Re: SpamAssassin-Milter accuracy...

2005-01-05 Thread Louis LeBlanc
On 01/04/05 08:59 PM, Ted Mittelstaedt sat at the `puter and typed:
 
  SNIP
 
 The only problem with doing this is that you have to completely
 receive the e-mail message before SA can check it against the
 blacklists.
 
 We do the blacklist checks at the MTA level and turn them off in SA.
 As a result the e-mail is never accepted by the server if it's in a
 blacklist.  As a result of that if the spam is coming from a
 compromised mailserver then that mailserver will just requeue the
 message.  And with everyone on the Internet doing this, it will make
 the compromised mailserver melt down immediately, which will punish
 the admin of it for running an open mailserver in the first place.

Whether this is the Right Thing To Do may be debatable, but I think
you leave yourself open to rejecting legitimate email on the word of
an overzealous blacklister.  I read somewhere recently that some lists
had been known to blacklist servers simply because their admin was
critical of their listing criteria.  This is third hand, of course,
but you have to accept that blacklists have been compiled with very
objective criteria, and usually by overzealous anti-spammers.  Even
those that have automated criteria often rely on unconfirmed reports
to blacklist an IP.

Believe me, I'm all for thumping the spammers - and I mean hard.  I
was giddy when I read the story on the little ISP that was awarded $1
Billion from a spammer that kept their network on its knees for
months.  Still, it's probably not a good thing to run over innocent
pedestrians to get them.  I know an open relay isn't necessarily an
innocent pedestrian - more like a careless admin, but they're still
being victimized by the spammer too.

Not to say you shouldn't reject spam, but there are more reliable
ways, like amavis-new, which will check the message through
SpamAssassin, and reject it at the MTA if the threshold is high
enough.

It may be a little more load on your MTA, but you're rejecting email
because it's spam, not because someone has blackballed the originator.
That message still gets requeued on the relay, so the effect is still
an overloaded server.

I tried Amavis-new for SA checks at one point, and it works very
nicely.  I turned the spam checking off because I didn't like that it
was using global configs and preferences - I prefer per-user settings
because my mother and wife are signed up for mailings that set off a
lot of SA flags.  My Bayes DB is much better trained than theirs,
and I've got my threshold much lower (I use 2.0 with maybe 1 FP   20
FNs per 100,000 messages).  Not to say you can't rescan, or just
resort based on the score assigned through amavisd, but I'm more
inclined to put it aside and make darn sure it's spam myself.  So
Amavis scans email through the virus tools and leaves Spam checking to
Procmail and SA.

  I do use the blackholes (check http://blackholes.us) at the MTA,
  since rejecting mail outright from Asian (and a few African)
  countries has reduced my spam intake by about 80%, without
  reducing my legitimate mail by a single message.  Since I'm not
  running a service for other people, and I carefully choose the
  blackhole domains I use, it's not a problem for me.  Of course,
  that may not be an option for you.  Someday I'll stop this
  practice, but for now some of my doors are just plain closed.
 
 
 We don't use blackholes.us although I'll take a look at it.  About
 50% of our incoming spam is blocked by the blacklist servers we do
 use.

I like the blackholes.  They have the upside of qualifying simply by
their country of origin.  They also have the downside of qualifying
simply because of their country of origin.  If you use them, you can
be fairly certain that you are only refusing connections - all
connections - from the country you intended.  The criteria are much
more concrete than the blacklists, and the lists are much more stable.

As I mentioned, I don't have acquaintances and don't do business with
anyone in Asia, so I feel fine simply not accepting email from the
biggest source of my spam.  When I turned them back on with my new
server, my spam instantly went down by 75%.  That's after using them
on my domains for over 2 years, and running my new server without them
for a few weeks.  Had I kept them off longer, I have no doubt the
stream would have increased - when I turned them on 2 years ago, my
spam went down by almost 95% in a matter of minutes, and over the
years the stream of rejects has diminished slowly.

Lou
-- 
Louis LeBlanc   [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

White dwarf seeks red giant for binary relationship.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: SpamAssassin-Milter accuracy...

2005-01-04 Thread Matthias Buelow
Louis LeBlanc wrote:
Use with care.  Some spam rbls are overly zealous, and often block out
whole netblocks just because one IP has been reported as an offender.
And all dialup networks.  Which can lead to the bizarre situation that 
if you're relaying through your mail server from a dialup IP, and mail 
goes thru SA, you'll get a high score.  There're several ways to prevent 
this from happening, of course, for example, to run an extra smtpd on a 
nonstandard port that doesn't push mails through SpamAssassin, or just 
to disable the damn RBL stuff in the SA config (I did both, greylisting 
is more effective than the suspicious RBL stuff anyways).


Re: SpamAssassin-Milter accuracy...

2005-01-04 Thread Louis LeBlanc
On 01/04/05 05:17 PM, Matthias Buelow sat at the `puter and typed:
 Louis LeBlanc wrote:
 
  Use with care.  Some spam rbls are overly zealous, and often block out
  whole netblocks just because one IP has been reported as an offender.
 
 And all dialup networks.  Which can lead to the bizarre situation that 
 if you're relaying through your mail server from a dialup IP, and mail 
 goes thru SA, you'll get a high score.  There're several ways to prevent 
 this from happening, of course, for example, to run an extra smtpd on a 
 nonstandard port that doesn't push mails through SpamAssassin, or just 
 to disable the damn RBL stuff in the SA config (I did both, greylisting 
 is more effective than the suspicious RBL stuff anyways).

This includes most dynamically allocated IP blocks.  The only way to
avoid getting tagged and/or outright rejected by some networks is to
relay through the ISPs relay.

It's because of this that I don't use the spamblock RBLs at the MTA
level.  SA works almost perfectly with its own clearing house checks
(NJABL, SORBS, SPAMCOP, etc.) and modifies the score for each.  I've
dug up some recipes that will further compound scores for multiple of
these clearing houses too, so you get bonus points for getting
reported to 3 or more :)

I do use the blackholes (check http://blackholes.us) at the MTA, since
rejecting mail outright from Asian (and a few African) countries has
reduced my spam intake by about 80%, without reducing my legitimate
mail by a single message.  Since I'm not running a service for other
people, and I carefully choose the blackhole domains I use, it's not a
problem for me.  Of course, that may not be an option for you.
Someday I'll stop this practice, but for now some of my doors are just
plain closed.

Lou
-- 
Louis LeBlanc   [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

Volley Theory:
  It is better to have lobbed and lost than never to have lobbed at all.
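
Added example, not part of the original post and not SpamAssassin code: a small offline model of the two policies compared in this thread, rejecting at the MTA on any single blacklist hit versus adding a score per listing with a bonus at 3 or more. The zone names, per-list scores, bonus, threshold and listing data are all constructed assumptions; `fake_lookup` stands in for a real DNS query.

```python
import ipaddress

# Constructed zone names and per-list scores (assumptions, not SpamAssassin's values).
LISTS = {"njabl.example": 1.5, "sorbs.example": 1.5, "spamcop.example": 1.5}
# Constructed listing data standing in for DNS answers, keyed by query name.
LISTED = {
    "10.2.0.192.sorbs.example",      # dial-up address, present on one list only
    "7.100.51.198.njabl.example",    # relay reported to all three lists
    "7.100.51.198.sorbs.example",
    "7.100.51.198.spamcop.example",
}
THRESHOLD = 5.0  # constructed spam threshold

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def fake_lookup(name):
    """Offline stand-in for a DNS A query; True means the name resolved (listed)."""
    return name in LISTED

def hits(ip, lookup=fake_lookup):
    """Return the zones that list this address."""
    return [zone for zone in LISTS if lookup(dnsbl_query_name(ip, zone))]

def mta_rejects(ip, lookup=fake_lookup):
    """Hard policy: refuse the connection if any single list has the address."""
    return bool(hits(ip, lookup))

def content_score(ip, base_score, lookup=fake_lookup, bonus_at=3, bonus=2.0):
    """Scoring policy: each listing adds points; 3 or more listings add a bonus."""
    found = hits(ip, lookup)
    score = base_score + sum(LISTS[zone] for zone in found)
    if len(found) >= bonus_at:
        score += bonus
    return score

def compare(ip, base_score):
    """Show what each policy does with the same sender and content score."""
    score = content_score(ip, base_score)
    return {"mta_rejects": mta_rejects(ip), "score": score, "tagged": score >= THRESHOLD}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.9"):
        print(ip, compare(ip, 0.5))
```

The dial-up sender on a single list is refused outright by the hard policy but stays well under the threshold when the listing only contributes to a score.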


RE: SpamAssassin-Milter accuracy...

2005-01-04 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Louis LeBlanc
 Sent: Tuesday, January 04, 2005 9:09 AM
 To: freebsd-questions@freebsd.org
 Subject: Re: SpamAssassin-Milter accuracy...


 On 01/04/05 05:17 PM, Matthias Buelow sat at the `puter and typed:
  Louis LeBlanc wrote:
 
   Use with care.  Some spam rbls are overly zealous, and often block out
   whole netblocks just because one IP has been reported as an offender.
 
  And all dialup networks.  Which can lead to the bizarre situation that
  if you're relaying through your mail server from a dialup IP, and mail
  goes thru SA, you'll get a high score.  There're several ways to prevent
  this from happening, of course, for example, to run an extra smtpd on a
  nonstandard port that doesn't push mails through SpamAssassin, or just
  to disable the damn RBL stuff in the SA config (I did both, greylisting
  is more effective than the suspicious RBL stuff anyways).

 This includes most dynamically allocated IP blocks.  The only way to
 avoid getting tagged and/or outright rejected by some networks is to
 relay through the ISPs relay.

 It's because of this that I don't use the spamblock RBLs at the MTA
 level.  SA works almost perfectly with its own clearing house checks
 (NJABL, SORBS, SPAMCOP, etc.) and modifies the score for each.  I've
 dug up some recipes that will further compound scores for multiple of
 these clearing houses too, so you get bonus points for getting
 reported to 3 or more :)


The only problem with doing this is that you have to completely receive
the e-mail message before SA can check it against the blacklists.

We do the blacklist checks at the MTA level and turn them off in SA.  As
a result the e-mail is never accepted by the server if it's in a blacklist.
As a result of that if the spam is coming from a compromised mailserver then
that mailserver will just requeue the message.  And with everyone on the
Internet doing this, it will make the compromised mailserver melt down
immediately, which will punish the admin of it for running an open mailserver
in the first place.

 I do use the blackholes (check http://blackholes.us) at the MTA, since
 rejecting mail outright from Asian (and a few African) countries has
 reduced my spam intake by about 80%, without reducing my legitimate
 mail by a single message.  Since I'm not running a service for other
 people, and I carefully choose the blackhole domains I use, it's not a
 problem for me.  Of course, that may not be an option for you.
 Someday I'll stop this practice, but for now some of my doors are just
 plain closed.


We don't use blackholes.us although I'll take a look at it.  About 50% of
our incoming spam is blocked by the blacklist servers we do use.

Ted



SpamAssassin-Milter accuracy...

2005-01-03 Thread Eric F Crist
Hello list,
I recently had to rebuild my server (bad surge protector, all hardware 
died).  I've reinstalled spamass-milter from ports, but I don't 
remember what I put in my old local.cf file for it to work so well 
before.  I've pretty much got the base config file.  Can some of you 
share your local.cf files with me, so I can figure out what I'm 
missing?  I used to have maybe one or two emails get through a day, now 
I'm getting about 20-30 getting through spamassassin, of those, 15-20 
are being caught by Apple's Mail.app.

Thanks.
___
Eric F Crist  I am so smart, S.M.R.T!
Secure Computing Networks  -Homer J Simpson




Re: SpamAssassin-Milter accuracy...

2005-01-03 Thread Martin Hepworth
Eric

you'll prob need to retrain the bayes filters ( or a good starter at
www.fsl.com/support).

also a lot of rules from the www.rulesemporium.com/rules.html can be useful.

Might want to look at some of the RBLs and esp the URI rbl provided
by surbl.org and built into SA3.x

Could ask on the sa-user list

and backup the config:-)

--
Martin


On Mon, 3 Jan 2005 11:52:25 -0600, Eric F Crist
[EMAIL PROTECTED] wrote:
 Hello list,
 
 I recently had to rebuild my server (bad surge protector, all hardware
 died).  I've reinstalled spamass-milter from ports, but I don't
 remember what I put in my old local.cf file for it to work so well
 before.  I've pretty much got the base config file.  Can some of you
 share your local.cf files with me, so I can figure out what I'm
 missing?  I used to have maybe one or two emails get through a day, now
 I'm getting about 20-30 getting through spamassassin, of those, 15-20
 are being caught by Apple's Mail.app.
 
 Thanks.
 
 ___
 Eric F Crist  I am so smart, S.M.R.T!
 Secure Computing Networks  -Homer J Simpson
 
 



Re: SpamAssassin-Milter accuracy...

2005-01-03 Thread Louis LeBlanc
On 01/03/05 08:34 PM, Martin Hepworth sat at the `puter and typed:
 Eric
 
 you'll prob need to retrain the bayes filters ( or a good starter at
 www.fsl.com/support).
 
 also a lot of rules from the www.rulesemporium.com/rules.html can be useful.

I believe that's actually www.rulesemporium.com/rules.htm - the .html
is 404.

 Might want to look at some of the RBLs and esp the URI rbl provided
 by surbl.org and built into SA3.x

Use with care.  Some spam rbls are overly zealous, and often block out
whole netblocks just because one IP has been reported as an offender.

 Could ask on the sa-user list

You have to subscribe - the list is now closed because the nature of
the traffic necessitates piping the list mail around SA.  Because of
this, spammers always knew they could get by spamassassin by sending
to the list.

 and backup the config:-)

Definitely.  And you might also want to keep a spam sampler around
for just such a case.  This can be used to get your bayes learner back
up to speed a little quicker.  IIRC, the bayes learner needs a minimum
number of messages to learn from before it will kick in and start
working.

Lou
-- 
Louis LeBlanc   [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

Hlade's Law:
  If you have a difficult task, give it to a lazy person --
  they will find an easier way to do it.