> -----Original Message-----
> From: Michael Monnerie [mailto:[EMAIL PROTECTED] 
> That sounds interesting.
> 
> > Also, for us SpamAssassin is TOO LATE in the chain 95% of the time.
> > We've already greylisted most things by the time SA runs (and thus 
> > avoid the expense of SA processing if the mail is not from a 
> > reasonably functional SMTP server.)
> 

> Is SA before or after greylist?

Both.  Allow me to clarify...

> I'm not sure I understood you. You do
> - reject on some hard criteria

Yes.

> - check RBLs, SA assign scores

Not quite.  Checking RBLs and other "soft" criteria
(but NOT SA yet), greylist if matches occur.

> - if some SA hit, greylist

Yes, but only for the smaller portion of emails 
which make it this far.

For those messages that are never greylisted by 
the initial checks, or which return after greylisting
we check SA.

For those which SA scores beyond a certain threshold
(might be greater or less than actual Spam threshold)
we greylist -- but only those that have not already 
made it past greylisting due to those RBL and other
soft criteria.

The (near) full sequence is this (missing are most
of the various whitelists that will bypass a step):

Hard checks -- reject

RBL and soft checks during up to RCPT time
        greylist if suspicious

(Virus checks and illegal file attachments, 
        e.g., .pif) -- reject

SA check
        if threshold exceeded and NOT previously
        greylisted, then greylist
        (SA is bypassed for some mailing lists
        which discuss spam itself.)
      
Also there are some additional hard checks on
        subject words, charsets/encodings but these
        are only performed on messages which exceed
        a (separate) SA threshold
        Example:  If something is 30+ points spammy then
        if the charset is from Russian we don't likely
        want it, even though I, formerly, spoke a 
        little Russian and can read the charset passably.
        
If a message gets by all this and is spammy then 
drop it into one of two "spam catch accounts" for review.

        There are two such accounts, one for likely spam
        and the other for "high score" spam.  This division
        makes review much easier.

I hope that is clear -- it is difficult to state plainly
since much of this is predicated on previous tests...

--
Herb Martin
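
The sequence described in the message above, written out as an added Python example (not code from the original post or the poster's mail system). The field names, action strings, and every threshold except the "30+ points" figure are assumptions, whitelists are omitted as in the post, and the greylist store is simplified to a set with no retry delay.

```python
from dataclasses import dataclass

# Assumed thresholds: the post gives only the "30+ points" figure.
SA_GREYLIST, SA_SPAM, SA_HIGH, SA_HARD = 4.0, 5.0, 15.0, 30.0

@dataclass
class Msg:
    triplet: tuple                    # (client IP, sender, recipient)
    hard_fail: bool = False           # failed a hard check
    soft_hit: bool = False            # RBL or other "soft" criterion matched
    bad_attachment: bool = False      # virus or illegal attachment, e.g. .pif
    sa_score: float = 0.0             # SpamAssassin score
    unwanted_charset: bool = False    # extra hard check (subject/charset)
    spam_list: bool = False           # mailing list that discusses spam

def decide(msg, seen):
    """Action for one delivery attempt. `seen` holds triplets already
    deferred once; a retry from such a triplet has passed greylisting.
    (Simplified: no minimum retry delay or record expiry.)"""
    if msg.hard_fail:
        return "reject"
    returned = msg.triplet in seen
    # Cheap checks up to RCPT time: defer before paying for SA.
    if msg.soft_hit and not returned:
        seen.add(msg.triplet)
        return "defer"
    if msg.bad_attachment:
        return "reject"
    if msg.spam_list:
        return "deliver"              # SA bypassed
    # SA-triggered greylisting, only if not greylisted before.
    if msg.sa_score >= SA_GREYLIST and not returned:
        seen.add(msg.triplet)
        return "defer"
    # Extra hard checks apply only above the separate, higher threshold.
    if msg.sa_score >= SA_HARD and msg.unwanted_charset:
        return "reject"
    if msg.sa_score >= SA_HIGH:
        return "catch-high"           # "high score" spam account
    if msg.sa_score >= SA_SPAM:
        return "catch-likely"         # likely-spam account
    return "deliver"

def deliver_with_retries(msg, seen, max_tries=3):
    """Actions seen by a sender that retries after each deferral."""
    actions = []
    for _ in range(max_tries):
        actions.append(decide(msg, seen))
        if actions[-1] != "defer":
            break
    return actions
```

A message is deferred at most once on this path: either by the RCPT-time soft checks or by the SA threshold, never both.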

