> On Thu, Apr 22, 2010 at 1:48 PM, Kaleb Hosie
> <kho...@spectraaluminum.com> wrote:
> > Another (more automated way) is to use the following command:
> > spamassassin -r < the_spam_message_file
>
> Thanks for that info! I think the 'automated' suggestion sounds very
> nice! When I submit it using 'SA' command, does it get routed to
> Spamhaus or SpamCop or none of the above? I am just curious how that
> works?

Plugins in SA may optionally support a "reporting" functionality, which is meant to report a spam message to the spam-detection source through it. FWIK, the stock SA distribution supplies DCC, RAZOR, PYZOR, HashCash and SpamCop plugins which may report to external engines. Each of these plugins follows its own way of reporting, such that all of them may require specific reporting directives to be configured in SA and/or require some external, introductory action (like registering with SpamCop, for example). Once you have registered with the sources, tuned their plugins and configured SA accordingly, you may use the '-r' switch to report to them.

> What exactly happens when I use the SA service to route the
> message?

SA doesn't route a message. SA analyzes it and yields a result, which is score points, on each message you pass to it.

> Does it have to get X many number of submissions before it's
> considered a known spammer?

It depends on the people who run the blacklist or hashing engine. But generally the answer is "yes".

> Secondly, what exactly do you mean by "the_spam_message_file"? How do
> I locate this?

The "the_spam_message_file" is just the file containing the full spam message (i.e.: complete with header and body). Its meaning is easy to understand for people used to managing mail servers, since often mail servers store each received message in its own file. But even as the user of a mailbox using a mailer to access it, you may probably find some way to save messages you receive to a file, which may then be reported through spamassassin.

> If I get the message in my Inbox, then I have something
> to ID it by, right?

You don't need it. Just use '-r' with the original spam message and reporting will be fine. Get the original spam message first!

> Some kind of number tagged by my system but if I
> see in my logs that this spammer is doing a dictionary attack on my
> mail server by using generic known user ID's like b...@... j...@...
> h...@...

From now on this is OT, but anyway. Often this kind of activity is not a dictionary attack, but instead an attempt to use misconfigured mail servers as spam relayers. If your mail server bounces mail addressed to nonexistent recipients, then that is your case.

> Those would all fail for unknown recipient table lookups. How would I
> then reference the spam message if there is no spam but I can clearly
> see this spammer is attempting to spam me.

As long as your mail server neither accepts nor bounces these mails, just don't do anything. There are of course ways to reject mail after it has been delivered to your SMTP server, but this is something very OT here and mileage varies a lot according to the kind of mailing system you are running. Also, it is not always considered a good practice to report messages you already rejected, because a message rejected is regarded as "not received" in the SMTP world...

> I would like to be
> proactive before the spam gets through and report them.

You may eventually filter out that specific source for some time as long as these attempts are meant to cause a DoS, instead of leveraging some bounce feature to spread spam.

> Thanks!

You're welcome, but please note these matters are quite OT here.

Giampaolo
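
A pre-flight check for the "full message, complete with header and body" requirement discussed above, as an added example that is not part of the original thread. The function names, the heuristics and the sample messages are constructed for illustration; only the `spamassassin -r` invocation comes from the thread.

```python
import email
import subprocess
import sys

# Constructed sample inputs (not taken from the thread).
FULL = (b"Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
        b"\tby mx.example.org with ESMTP; Thu, 22 Apr 2010 13:40:00 -0400\r\n"
        b"From: sender@example.net\r\n"
        b"Date: Thu, 22 Apr 2010 13:39:58 -0400\r\n"
        b"Subject: constructed sample\r\n"
        b"\r\n"
        b"Body text of the constructed sample.\r\n")
BODY_ONLY = b"Body text saved without any headers.\n"
FORWARD = (b"From: me@example.org\n"
           b"Date: Thu, 22 Apr 2010 14:00:00 -0400\n"
           b"Subject: Fwd: constructed sample\n"
           b"\n"
           b"Forwarded text.\n")


def check_original(raw):
    """Return the reasons raw does not look like a full, as-delivered message."""
    problems = []
    # Header block and body are separated by the first empty line.
    _, sep, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    if not sep or not body.strip():
        problems.append("no body after the header block")
    msg = email.message_from_bytes(raw)
    for name in ("From", "Date"):
        if msg[name] is None:
            problems.append("missing %s header" % name)
    # Heuristic (assumption of this example): mail received over SMTP carries
    # Received headers; a pasted body or a re-composed forward has none.
    if not msg.get_all("Received"):
        problems.append("no Received header")
    return problems


def report(path):
    """Check the file, then run the equivalent of: spamassassin -r < path"""
    with open(path, "rb") as fh:
        raw = fh.read()
    problems = check_original(raw)
    for p in problems:
        print("%s: %s" % (path, p), file=sys.stderr)
    if problems:
        return 1
    return subprocess.run(["spamassassin", "-r"], input=raw).returncode


if __name__ == "__main__":
    sys.exit(report(sys.argv[1]))
```
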