[Mimedefang] SNARE spam detection
David F. Skoll
dfs at roaringpenguin.com
Wed Jul 29 17:16:24 EDT 2009
> If a non-spammer happens to be co-located in a spam-friendly
> environment, I don't see how this assumption can be universally
> true. True spammers may cluster, but virtual botnets don't. Expect
> false positives here.

Yes, for sure. However, it can be useful as a Bayes token, maybe, or
as a rule adding a couple of points.

> Way WRONG. Many servers restrict ALL except that which is permitted
> (at the firewall level). Therefore, all but a handful of ports
> should appear open. Few ports open is indicative of a PROPER
> FIREWALL that employs no hostile countermeasures.

Yeah, the port scanning seemed fishy to me. It could be that
they only scan a few "well-known" bot control ports.