[Mimedefang] SNARE spam detection

David F. Skoll dfs at roaringpenguin.com
Wed Jul 29 17:16:24 EDT 2009

- wrote:

> If a non-spammer happens to be co-located in a spam-friendly
> environment, I don't see how this assumption can be universally
> true.  True spammers may cluster, but virtual botnets don't.  Expect
> false positives here.

Yes, for sure.  However, it can be useful as a Bayes token, maybe, or
as a rule adding a couple of points.


> Way WRONG.  Many servers restrict ALL except that which is permitted
> (at the firewall level).  Therefore, all but a handful of ports
> should appear open.  Few ports open is indicative of a PROPER
> FIREWALL that employs no hostile countermeasures.

Yeah, the port scanning seemed fishy to me.  It could be that
they only scan a few "well-known" bot control ports.



More information about the MIMEDefang mailing list