John Hardin <jhar...@impsec.org> writes:
> On Fri, 19 Jun 2020, micah anderson wrote:
>
>> So, what can I do to tweak these rules to score things up more,
>> specifically the rules that provide a low false positive rate[1]. This
>> seems something that should be done programmatically, and not
>> manually. It seems like what 'masscheck' maybe does generically for all
>> rules for all installations, but can I use that to just adjust our rules
>> for our particular breed of spam that comes through?
>
> How about: analyze your spamtrap for recent source IP addresses on a
> quick schedule (hourly?) and drive a local DNSBL from IPs seen more than
> 2-3 times in the last 24-48 hours?
Interesting possibility... but if I look at the current batch that made
it through, I see:
1. amazon aws
2. gmail (amusingly saying my amazon prime membership is going to
expire)
3. mailchimp
4. yahoo.com
all of those would not be good to block :(
Its not always like that, but it does happen.
--
micah
