Posted to users@spamassassin.apache.org by Cliff Stanford <cl...@may.be> on 2007/07/03 16:39:19 UTC

Botnet over aggressive?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm still a bit vague on how the SpamAssassin rules fit together but
I've noticed that, since upgrading to the latest version, I'm getting a
lot of false positives.

The common cause seems to be Botnet.cf.  Where a server has no reverse
DNS, BOTNET_NORDNS scores it as 0.01 but BOTNET adds 5.0 to that.  In
addition, RDNS_NONE is adding 0.1 so every mail that lacks reverse dns
is getting a minimum of 5.1.

Is this intended behaviour?

Regards,
Cliff.
- --
Cliff Stanford
Might Limited                           +44 845 0045 666 (Office)
Suite 67, Dorset House                  +44 7973 616 666 (Mobile)
Duke Street, Chelmsford, CM1 1TB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGil+XfNTx9pWyKfwRAmC8AJ45pI4cAdwZb1z+PcYOBDO0nMbiIgCfY0Ac
NCcY+rXss72dEeylJAbmLdA=
=i67i
-----END PGP SIGNATURE-----


Re: Botnet over aggressive?

Posted by Cliff Stanford <cl...@may.be>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Rudd wrote:

> The number of messages that get flagged by Botnet but aren't spam is, in 
> my observation across a few sites, less than one tenth of one percent.

Funnily enough, the reason this came up is that Botnet was flagging
messages at 5.1 from two British Telcos, Orange and Magrathea.

Both companies have mis-configured reverse DNS.

Regards,
Cliff.

- --
Cliff Stanford
Might Limited                           +44 845 0045 666 (Office)
Suite 67, Dorset House                  +44 7973 616 666 (Mobile)
Duke Street, Chelmsford, CM1 1TB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGjRAlfNTx9pWyKfwRAlzNAKDJRs31f7eXPysO8bK6lldYvYl3NACfd4cI
KclowUqK7XmbHUU51YtgFaY=
=SW0C
-----END PGP SIGNATURE-----


Re: Botnet over aggressive?

Posted by John Rudd <jr...@ucsc.edu>.
Alex Woick wrote:
> John Rudd wrote:
> 
>> Botnet's score of 5 is meant to say "this message should be 
>> quarantined or flagged for review".  It's not saying "this message is 
>> _definitely_ spam".
> 
> In my opinion, this is not quite according to the concept of 
> SpamAssassin. SA has a bunch of rules that give qualified hints about 
> the spamminess of a message. One hint alone is never enough, it always 
> takes some of them until a threshold (5) is crossed and above that the 
> message is considered spam. The more hints, the higher the spamminess. 
> This works so well that I trust the hints if the score is above 10. 
> These messages end up in a very seldom accessed "sure spam" folder 
> that is auto-purged. Messages from 5 to 10 get moved to a "probably 
> spam" folder that I inspect once a week perhaps. But I always consider 
> these messages as spam with a solitary false positive that slips there.
> The philosophy behind SA suggests this approach, in my opinion.
> 
> Botnet doesn't fit this philosophy - its score is way too high and the 
> false positive probability is also too high to justify that a message is 
> condemned as spam on one single rule. In my opinion, its default 
> configuration should be according to SA defaults, so its score should be 
> something between 1.5 and 3. If the message is spam, other rules most 
> certainly also hit and push it above 5. If the message is ham, no harm 
> is done and it is not denounced as spam.
> 
> No offense meant - only my point of view.


You say it doesn't fit your philosophy of how to use spam assassin, yet 
your mechanism is exactly the same as mine:

score between 5 and 10 is merely "probably spam".  Above 10 is 
"definitely spam".

I reject during SMTP at 10 or greater, and I put it into a quarantine 
folder for 5 <= score < 10.

In my experience, the _VAST_ Majority of messages that Botnet flags are 
"probably spam" (actually, the vast majority ARE spam).  That fits your 
own philosophy of the 5-10 range.

The number of messages that get flagged by Botnet but aren't spam is, in 
my observation across a few sites, less than one tenth of one percent.


No offense taken.  I just think your opinion is self-contradictory.  The 
only thing that isn't contradicted by your statement is that you think 
it shouldn't all rest in one test.  Yet, there are plenty of anti-spam 
mechanisms that do just fine putting it all in one test (using RBL's at 
the MTA level, Greylisting, Greet-Pause, etc.).  Botnet is just another 
one of those.




Re: Botnet over aggressive?

Posted by John Andersen <js...@pen.homeip.net>.
On Wednesday 04 July 2007, Alex Woick wrote:
>  One hint alone is never enough, it always
> takes some of them until a threshold (5) is crossed

Except in the case where ONE hint IS enough. 
(For some values of "hint" and some values of "enough".)

For instance, a high Razor2 score (the hint) is enough 
(IMHO) for me to tag the mail with a high enough score
to get it to the spam bin.  Any additional hints may push it
up to my instant /dev/null threshold, but high razor2 confidence
is Enough for me.


-- 
_____________________________________
John Andersen

Re: Botnet over aggressive?

Posted by Alex Woick <al...@wombaz.de>.
John Rudd wrote:

> Botnet's score of 5 is meant to say "this message should be quarantined 
> or flagged for review".  It's not saying "this message is _definitely_ 
> spam".

In my opinion, this is not quite according to the concept of 
SpamAssassin. SA has a bunch of rules that give qualified hints about 
the spamminess of a message. One hint alone is never enough, it always 
takes some of them until a threshold (5) is crossed and above that the 
message is considered spam. The more hints, the higher the spamminess. 
This works so well that I trust the hints if the score is above 10. 
These messages end up in a very seldom accessed "sure spam" folder 
that is auto-purged. Messages from 5 to 10 get moved to a "probably 
spam" folder that I inspect once a week perhaps. But I always consider 
these messages as spam with a solitary false positive that slips there.
The philosophy behind SA suggests this approach, in my opinion.

Botnet doesn't fit this philosophy - its score is way too high and the 
false positive probability is also too high to justify that a message is 
condemned as spam on one single rule. In my opinion, its default 
configuration should be according to SA defaults, so its score should be 
something between 1.5 and 3. If the message is spam, other rules most 
certainly also hit and push it above 5. If the message is ham, no harm 
is done and it is not denounced as spam.

No offense meant - only my point of view.

Re: Botnet over aggressive?

Posted by John Rudd <jr...@ucsc.edu>.
Cliff Stanford wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Michele Neylon :: Blacknight wrote:
> 
>> This is one of the reasons why using SA is so cool - you can customise 
>> it to suit your needs!
> 
> Thanks all for all your most helpful responses.
> 
> I have edited the Botnet.cf file to reduce the score, for the time
> being.  But is this the right way to do it or should I be creating
> another file somewhere?
> 
> Regards,
> Cliff.

That's the intended way to do it.

Re: Botnet over aggressive?

Posted by "Michele Neylon :: Blacknight" <mi...@blacknight.ie>.
Cliff Stanford wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Michele Neylon :: Blacknight wrote:
> 
>> This is one of the reasons why using SA is so cool - you can customise 
>> it to suit your needs!
> 
> Thanks all for all your most helpful responses.
> 
> I have edited the Botnet.cf file to reduce the score, for the time
> being.  But is this the right way to do it or should I be creating
> another file somewhere?
> 

It's a custom addon / ruleset, so that would be the correct place to 
customise in my view.

Michele


Re: Botnet over aggressive?

Posted by Cliff Stanford <cl...@may.be>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michele Neylon :: Blacknight wrote:

> This is one of the reasons why using SA is so cool - you can customise 
> it to suit your needs!

Thanks all for all your most helpful responses.

I have edited the Botnet.cf file to reduce the score, for the time
being.  But is this the right way to do it or should I be creating
another file somewhere?

Regards,
Cliff.

- --
Cliff Stanford
Might Limited                           +44 845 0045 666 (Office)
Suite 67, Dorset House                  +44 7973 616 666 (Mobile)
Duke Street, Chelmsford, CM1 1TB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGi8vdfNTx9pWyKfwRAivkAJ9E4PCc1rBYugydN5vbk7n9GYm5uQCcCmcq
9pwZpEDD0oB10bU6V9B1ZfQ=
=1DM7
-----END PGP SIGNATURE-----


Re: Botnet over aggressive?

Posted by "Michele Neylon :: Blacknight" <mi...@blacknight.ie>.
My take on botnet scoring, like that of any "custom" rule is that I can 
change the scoring to suit my requirements.

Considering the kind of users we deal with adding in the "default" 
scores would have caused a lot of headaches, so I actually tested it 
with scores of 0 on all to see how many hits they were getting.

This is one of the reasons why using SA is so cool - you can customise 
it to suit your needs!

Regards

Michele


-- 
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
Park,Sleaty Road,Graiguecullen,Carlow,Ireland  Company No.: 370845

Re: Botnet over aggressive?

Posted by John Rudd <jr...@ucsc.edu>.
René Berber wrote:
> John Rudd wrote:
> 
>> Botnet's score of 5 is meant to say "this message should be quarantined
>> or flagged for review".  It's not saying "this message is _definitely_
>> spam".[snip]
> 
> The trouble is redundancy in scores, the BOTNET score is usually just the start
> of a HELO_DYNAMIC_DHCP,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR plus RDNS_DYNAMIC or
> RDNS_NONE and RCVD_IN_PBL,RCVD_IN_SORB ... long list.
> 
> So, unless one disables the redundant scores, the other option is to lower the
> BOTNET score.  The first procedure is better but needs more work (which ones are
> the redundant rules?), the second procedure is easy and that's why most of us
> use it.


There's a couple things that come to mind here:

1) I have no problem with people lowering BOTNET's score.  Different 
people have different concepts of what a "score of 5+" means (definitely 
spam, quarantine as suspicious, etc.).  Set it at whatever score works 
for you.

2) I think if you're getting hits on LOTS of overlapping rule concepts, 
then the problem isn't with the individual rule's score.  It's something 
else (it's really spam? the sender site is mismanaged in one way or 
another? etc.).

3) overlapping rule concepts aren't a bad thing.  They each use a 
different technique, and some will catch ones that the others 
don't.  For example, I expect that PBL catches a TON of stuff that 
Botnet also catches.  But there will be some that PBL catches that 
Botnet won't, and perhaps vice versa.  So, I wouldn't eliminate either one.





Re: Botnet over aggressive?

Posted by René Berber <r....@computer.org>.
John Rudd wrote:

> Botnet's score of 5 is meant to say "this message should be quarantined
> or flagged for review".  It's not saying "this message is _definitely_
> spam".[snip]

The trouble is redundancy in scores, the BOTNET score is usually just the start
of a HELO_DYNAMIC_DHCP,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR plus RDNS_DYNAMIC or
RDNS_NONE and RCVD_IN_PBL,RCVD_IN_SORB ... long list.

So, unless one disables the redundant scores, the other option is to lower the
BOTNET score.  The first procedure is better but needs more work (which ones are
the redundant rules?), the second procedure is easy and that's why most of us
use it.
-- 
René Berber


Re: Botnet over aggressive?

Posted by John Rudd <jr...@ucsc.edu>.

Botnet's score of 5 is meant to say "this message should be quarantined 
or flagged for review".  It's not saying "this message is _definitely_ 
spam".

Lots of people lower its score to something like 2-3 if they feel it's 
too aggressive.  I keep it at a 5, and have VERY FEW false positives. 
When I encounter those, I:

1) send email to the postmaster/abuse/hostmaster of the sending mail 
domain and sending server (via whois on the IP address), and tell them 
that they have a DNS problem

2) whitelist the sending IP address

And then move on.


Cliff Stanford wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I'm still a bit vague on how the SpamAssassin rules fit together but
> I've noticed that, since upgrading to the latest version, I'm getting a
> lot of false positives.
> 
> The common cause seems to be Botnet.cf.  Where a server has no reverse
> DNS, BOTNET_NORDNS scores it as 0.01 but BOTNET adds 5.0 to that.  In
> addition, RDNS_NONE is adding 0.1 so every mail that lacks reverse dns
> is getting a minimum of 5.1.
> 
> Is this intended behaviour?
> 
> Regards,
> Cliff.
> - --
> Cliff Stanford
> Might Limited                           +44 845 0045 666 (Office)
> Suite 67, Dorset House                  +44 7973 616 666 (Mobile)
> Duke Street, Chelmsford, CM1 1TB
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFGil+XfNTx9pWyKfwRAmC8AJ45pI4cAdwZb1z+PcYOBDO0nMbiIgCfY0Ac
> NCcY+rXss72dEeylJAbmLdA=
> =i67i
> -----END PGP SIGNATURE-----
> 

Re: Botnet over aggressive?

Posted by Daniel J McDonald <da...@austinenergy.com>.
On Tue, 2007-07-03 at 16:39 +0200, Cliff Stanford wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I'm still a bit vague on how the SpamAssassin rules fit together but
> I've noticed that, since upgrading to the latest version, I'm getting a
> lot of false positives.
> 
> The common cause seems to be Botnet.cf. 

Botnet is very aggressive by default.  Combining it with p0f it is
almost useful.  Setting up p0f support is a non-trivial exercise, for
which there are good articles in the archives that would explain it much
better than I could do here.

My rules are:

meta  BOTNET_WXP    !DKIM_VERIFIED && !DK_VERIFIED && L_P0F_WXP && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_WXP    3.2

meta  BOTNET_W      !DKIM_VERIFIED && !DK_VERIFIED && (L_P0F_W || L_P0F_UNKN) && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_W      2.0

meta  BOTNET_OTHER  !BOTNET_W && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_OTHER  0.5

I'm still getting a trickle of false positives, but that seems to be
much more realistic than 5 for everything.
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
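Editor's added example, not part of the thread and not SpamAssassin's or Botnet.cf's own code: a small Python model of the arithmetic the whole thread argues about. It sums per-rule scores the way SpamAssassin does, evaluates `meta` expressions with Perl's operator precedence, and lets a later `score` line override an earlier one, which is how a later-loaded .cf file overrides Botnet.cf (the alternative Cliff asked about). The 0.01 / 5.0 / 0.1 figures for BOTNET_NORDNS, BOTNET and RDNS_NONE and Daniel McDonald's three metas are taken from the thread; the stand-in BOTNET meta expression, the BOTNET_CLIENT score, the p0f rule scores, the `score BOTNET 0` override and the hit sets are assumptions made for the demonstration. The expression evaluator is a toy that accepts only the operators SA metas use, not SpamAssassin's parser.

```python
"""Toy model of SpamAssassin score totals and meta rules (added example, not SA's own code)."""
import operator as op
import re

TOKEN_RE = re.compile(r"\d+(?:\.\d+)?|[A-Za-z_]\w*|&&|\|\||>=|<=|==|[!+<>()]")
LEVELS = (("||",), ("&&",), (">", "<", ">=", "<=", "=="), ("+",))  # lowest precedence first
APPLY = {"||": lambda a, b: int(bool(a) or bool(b)), "&&": lambda a, b: int(bool(a) and bool(b)),
         ">": op.gt, "<": op.lt, ">=": op.ge, "<=": op.le, "==": op.eq, "+": op.add}

def evaluate_meta(tokens, lookup):
    """Recursive-descent evaluation of one meta expression; lookup(name) is 1 if that rule hit."""
    pos = 0
    def take(*ops):  # consume and return the next token, if there is one and it is in ops
        nonlocal pos
        if pos < len(tokens) and (not ops or tokens[pos] in ops):
            pos += 1
            return tokens[pos - 1]
    def binary(level):  # left-associative chain of the operators at this precedence level
        if level == len(LEVELS):
            return unary()
        value = binary(level + 1)
        while o := take(*LEVELS[level]):
            value = APPLY[o](value, binary(level + 1))
        return value
    def unary():  # '!' expr, '(' expr ')', a number, or a rule name
        if take("!"):
            return int(not unary())
        if take("("):
            value = binary(0)
            if not take(")"):
                raise ValueError("missing ')' in meta expression")
            return value
        tok = take()
        if not tok or not (tok[0].isalnum() or tok[0] == "_"):
            raise ValueError(f"bad meta expression near {tok!r}")
        return float(tok) if tok[0].isdigit() else lookup(tok)
    value = binary(0)
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in meta expression: {tokens[pos:]}")
    return value

def load_rules(text, rules=None):
    """Read score/meta lines (other directives ignored); a later line for the same name wins."""
    rules = rules if rules is not None else {"scores": {}, "metas": {}}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 2)
        if len(parts) == 3 and parts[0] == "score":
            rules["scores"][parts[1]] = float(parts[2].split()[0])  # first of SA's up-to-four scores
        elif len(parts) == 3 and parts[0] == "meta":
            toks = TOKEN_RE.findall(parts[2])
            if "".join(toks) != "".join(parts[2].split()):  # reject syntax the grammar lacks
                raise ValueError(f"unsupported meta expression: {parts[2]!r}")
            rules["metas"][parts[1]] = toks
    return rules

def evaluate(rules, hits):
    """hits = names of the non-meta rules that matched; returns (total, {fired rule: score})."""
    cache = {}
    def value(name):  # 1 if the rule hit (metas evaluated on demand and memoised), else 0
        if name not in cache:
            cache[name] = (int(bool(evaluate_meta(rules["metas"][name], value)))
                           if name in rules["metas"] else int(name in hits))
        return cache[name]
    fired = [n for n in sorted(set(hits) | set(rules["metas"])) if value(n)]
    # Score 0 disables a rule (a meta may still read it); no score line means 1.0, as in SA.
    breakdown = {n: rules["scores"].get(n, 1.0) for n in fired if rules["scores"].get(n, 1.0)}
    return round(sum(breakdown.values()), 3), breakdown

# Constructed stand-in for Botnet.cf plus the stock RDNS_NONE line: the 0.01, 5.0 and 0.1
# figures are the ones quoted in the thread; the BOTNET meta and BOTNET_CLIENT score are assumed.
BOTNET_CF = """
score BOTNET_CLIENT 0.01
score BOTNET_NORDNS 0.01
meta  BOTNET BOTNET_CLIENT && (BOTNET_NORDNS || BOTNET_BADDNS)
score BOTNET 5.0
score RDNS_NONE 0.1
"""
# Daniel McDonald's three metas from the thread, one per line, plus assumed informational
# p0f scores and an assumed `score BOTNET 0` so that only his metas carry weight.
LOCAL_CF = """
score L_P0F_WXP 0.01
score L_P0F_W 0.01
score L_P0F_UNKN 0.01
score BOTNET 0
meta  BOTNET_WXP !DKIM_VERIFIED && !DK_VERIFIED && L_P0F_WXP && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_WXP 3.2
meta  BOTNET_W !DKIM_VERIFIED && !DK_VERIFIED && (L_P0F_W || L_P0F_UNKN) && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_W 2.0
meta  BOTNET_OTHER !BOTNET_W && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_OTHER 0.5
"""
NO_RDNS_CLIENT = {"BOTNET_CLIENT", "BOTNET_NORDNS", "RDNS_NONE"}  # constructed hit set

def stock_score():  # Cliff's case: Botnet.cf as shipped, a sending host with no reverse DNS
    return evaluate(load_rules(BOTNET_CF), NO_RDNS_CLIENT)

def tuned_score(p0f_rule):  # Daniel's case: the same host plus whichever p0f OS rule matched
    return evaluate(load_rules(LOCAL_CF, load_rules(BOTNET_CF)), NO_RDNS_CLIENT | {p0f_rule})
```

With the assumed scores, `stock_score()` puts the no-rDNS host at 5.12 on the strength of the single BOTNET meta, which is the "minimum of 5.1" Cliff reports once the small sub-rule scores are added in. `tuned_score("L_P0F_WXP")` gives 3.83 and `tuned_score("L_P0F_UNKN")` gives 2.13. The model also makes René's stacking point visible: because BOTNET_OTHER as posted excludes only BOTNET_W, a p0f Windows XP hit fires both BOTNET_WXP and BOTNET_OTHER and their scores add, while the Botnet sub-rules and RDNS_NONE contribute on top of whichever meta fires.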