I've noticed that my Relay counts have definitely been on the downturn. It doesn't seem to be the spammer's weapon of choice anymore. Maybe you shouldn't be worried about relays as much?
The goal of my three tests is mostly to counteract one false positive possibly from Message Sniffer. In general they are good e-mails, with some possible minor server config errors that'll send them into the tagged category with a minor hit and a Sniffer hit. Spam seen from these tests has been one questionable mail out of 3165 in May, and that was advertising university clothes, so it could go either way. One counteract could be to end the tests on a relay test hit, a DYNA hit, probably not an ALL hit.

Looking at my June numbers to see about items that hit relays (AHBL, ORDB, NJABL, SORBS):
- 23 good e-mails (most from an .edu that got credit on my edu filter and failed the ordb-all test)
- 2 that landed in hold (288 and 294 points, oh so close to that 300 delete)
- 462 that were deleted

Looking at these numbers, relay spam detection is doing very well, at least from known relays. Sometimes I've wondered if a number-of-hops variable would be good to have for filters. If it came to my server from a .gov in one hop, I'd be more tempted to believe it.

The DNS mailfrombl / IP list sounds like it is the safest whitelisting technique, but it also sounds like a lot of work to maintain. New hires, people leaving, new e-mail addresses: lots of changes, lots of work. Even maintaining the IP list can be work. I've changed ISPs three times in five years, each time thinking how much lower can the price go. I'd love to be out of the maintaining black/white lists mode.

As for semi-trusted domains, I go back to the thought that you aren't going to whitelist them; you only really need to credit them enough points to get them past one potential false positive. If it fails a chunk of tests as SPAM, that credited weight won't really make much of a difference. For me it ends up in hold for a week instead of being deleted, not preferred but livable. I don't know if you can go trusting gov agencies / universities to not be a relay. I get plenty of gov mail that has no reverse DNS.
A pretty basic thing there. I've often wondered what to whitelist myself. I currently only whitelist the mailing lists that I belong to. I know increasing the whitelist amount would help the server. I've even pondered asking the question what to whitelist on the mailing list.

I do a fair amount of crediting mail some points. I credit on revdns, subject, body and, if I have to, mailfrom for terms or products that directly apply to my company. Surprisingly the subject and body work pretty well. The revdns needs occasional tweaking and the mailfrom is almost under constant surveillance (but it is the least credit points).

One technique I do use is I've created a filter-bypass filter. This has tests that are most likely to be close (very close) to 100% non-spam. I have bonded-sender, my subject, body, and revdns credit filters, your size filters for larger e-mails, and various friendly companies (usually revdns). I then put a TESTSFAILED END CONTAINS FILTER-BYPASS in the filters that I really don't want to run for these more-trusted e-mails. Mostly these are the body filters. I only need to maintain this list in one area. I used to do END statements in all of my filters and updating them was a pain. Now one statement ends across all of the body filters (while most, virus hoax, phish and malware filters always get run).

Sorry I'm rambling...

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 06/04/04 04:22PM >>>
Scott,

This goes along the lines of something that I have been wondering about recently: trying to find a pseudo-whitelisting method that isn't likely to be exploited. The issue that I primarily find is that some open relays are that way because they will accept any local Mail From and relay for it; in fact this is the most common open-relay-creating mistake that IMail users have. This means that when such a relay is being exploited, they are using an address from the same machine to send their spam.

So for instance if mx1.mailpure.com was an open relay set to accept all local addresses, someone could send out spam as [EMAIL PROTECTED]. This seems to make the idea of trusting a combination of HELO, MAILFROM, REVDNS and REMOTEIP insecure, or unworthy of credit, because all of these things would look exactly the same when being used legitimately as opposed to when it is being exploited. I wouldn't argue that it isn't worth a small percentage of credit, but I'm thinking right now that I can't whitelist this way. I am however unsure about how common such things are, i.e. how often open relays are exploited with local Mail Froms. Any hints to the answer would be appreciated.

Also note that this is an issue that SPF shares, and in fact it can be worse since you can't pick and choose the systems that you are trusting. In fact, I believe that spammers may start to seek out the match for their own benefit in the future when they compromise certain systems. If SPF is successful and widely implemented, then the exploits will surely come. As things stand, static spammers are already using SPF records themselves, and that seemingly has ruined much of the value that could be provided by way of crediting a pass.

For the time being, I've started to build a DNS zone that uses not the %MAILFROM% but instead the %MAILFROMBL%, which uses the whole E-mail address but replaces the @ with a dot. I'm combining this with the IP in IP4R format (reversed dotted quad). I believe that this is worthy of whitelisting with that degree of accuracy (full E-mail plus IP), but I do very much desire a way to whitelist E-mail from semi-trusted servers. Do I go with the %MAILFROM% only (the domain in combination with the IP) and just hope that the admins never become open relays? Or maybe there's a better method?

Any thoughts?

Matt

Scott Fisher wrote:
>My company gets lots of e-mail from state agencies.
>
>Here's a filter that has been working well to credit good gov (mailfrom and revdns
>both .us).
>I set the negative weight to credit enough points to counteract one hit from a
>strong test like sbl/sniffer/spamcop.
>
>I've seen virus bounces get credit, which is why I end if testsfailed contains
>anti-av.
>
># ==========================================================
>#
># If mailfrom and revdns both end in .us, it's looking good
>#
># Then credit state abbreviations 60 points
>#
># ==========================================================
>#
># If Virus Warning don't give points
>#
>TESTSFAILED END CONTAINS ANTI-AV
>#
># End if not .us
>#
>MAILFROM END NOTENDSWITH .us
>REVDNS END NOTENDSWITH .us
>MAILFROM END IS <>
>#
># Whitelist proper states with 60 points
>#
>MINWEIGHT -60
>MAILFROM -60 ENDSWITH .al.us
>MAILFROM -60 ENDSWITH .ak.us
>MAILFROM -60 ENDSWITH .az.us
>MAILFROM -60 ENDSWITH .ar.us
>MAILFROM -60 ENDSWITH .ca.us
>MAILFROM -60 ENDSWITH .co.us
>MAILFROM -60 ENDSWITH .ct.us
>MAILFROM -60 ENDSWITH .dc.us
>MAILFROM -60 ENDSWITH .de.us
>MAILFROM -60 ENDSWITH .fl.us
>MAILFROM -60 ENDSWITH .ga.us
>MAILFROM -60 ENDSWITH .gu.us
>MAILFROM -60 ENDSWITH .hi.us
>MAILFROM -60 ENDSWITH .id.us
>MAILFROM -60 ENDSWITH .il.us
>MAILFROM -60 ENDSWITH .in.us
>MAILFROM -60 ENDSWITH .ia.us
>MAILFROM -60 ENDSWITH .ks.us
>MAILFROM -60 ENDSWITH .ky.us
>MAILFROM -60 ENDSWITH .la.us
>MAILFROM -60 ENDSWITH .me.us
>MAILFROM -60 ENDSWITH .md.us
>MAILFROM -60 ENDSWITH .ma.us
>MAILFROM -60 ENDSWITH .mi.us
>MAILFROM -60 ENDSWITH .mn.us
>MAILFROM -60 ENDSWITH .ms.us
>MAILFROM -60 ENDSWITH .mo.us
>MAILFROM -60 ENDSWITH .mt.us
>MAILFROM -60 ENDSWITH .ne.us
>MAILFROM -60 ENDSWITH .nv.us
>MAILFROM -60 ENDSWITH .nh.us
>MAILFROM -60 ENDSWITH .nj.us
>MAILFROM -60 ENDSWITH .nm.us
>MAILFROM -60 ENDSWITH .ny.us
>MAILFROM -60 ENDSWITH .nc.us
>MAILFROM -60 ENDSWITH .nd.us
>MAILFROM -60 ENDSWITH .oh.us
>MAILFROM -60 ENDSWITH .ok.us
>MAILFROM -60 ENDSWITH .or.us
>MAILFROM -60 ENDSWITH .pa.us
>MAILFROM -60 ENDSWITH .pr.us
>MAILFROM -60 ENDSWITH .ri.us
>MAILFROM -60 ENDSWITH .sc.us
>MAILFROM -60 ENDSWITH .sd.us
>MAILFROM -60 ENDSWITH .tn.us
>MAILFROM -60 ENDSWITH .tx.us
>MAILFROM -60 ENDSWITH .ut.us
>MAILFROM -60 ENDSWITH .vt.us
>MAILFROM -60 ENDSWITH .va.us
>MAILFROM -60 ENDSWITH .vi.us
>MAILFROM -60 ENDSWITH .wa.us
>MAILFROM -60 ENDSWITH .wv.us
>MAILFROM -60 ENDSWITH .wi.us
>MAILFROM -60 ENDSWITH .wy.us
>
>---
>[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
>---
>This E-mail came from the Declude.JunkMail mailing list. To
>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.JunkMail". The archives can be found
>at http://www.mail-archive.com.

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
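Added example, not code from the thread or from Declude: a small Python model of the two techniques discussed above, the quoted ".us" credit filter with its END lines and MINWEIGHT cap, and the %MAILFROMBL% plus IP4R lookup name Matt describes. The state suffix list is a subset of the posted one, the filter semantics are read from the filter as quoted, and the zone name wl.example is an assumption.

```python
# Added illustration, not Declude's own code. Models the quoted '.us' filter
# and the MAILFROMBL + IP4R whitelist zone key from the thread.
STATE_SUFFIXES = [".al.us", ".ak.us", ".il.us", ".ny.us", ".tx.us", ".wy.us"]  # subset
CREDIT = -60      # weight on each MAILFROM -60 ENDSWITH line
MINWEIGHT = -60   # the filter's MINWEIGHT cap


def us_credit(mailfrom: str, revdns: str, testsfailed: str) -> int:
    """Weight the quoted '.us' filter contributes, following its line order.

    Each END line stops the filter with no credit; MINWEIGHT caps the total.
    Semantics are assumed from the posted filter, not taken from Declude docs.
    """
    mf = mailfrom.strip().lower()
    rd = revdns.strip().lower()
    if "anti-av" in testsfailed.lower():   # TESTSFAILED END CONTAINS ANTI-AV
        return 0                           # virus bounce: no credit
    if not mf.endswith(".us"):             # MAILFROM END NOTENDSWITH .us
        return 0
    if not rd.endswith(".us"):             # REVDNS END NOTENDSWITH .us
        return 0
    if mf == "<>":                         # MAILFROM END IS <>
        return 0
    weight = sum(CREDIT for s in STATE_SUFFIXES if mf.endswith(s))
    return max(weight, MINWEIGHT)          # MINWEIGHT -60 caps the credit


def whitelist_lookup_name(mailfrom: str, remote_ip: str, zone: str) -> str:
    """DNS name Matt's whitelist zone would be queried for (zone is assumed).

    %MAILFROMBL% is the full address with '@' replaced by '.', joined to the
    remote IP in IP4R form (reversed dotted quad), so only the exact sender
    address from the exact IP matches.
    """
    local, _, domain = mailfrom.strip("<>").lower().partition("@")
    ip4r = ".".join(reversed(remote_ip.split(".")))
    return f"{local}.{domain}.{ip4r}.{zone}"


if __name__ == "__main__":
    # Constructed sample values, not real senders or addresses.
    print(us_credit("clerk@dot.state.il.us", "mail.state.il.us", ""))
    print(whitelist_lookup_name("clerk@dot.state.il.us", "192.0.2.10", "wl.example"))
```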
