We also keep track of the blocking history of the sending IP if inbound or real user if outbound, and scale the time we block up for repeat senders as well as becoming more sensitive.
Like this:
If a user who we have not blocked in the last 30 days starts sending high spam score messages they could send a fair number before we block them, and the initial block might be for 15 minutes (we are still playing with this figure). After they are unblocked they start again, we erspond faster and block for one hour. After the third block in one day we are hitting them on the FIRST message...so nothing is going out.
But it is self-healing - they wait an hour and send a normal message it goes right out.
We are also working on improving the message we send to the infected user when they are our email user - let them know it is likely a worm, include links to free scanners etc.
----- Original Message ----- From: "Les Mikesell" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, February 18, 2005 12:55 AM
Subject: Re: [Mimedefang] Scary... Filtering on the outbound.
On Thu, 2005-02-17 at 21:47, John Scully wrote:
A sub could send a few emails scoring anything (could be a personal
porn-o-gram to someone :) but the higher the number of messages the lower
the average score can be to trigger blocking. Rate of transmission also
weights the decision - sending 100 in a few minutes is treated like sending
1,000 over a longer time.
Are you looking at the number of recipient addresses or the number of messages for this test? Or does the current crop of spam-worms generally send a message per recipient?
-- Les Mikesell [EMAIL PROTECTED]
_______________________________________________ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [email protected] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
This message scanned for viruses by Lifegiver.net For more information on our filtered email and dial up internet service please visit http://www.lifegiver.net
_______________________________________________ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [email protected] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
