re: Temporary 'Replacements' for SaneSecurity

Posted by mouss <mo...@ml.netoyen.net>.
Rob McEwen wrote:
> SM wrote:
>> "Botnet Plugin" sounds like a plugin that detects botnets ...  If
>> Rasmus is finding that many false positives, then he's using the wrong
>> tools.
> 
> No. This is just due to the fact that, unfortunately, some mail servers
> and IPs (which send desired and solicited messages) are somewhat
> incorrectly configured.

Even with the "somewhat" qualifier, I wouldn't say "incorrectly". There
is nothing incorrect in vms173003pub.verizon.net. It's an unfortunate
choice in these botnet days, but it's as correct as it could be.



> It turns out that a distributor receiving
> legitimate business e-mail from vendors & customers in such places as
> Africa, South America, Asia... all over the place... is going to see a
> disproportionately larger amount of messages sent from IPs which either:
> 
> (a) would not do so well with BotNet's analysis
> ...OR...
> (b) which are mixed sources of ham/spam... but simply don't have a high
> enough volume of "ham" to stay off all the blacklists... particularly
> some blacklists.
> 
> This has nothing to do with Rasmus's tools.. other than the fact that (I
> surmise) he is probably now forced, given that situation, to back off of
> his scoring of DNSBLs and rely more on content filtering in comparison
> to those whose e-mail is mostly US/Europe-based.
> 


Re: Temporary 'Replacements' for SaneSecurity

Posted by Rob McEwen <ro...@invaluement.com>.
SM wrote:
> "Botnet Plugin" sounds like a plugin that detects botnets ...  If
> Rasmus is finding that many false positives, then he's using the wrong
> tools.

No. This is just due to the fact that, unfortunately, some mail servers
and IPs (which send desired and solicited messages) are somewhat
incorrectly configured. It turns out that a distributor receiving
legitimate business e-mail from vendors & customers in such places as
Africa, South America, Asia... all over the place... is going to see a
disproportionately larger amount of messages sent from IPs which either:

(a) would not do so well with BotNet's analysis
...OR...
(b) which are mixed sources of ham/spam... but simply don't have a high
enough volume of "ham" to stay off all the blacklists... particularly
some blacklists.

This has nothing to do with Rasmus's tools.. other than the fact that (I
surmise) he is probably now forced, given that situation, to back off of
his scoring of DNSBLs and rely more on content filtering in comparison
to those whose e-mail is mostly US/Europe-based.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032



Re: Temporary 'Replacements' for SaneSecurity

Posted by SM <sm...@resistor.net>.
At 06:59 14-01-2009, Rob McEwen wrote:
>Because Rasmus manages a mail server where B2B mail is routinely
>sent/received _globally_, Rasmus is the king of finding FPs. I could be
>wrong, but judging from previous reports about the Botnet Plugin, I
>predict that Rasmus will either (a) find the Botnet Plugin utterly
>unusable due to FPs, or (b) only be able to score it by a point or two
>due to excessive FPs. (Rasmus--by all means--please don't take my word
>for it--try it out and then let us know what happened!)

"Botnet Plugin" sounds like a plugin that detects botnets ...  If 
Rasmus is finding that many false positives, then he's using the wrong tools.

At 08:37 14-01-2009, Matt Garretson wrote:
>Is there any way that a more distributed method of delivering
>updates could be more resistant to DDOS attacks?  E.g.
>trackerless bittorrents (DHT), or something along those lines?

Isn't that technology certified for illegal content only? :-)

Sanesecurity could have been better protected against DDOS 
attacks.  They are a ripe target.

Regards,
-sm 


Re: Temporary 'Replacements' for SaneSecurity

Posted by Benny Pedersen <me...@junc.org>.
On Wed, January 14, 2009 17:33, John Hardin wrote:

> Is there any other distributed content distribution system they
> could use for free this way?

bittorrent ?

(micro$oft have problems delivering windows 7 betas from their
network, open source problems ?) :=)

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: Temporary 'Replacements' for SaneSecurity

Posted by John Hardin <jh...@impsec.org>.
On Wed, 14 Jan 2009, Rob McEwen wrote:

> QUESTIONS:
>
> Is SaneSecurity still collecting data and generating the rulesets? (but
> just not able to distribute them)

I was wondering that myself, and was also wondering whether there was a 
way to leverage the Coral cache system to avoid DDoS - for example, 
publish a coralified URI to retrieve the rulesets, and put a firewall rule 
on the core SaneSecurity webserver hosting the rulesets that only passes 
traffic from the Coral servers.

Is there any other distributed content distribution system they could use 
for free this way?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  An operating system design that requires a system reboot in order to
  install a document viewing utility does not earn my respect.
-----------------------------------------------------------------------
  3 days until Benjamin Franklin's 303rd Birthday

Re: Botnet plugin

Posted by Benny Pedersen <me...@junc.org>.
On Sun, January 18, 2009 19:03, mouss wrote:
> This may not be a problem for you, but other people may want to
> score if PTR is dynamic (even if helo is not).

and reject in the MTA if both are dynamic :)

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: Botnet plugin

Posted by mouss <mo...@ml.netoyen.net>.
Henrik K wrote:
> On Sun, Jan 18, 2009 at 03:45:25PM +0100, mouss wrote:
>> Henrik K wrote:
>[snip]
>>> Less info only if you are running a sad MTA, that doesn't properly resolve.
>> not completely true.
>>
>> $ host 220.174.1.163
>> 163.1.174.220.in-addr.arpa domain name pointer
>> 163.1.174.220.broad.hk.hi.dynamic.163data.com.cn.
>> $ host 163.1.174.220.broad.hk.hi.dynamic.163data.com.cn
>> Host 163.1.174.220.broad.hk.hi.dynamic.163data.com.cn not found: 3(NXDOMAIN)
>>
>> if you get a message from this IP, postfix will set the name to
>> "unknown". so you won't detect that the PTR is dynamic.
>>
>> and "unknown" is also used if there is a dns failure, or if the PTR
>> doesn't "confirm" (ip -> ptr -> different IP). so you can't treat all
>> "unknown" similarly.
>>
>> I know you can block the IP in postfix (I block the whole
>> dynamic.163data.com.cn), but this is just an example (I'm too lazy to
>> look for a better one), and I hope you see my point.
> 
> Well, for what it matters, unknown is fine by mine. I greylist all of them.
> I block unknowns that are in any BLs. I don't directly block hostnames with
> dynamic content (only known bad isps), but I do block dynamic helos. I don't
> see any problems on what you said.
> 


I only meant that you can have "less info" even with a not so "sad MTA".

This may not be a problem for you, but other people may want to score if
PTR is dynamic (even if helo is not).



Re: Botnet plugin

Posted by Henrik K <he...@hege.li>.
On Sun, Jan 18, 2009 at 03:45:25PM +0100, mouss wrote:
> Henrik K wrote:
> > On Fri, Jan 16, 2009 at 01:52:46PM +0100, Jonas Eckerman wrote:
> >> Benny Pedersen wrote:
> >>
> >>> i have changed to use BadRelay from
> >>> http://sa.hege.li/BadRelay.pm
> >>> http://sa.hege.li/BadRelay.cf
> >> After reading BadRelay.pm I see that it does not really replace Botnet.
> >>
> >> Some of the differences in what is checked are due to Botnet doing 
> >> DNS-lookups while BadRelay avoids that. That's fair enough since one of 
> >> the points of BadRelay is to avoid those lookups. It does mean that 
> >> BadRelay has less info to base decisions on than Botnet though.
> > 
> > Less info only if you are running a sad MTA, that doesn't properly resolve.
> 
> not completely true.
> 
> $ host 220.174.1.163
> 163.1.174.220.in-addr.arpa domain name pointer
> 163.1.174.220.broad.hk.hi.dynamic.163data.com.cn.
> $ host 163.1.174.220.broad.hk.hi.dynamic.163data.com.cn
> Host 163.1.174.220.broad.hk.hi.dynamic.163data.com.cn not found: 3(NXDOMAIN)
> 
> if you get a message from this IP, postfix will set the name to
> "unknown". so you won't detect that the PTR is dynamic.
> 
> and "unknown" is also used if there is a dns failure, or if the PTR
> doesn't "confirm" (ip -> ptr -> different IP). so you can't treat all
> "unknown" similarly.
> 
> I know you can block the IP in postfix (I block the whole
> dynamic.163data.com.cn), but this is just an example (I'm too lazy to
> look for a better one), and I hope you see my point.

Well, for what it matters, unknown is fine by mine. I greylist all of them.
I block unknowns that are in any BLs. I don't directly block hostnames with
dynamic content (only known bad isps), but I do block dynamic helos. I don't
see any problems on what you said.


Re: Botnet plugin

Posted by mouss <mo...@ml.netoyen.net>.
Henrik K wrote:
> On Fri, Jan 16, 2009 at 01:52:46PM +0100, Jonas Eckerman wrote:
>> Benny Pedersen wrote:
>>
>>> i have changed to use BadRelay from
>>> http://sa.hege.li/BadRelay.pm
>>> http://sa.hege.li/BadRelay.cf
>> After reading BadRelay.pm I see that it does not really replace Botnet.
>>
>> Some of the differences in what is checked are due to Botnet doing 
>> DNS-lookups while BadRelay avoids that. That's fair enough since one of 
>> the points of BadRelay is to avoid those lookups. It does mean that 
>> BadRelay has less info to base decisions on than Botnet though.
> 
> Less info only if you are running a sad MTA, that doesn't properly resolve.

not completely true.

$ host 220.174.1.163
163.1.174.220.in-addr.arpa domain name pointer
163.1.174.220.broad.hk.hi.dynamic.163data.com.cn.
$ host 163.1.174.220.broad.hk.hi.dynamic.163data.com.cn
Host 163.1.174.220.broad.hk.hi.dynamic.163data.com.cn not found: 3(NXDOMAIN)

if you get a message from this IP, postfix will set the name to
"unknown". so you won't detect that the PTR is dynamic.

and "unknown" is also used if there is a dns failure, or if the PTR
doesn't "confirm" (ip -> ptr -> different IP). so you can't treat all
"unknown" similarly.

I know you can block the IP in postfix (I block the whole
dynamic.163data.com.cn), but this is just an example (I'm too lazy to
look for a better one), and I hope you see my point.

> I guess the SOHO rule is an exception, but I've never seen a need for it
> myself. You can always whitelist such minority cases by hand.
> 
>> One difference is simply due to the fact that all BadRelay does is the 
>> simple regexp matches. BadRelay doesn't have Botnet's check for IP in 
>> host name, which it could do without DNS lookups.
> 
> Check for IP in hostname? Does anyone have actual stats, that it's somehow
> better than a generic \d+-\d+ regex or whatever? Sometimes it's just better
> to KISS.
> 
> Btw, I haven't touched BadRelay in ages, since all these "dynamic" etc
> checks should be done in MTA. I pretty much don't get anything through to SA
> that would get hit by it.
> 
>> What would be nice though would be a plugin that:
>> ...
> 
> All this should be generic SA stuff.. :) If only someone would have time to
> revamp the current (old) rules.
> 


Re: Botnet plugin

Posted by Jonas Eckerman <jo...@frukt.org>.
Henrik K wrote:

> Less info only if you are running a sad MTA, that doesn't properly resolve.
> I guess the SOHO rule is an exception,

That was what I meant. :-)

> Check for IP in hostname? Does anyone have actual stats, that it's somehow
> better than a generic \d+-\d+ regex or whatever? Sometimes it's just better
> to KISS.

I don't have any stats now, but I use a similar check in our 
selective grey listing and once checked stats for that.

There was a clear difference (catching more fqdns with fewer FPs) 
when I changed from a simple check to a more complex one.

(Comparing the fqdn with the IP address allows you to match 
patterns that might otherwise lead to FPs.)

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/


Re: Botnet plugin

Posted by Henrik K <he...@hege.li>.
On Fri, Jan 16, 2009 at 01:52:46PM +0100, Jonas Eckerman wrote:
> Benny Pedersen wrote:
>
>> i have changed to use BadRelay from
>
>> http://sa.hege.li/BadRelay.pm
>> http://sa.hege.li/BadRelay.cf
>
> After reading BadRelay.pm I see that it does not really replace Botnet.
>
> Some of the differences in what is checked are due to Botnet doing 
> DNS-lookups while BadRelay avoids that. That's fair enough since one of 
> the points of BadRelay is to avoid those lookups. It does mean that 
> BadRelay has less info to base decisions on than Botnet though.

Less info only if you are running a sad MTA, that doesn't properly resolve.
I guess the SOHO rule is an exception, but I've never seen a need for it
myself. You can always whitelist such minority cases by hand.

> One difference is simply due to the fact that all BadRelay does is the 
> simple regexp matches. BadRelay doesn't have Botnet's check for IP in 
> host name, which it could do without DNS lookups.

Check for IP in hostname? Does anyone have actual stats, that it's somehow
better than a generic \d+-\d+ regex or whatever? Sometimes it's just better
to KISS.

Btw, I haven't touched BadRelay in ages, since all these "dynamic" etc
checks should be done in MTA. I pretty much don't get anything through to SA
that would get hit by it.

> What would be nice though would be a plugin that:
> ...

All this should be generic SA stuff.. :) If only someone would have time to
revamp the current (old) rules.


Re: Botnet plugin

Posted by Jonas Eckerman <jo...@frukt.org>.
Benny Pedersen wrote:

> i have changed to use BadRelay from

> http://sa.hege.li/BadRelay.pm
> http://sa.hege.li/BadRelay.cf

After reading BadRelay.pm I see that it does not really replace 
Botnet.

Some of the differences in what is checked are due to Botnet 
doing DNS-lookups while BadRelay avoids that. That's fair enough 
since one of the points of BadRelay is to avoid those lookups. It 
does mean that BadRelay has less info to base decisions on than 
Botnet though.

One difference is simply due to the fact that all BadRelay does 
is the simple regexp matches. BadRelay doesn't have Botnet's 
check for IP in host name, which it could do without DNS lookups.

Also, it should be a small and simple change to Botnet in order 
to use some of its functions without making it do its own DNS 
lookups AFAICT. The eval checks "botnet_ipinhostname", 
"botnet_clientwords" and "botnet_serverwords" should be able to work 
without any DNS lookups with this small change. I might do a 
patch for this (if there is any interest).

What would be nice though would be a plugin that:

1: Have a simple (for the user) cf option to decide on whether 
*any* additional DNS lookups should *ever* be done or not.

2: If told to do lookups, do as many of those as possible 
asynchronously, the way SA's DNSBL checks are done.

This would require a redesign of the plugin's structure though. I 
*might* do this (in that case I'd do a completely new plugin 
based on Botnet) if I get time for it, but I currently have no 
way of knowing when or if that might be.

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/


Re: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

Posted by Benny Pedersen <me...@junc.org>.
On Thu, January 15, 2009 18:06, Mark Martinec wrote:

> Not to forget the long-standing DNS problem with Botnet:
>   http://marc.info/?l=spamassassin-users&m=118641079630268
>   http://marc.info/?l=spamassassin-users&m=120783518919154

i have changed to use BadRelay from

http://sa.hege.li/BadRelay.pm
http://sa.hege.li/BadRelay.cf

Thanks go to Henrik for making this update

>> In a while I'll send a patch to the author.
> That is noble, but apparently it doesn't have any effect.

we can just hope

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: Botnet plugin

Posted by Jonas Eckerman <jo...@frukt.org>.
Mark Martinec wrote:

>> In a while I'll send a patch to the author.

> That is noble, but apparently it doesn't have any effect.

When Botnet was known as RelayChecker I made a suggestion to the 
author. That suggestion was incorporated in the code.

For some reason I take that as an indicator that my suggestion 
did have an effect at that time, and that there is a possibility 
that my new suggestion also has an effect (depending on, among 
other things, what the author thinks about it).

I also seem to recall that the author gives credit (in some file 
included in the Botnet tar) to a whole bunch of people for 
suggestions and/or changes. Presumably at least some of those 
suggestions and/or changes did have some kind of effect on the 
plugin.

/Jonas

-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



Re: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

Posted by John Rudd <jr...@ucsc.edu>.
On Thu, Jan 15, 2009 at 09:06, Mark Martinec <Ma...@ijs.si> wrote:
> Jonas,
>
>> I just found one reason for FPs in the Botnet plugin. It doesn't
>> make a difference between timeouts (and other DNS errors) and
>> negative answers. So if your DNS server/proxy is overloaded (or
>> slow for some other reason), you'll get FPs
>>
>> Since 15 minutes ago, I'm running a slightly modified version of
>> the plugin that tries to avoid this.
>
> Not to forget the long-standing DNS problem with Botnet:
>
>  http://marc.info/?l=spamassassin-users&m=118641079630268
>  http://marc.info/?l=spamassassin-users&m=120783518919154
>
>> In a while I'll send a patch to the author.
>
> That is noble, but apparently it doesn't have any effect.

Yes, clearly the fact that I didn't get around to fixing something
means that I never accept fixes/suggestions/etc. from external
sources.  Botnet has never incorporated any such external submission.
Ever.

Hopefully you're smart enough to detect sarcasm.

Re: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

Posted by Mark Martinec <Ma...@ijs.si>.
Jonas,

> I just found one reason for FPs in the Botnet plugin. It doesn't
> make a difference between timeouts (and other DNS errors) and
> negative answers. So if your DNS server/proxy is overloaded (or
> slow for some other reason), you'll get FPs
>
> Since 15 minutes ago, I'm running a slightly modified version of
> the plugin that tries to avoid this.

Not to forget the long-standing DNS problem with Botnet:

  http://marc.info/?l=spamassassin-users&m=118641079630268
  http://marc.info/?l=spamassassin-users&m=120783518919154

> In a while I'll send a patch to the author.

That is noble, but apparently it doesn't have any effect.

  Mark

RE: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

Posted by RobertH <ro...@abbacomm.net>.
 

> 
> I just found one reason for FPs in the Botnet plugin. It 
> doesn't make a difference between timeouts (and other DNS 
> errors) and negative answers. So if your DNS server/proxy is 
> overloaded (or slow for some other reason), you'll get FPs
> 
> Since 15 minutes ago, I'm running a slightly modified version 
> of the plugin that tries to avoid this. In a while I'll send 
> a patch to the author.
> 
> Apart from this the plugin seems to work fine here with a 
> score of +2 (with an extra +1 if p0f says it's a Windows system).
> 
> Regards
> /Jonas
> 
> --
> Jonas Eckerman, FSDB & Fruktträdet

Jonas,

please send the patch to the list too.... whether or not the author does
anything with it is his business, and then eventually ours.

:-)

it will benefit a lot of people that will choose to use your idea or patch
regardless.

thanks!

 - rh


Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

Posted by Jonas Eckerman <jo...@frukt.org>.
Daniel J McDonald wrote:

> I too found botnet to be a great source of FP.  By combining it with p0f
> it's moderately useful.

I just found one reason for FPs in the Botnet plugin. It doesn't 
make a difference between timeouts (and other DNS errors) and 
negative answers. So if your DNS server/proxy is overloaded (or 
slow for some other reason), you'll get FPs

Since 15 minutes ago, I'm running a slightly modified version of 
the plugin that tries to avoid this. In a while I'll send a patch 
to the author.

Apart from this the plugin seems to work fine here with a score 
of +2 (with an extra +1 if p0f says it's a Windows system).

Regards
/Jonas

-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
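Jonas's point above, that a DNS timeout or SERVFAIL must not be scored the same way as an authoritative "no such host" answer, as an added Python illustration that is not the Botnet plugin's own (Perl) code. It assumes the lookup in question is the plugin's reverse-DNS check, makes the resolver injectable so the constructed `fake_lookup` table stands in for real DNS, and reads the h_errno codes glibc's `<netdb.h>` defines (HOST_NOT_FOUND=1, TRY_AGAIN=2) from `socket.herror.errno`.

```python
import socket
from enum import Enum

# h_errno values from glibc's <netdb.h>, as reported in socket.herror.errno
HOST_NOT_FOUND, TRY_AGAIN, NO_RECOVERY, NO_DATA = 1, 2, 3, 4

class Rdns(Enum):
    FOUND = "found"          # a PTR record exists
    NOT_FOUND = "not_found"  # authoritative negative answer (NXDOMAIN / no PTR data)
    UNKNOWN = "unknown"      # timeout, SERVFAIL, resolver unreachable: no evidence either way

def classify_rdns(ip, lookup=socket.gethostbyaddr):
    """Three-state reverse lookup; `lookup` is injectable so the example runs offline."""
    try:
        hostname, _aliases, _addrs = lookup(ip)
        return Rdns.FOUND, hostname
    except socket.herror as e:              # subclass of OSError, so it must come first
        if e.errno in (HOST_NOT_FOUND, NO_DATA):
            return Rdns.NOT_FOUND, None
        return Rdns.UNKNOWN, None           # TRY_AGAIN / NO_RECOVERY: resolver trouble
    except OSError:                         # includes socket.timeout
        return Rdns.UNKNOWN, None

def naive_score(ip, lookup=socket.gethostbyaddr, nordns=2.0):
    """The failure mode from the thread: every lookup error is scored as 'no rDNS'."""
    try:
        lookup(ip)
        return 0.0
    except OSError:
        return nordns

def careful_score(ip, lookup=socket.gethostbyaddr, nordns=2.0, p0f_windows=False):
    """Score only a definitive negative (+2, +1 more if p0f says Windows); UNKNOWN adds nothing."""
    state, _ = classify_rdns(ip, lookup)
    if state is not Rdns.NOT_FOUND:
        return 0.0
    return nordns + (1.0 if p0f_windows else 0.0)

def fake_lookup(table):
    """Constructed stand-in resolver: ip -> hostname, 'nx' (NXDOMAIN) or 'timeout'."""
    def lookup(ip):
        entry = table.get(ip, "nx")
        if entry == "nx":
            raise socket.herror(HOST_NOT_FOUND, "Unknown host")
        if entry == "timeout":
            raise socket.herror(TRY_AGAIN, "Temporary failure in name resolution")
        return entry, [], [ip]
    return lookup

# Constructed sample: a host with rDNS, one without, and one behind an overloaded resolver
SAMPLE = fake_lookup({"192.0.2.10": "mx.example.net", "192.0.2.20": "nx", "192.0.2.30": "timeout"})
```

With the sample table, `naive_score` gives the 192.0.2.30 sender the full no-rDNS penalty because the resolver timed out, while `careful_score` gives it nothing and still penalises the genuinely unresolvable 192.0.2.20.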


Re: Temporary 'Replacements' for SaneSecurity

Posted by Matt Garretson <ma...@assembly.state.ny.us>.
Is there any way that a more distributed method of delivering
updates could be more resistant to DDOS attacks?  E.g.
trackerless bittorrents (DHT), or something along those lines?

Just wondering in general....

Re: Temporary 'Replacements' for SaneSecurity

Posted by Daniel J McDonald <da...@austinenergy.com>.
On Wed, 2009-01-14 at 09:59 -0500, Rob McEwen wrote:
> Rasmus Haslund wrote:
> >> After a loud outcry from our users from the increasing level of spam in
> >> their inboxes, I installed the Botnet >Plugin.
> >>     
> > Is this something that can be used with the SA in Icewarp Merak?
> >   
> 
> Because Rasmus manages a mail server where B2B mail is routinely
> sent/received _globally_, Rasmus is the king of finding FPs. I could be
> wrong, but judging from previous reports about the Botnet Plugin, I
> predict that Rasmus will either (a) find the Botnet Plugin utterly
> unusable due to FPs, or (b) only be able to score it by a point or two
> due to excessive FPs. (Rasmus--by all means--please don't take my word
> for it--try it out and then let us know what happened!)

I too found botnet to be a great source of FP.  By combining it with p0f
it's moderately useful.

But sanesecurity would be more useful...  a pity we can't replicate the
incremental updates that the official clamav project uses.  I seem to
recall that they had problems scaling until they went to that process.



-- 
Dan McDonald, CCIE #2495, CISSP# 78281, CNX
www.austinenergy.com

Re: Temporary 'Replacements' for SaneSecurity

Posted by Rob McEwen <ro...@invaluement.com>.
Rasmus Haslund wrote:
>> After a loud outcry from our users from the increasing level of spam in
>> their inboxes, I installed the Botnet >Plugin.
>>     
> Is this something that can be used with the SA in Icewarp Merak?
>   

Because Rasmus manages a mail server where B2B mail is routinely
sent/received _globally_, Rasmus is the king of finding FPs. I could be
wrong, but judging from previous reports about the Botnet Plugin, I
predict that Rasmus will either (a) find the Botnet Plugin utterly
unusable due to FPs, or (b) only be able to score it by a point or two
due to excessive FPs. (Rasmus--by all means--please don't take my word
for it--try it out and then let us know what happened!)

Regarding using the Botnet Plugin as a replacement for SaneSecurity... I
found that the _best_ part about SaneSecurity was its assistance with
catching spam that could NOT ever be caught using _any_ kind of DNSBL.
For example, "419" scam spams sent from the large freemail providers
where the message cannot possibly be blocked because of being sent from
an IP that sends large amounts of legit mail and because there is simply
no domain in the body of the message for surbl/uribl/ivmURI to grab
onto. THAT was the best part about SaneSecurity, imo.

Therefore, if someone is missing SaneSecurity, I'd suggest first making
sure they have Sought Rules installed and frequently updating--if not
already running.

QUESTIONS:

Is SaneSecurity still collecting data and generating the rulesets? (but
just not able to distribute them)

Is there any end in sight for the DDOS?

Has anyone tried to mitigate their DDOS? (There is a super-secret list
out there consisting of professionals who work for all the largest ISPs
and security vendors. They have ways to help mitigate these things. They
look for IPs conducting the DDOS, on each of their own networks, and
they simply shut those IPs down at the access point.)

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032



RE: Temporary 'Replacements' for SaneSecurity

Posted by Rasmus Haslund <ra...@nowaco.com>.
> After a loud outcry from our users from the increasing level of spam in
> their inboxes, I installed the Botnet Plugin.

Is this something that can be used with the SA in Icewarp Merak?

NOWACO A/S
Rasmus Haslund

Re: Temporary 'Replacements' for SaneSecurity

Posted by Paul Griffith <pa...@cse.yorku.ca>.
On Wed, 14 Jan 2009 09:23:51 -0500, John Rudd <jr...@ucsc.edu> wrote:

> How's it working for you, so far?
>
>
> On Wed, Jan 14, 2009 at 06:12, Paul Griffith <pa...@cse.yorku.ca> wrote:
>> On Tue, 13 Jan 2009 05:28:42 -0500, si <g_...@yahoo.co.uk> wrote:
>>
>>> Guys,
>>>
>>> I'm sure you're as sad as I am re- temporary suspension of the brilliant
>>> services offered by Steve Basford and his helpers at Sane Security. In a sick
>>> kind of way, the 'bad guys' are acknowledging the work these guys have done
>>> by DOSing them, but that doesn't help much with the daily grind.
>>>
>>> I appreciate that great progress is being made re- getting the service back
>>> online again, but in the mean time was wondering ... has anyone found
>>> anything as effective as a temporary replacement or enhancement?
>>>
>>> Thanks
>>>
>>> Mup.
>>>
>>
>> After a loud outcry from our users from the increasing level of spam in
>> their inboxes, I installed the Botnet Plugin.
>>
>> Thanks
>> Paul
>>

I have seen one FP, but the spam level has gone down. We have been running  
the Botnet plugin for less than 24 hours.

Thanks
Paul

BTW: I eagerly await the return of Sane Security.

Re: Temporary 'Replacements' for SaneSecurity

Posted by si <g_...@yahoo.co.uk>.
We're already using the BotNet plugin, and it really helps. One or two FPs from time-to-time, but nothing we can't live with. We turned the score down in steps to 3.0, in stages, and that seems to be just about right.
 
FYI - also use DCC, Razor, a relatively well trained bayes database and 'standard' blacklists.
 
We front-end SA with smf-zombie and smf-greylist milters, and that actually catches most crud before it gets anywhere near SA.
 
Finally, we wrap everything up with MimeDefang, which deals with all the stuff SA, Clam, and the milters can't cope with.
 
We're still in pretty good shape, but we certainly notice that the Sane Security stuff isn't there any more.
 
Mup.

--- On Wed, 14/1/09, John Rudd <jr...@ucsc.edu> wrote:

From: John Rudd <jr...@ucsc.edu>
Subject: Re: Temporary 'Replacements' for SaneSecurity
To: "Paul Griffith" <pa...@cse.yorku.ca>
Cc: g_bsdl@yahoo.co.uk, users@spamassassin.apache.org
Date: Wednesday, 14 January, 2009, 2:23 PM

How's it working for you, so far?


On Wed, Jan 14, 2009 at 06:12, Paul Griffith <pa...@cse.yorku.ca> wrote:
> On Tue, 13 Jan 2009 05:28:42 -0500, si <g_...@yahoo.co.uk> wrote:
>
>> Guys,
>>
>> I'm sure you're as sad as I am re- temporary suspension of the brilliant
>> services offered by Steve Basford and his helpers at Sane Security. In a sick
>> kind of way, the 'bad guys' are acknowledging the work these guys have done
>> by DOSing them, but that doesn't help much with the daily grind.
>>
>> I appreciate that great progress is being made re- getting the service back
>> online again, but in the mean time was wondering ... has anyone found
>> anything as effective as a temporary replacement or enhancement?
>>
>> Thanks
>>
>> Mup.
>>
>
> After a loud outcry from our users from the increasing level of spam in
> their inboxes, I installed the Botnet Plugin.
>
> Thanks
> Paul
>


Re: Temporary 'Replacements' for SaneSecurity

Posted by John Rudd <jr...@ucsc.edu>.
How's it working for you, so far?


On Wed, Jan 14, 2009 at 06:12, Paul Griffith <pa...@cse.yorku.ca> wrote:
> On Tue, 13 Jan 2009 05:28:42 -0500, si <g_...@yahoo.co.uk> wrote:
>
>> Guys,
>>
>> I'm sure you're as sad as I am re- temporary suspension of the brilliant
>> services offered by Steve Basford and his helpers at Sane Security. In a sick
>> kind of way, the 'bad guys' are acknowledging the work these guys have done
>> by DOSing them, but that doesn't help much with the daily grind.
>>
>> I appreciate that great progress is being made re- getting the service back
>> online again, but in the mean time was wondering ... has anyone found
>> anything as effective as a temporary replacement or enhancement?
>>
>> Thanks
>>
>> Mup.
>>
>
> After a loud outcry from our users from the increasing level of spam in
> their inboxes, I installed the Botnet Plugin.
>
> Thanks
> Paul
>

Re: Temporary 'Replacements' for SaneSecurity

Posted by Paul Griffith <pa...@cse.yorku.ca>.
On Tue, 13 Jan 2009 05:28:42 -0500, si <g_...@yahoo.co.uk> wrote:

> Guys,
>  
> I'm sure you're as sad as I am re- temporary suspension of the brilliant  
> services offered by Steve Basford and his helpers at Sane Security. In a  
> sick kind of way, the 'bad guys' are acknowledging the work these guys  
> have done by DOSing them, but that doesn't help much with the daily  
> grind.
>  
> I appreciate that great progress is being made re- getting the service  
> back online again, but in the mean time was wondering ... has anyone  
> found anything as effective as a temporary replacement or enhancement?
>  
> Thanks
>  
> Mup.
>

After a loud outcry from our users from the increasing level of spam in  
their inboxes, I installed the Botnet Plugin.

Thanks
Paul

Re: Temporary 'Replacements' for SaneSecurity

Posted by Sanesecurity <st...@webtribe.net>.

si-12 wrote:
> 
> I appreciate that great progress is being mad re- getting the service back
> online again, but in the mean time was wondering ... has anyone found
> anything as effective as a temporary replacement or enhancement?
One rsync server is already up and running and is currently being tested,
with another being added soon, to test round-robin-dns setup.. just need a
little more time :)

As for ClamAV's freshclam... there were (from what I can remember) plans to
have Third-Party signatures, updated via freshclam and using their official
distribution mirrors.   Obviously, this would take time to setup.. and may
have issues for how Third-Party signatures are generated.

So, in the mean time... a few round-robin rsync mirrors and iptables blocks on
IPs that have downloaded too much... is the way it's looking short-term.

For those that haven't already... hop over to sanesecurity.co.uk and sign up
to the list... 

Cheers and thanks for all the positive comments,

Steve
Sanesecurity
-- 
View this message in context: http://www.nabble.com/Temporary-%27Replacements%27-for-SaneSecurity-tp21444618p21459579.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.