----- Original Message -----
From: "Michael Sims" <[EMAIL PROTECTED]>
To: "Mark" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, May 30, 2003 3:31 AM
Subject: Re: [SAtalk] Maillog analysis

> Quoting Mark <[EMAIL PROTECTED]>:
>
> > "Look at SMTP connections, and consider all IP addresses spam that, in
> > one session, deliver to 4 or more local recipients simultaneously."
>
> This gave me a good idea for a test I could run in MIMEDefang. I have a
> small wrapper in my mimedefang-filter around the spam assassin check, and
> I run custom tests and alter the SA score based on these tests. I'm trying
> out your theory and for now just copying any message that comes from an
> external relay that is addressed to more than 10 recipients at once. I'm
> going to see what kind of stuff I catch. My guess is it will be mostly
> spam, as you've said. In the end I may decide to score this test at
> 1.5-2.0.
>
> Thanks for the idea!

MIMEDefang would, indeed, be an excellent place to implement this, as, on top of spamd, it gives you a bit of extra info on the SMTP session. :)

Come to think of it, your implementation of this idea is actually a LOT better than my running a 'sec' post-process of the maillog. Because, since you run MIMEDefang as a wrapper around the spamd process, "whitelisting" is now simply done within the same spamd process (and does not require an external correction, as in my original set-up). All you basically do is mark the "bulkiness" (as Justin called it; good term) as suspect, and give it a score amidst other scores. So, thanks for the idea! :)

- Mark

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
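
Added example, not part of the original messages and not either poster's code: the recipient-count ("bulkiness") test from the thread, applied in Python to constructed sendmail-style maillog lines and returned as a score to be added to the other test scores. The log line layout, the local network ranges, the whitelisted relay and the choice of 1.5 (the low end of the 1.5-2.0 range mentioned above) are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sendmail-style "from=" lines (assumed format, not taken from the thread).
SAMPLE_MAILLOG = """\
May 30 03:10:01 mx sendmail[2101]: h4U1A1aa002101: from=<news@example.net>, size=4211, class=0, nrcpts=14, msgid=<a1@example.net>, proto=SMTP, daemon=MTA, relay=bulk.example.net [198.51.100.7]
May 30 03:11:17 mx sendmail[2105]: h4U1BHaa002105: from=<bob@example.org>, size=1830, class=0, nrcpts=2, msgid=<b2@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [203.0.113.20]
May 30 03:12:40 mx sendmail[2110]: h4U1Ceaa002110: from=<list@example.com>, size=9120, class=0, nrcpts=25, msgid=<c3@example.com>, proto=ESMTP, daemon=MTA, relay=lists.example.com [192.0.2.44]
May 30 03:13:02 mx sendmail[2114]: h4U1D2aa002114: from=<staff@internal.example>, size=700, class=0, nrcpts=30, msgid=<d4@internal.example>, proto=ESMTP, daemon=MTA, relay=ws12.internal.example [10.1.2.3]
"""

# Queue id, recipient count and relay IP from one "from=" log line.
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<[^>]*>.*?"
    r"nrcpts=(?P<nrcpts>\d+).*?relay=.*?\[(?P<ip>[0-9a-fA-F.:]+)\]"
)

# Hypothetical site settings (assumptions for this example).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]
WHITELISTED_RELAYS = {"192.0.2.44"}   # e.g. a known mailing-list host
RCPT_THRESHOLD = 10                   # "more than 10 recipients at once"
BULK_SCORE = 1.5                      # low end of the 1.5-2.0 range in the thread


def is_external(ip):
    """True when the relay is outside the site's own networks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def bulkiness_score(nrcpts, relay_ip):
    """Score to add to the other test scores; 0.0 when the test does not fire."""
    if not is_external(relay_ip) or relay_ip in WHITELISTED_RELAYS:
        return 0.0
    return BULK_SCORE if nrcpts > RCPT_THRESHOLD else 0.0


def analyse(maillog):
    """Map each queue id found in the log text to its bulkiness score."""
    results = {}
    for line in maillog.splitlines():
        m = FROM_LINE.search(line)
        if m:
            results[m["qid"]] = bulkiness_score(int(m["nrcpts"]), m["ip"])
    return results


if __name__ == "__main__":
    for qid, score in analyse(SAMPLE_MAILLOG).items():
        print(qid, score)
```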