>From: ttgh <tony.to...@goldenhour.com>
>Sent: Monday, February 16, 2015 11:44 AM
>To: users@spamassassin.apache.org
>Subject: train filter based on spam to ex-employees?
>We get 'waves' of spam which are addressed to both long-time employees
>(usually executives) as well as long-gone employees. It's safe to say that
>ANYTHING sent to those ex-employees is spam but how do I use those messages
>as an instant filter for the valid addressees?

Not a valid indicator of spam in my opinion. Legit senders could be trained as spam and block valid mail. Also, that list would be tough to maintain.

Set up a good whitelist_from_rcvd, whitelist_from_spf, whitelist_from_dkim, then let Bayesian and other rules do their work on the rest. This also keeps the SA processing time down low.

At the MTA level, use some reliable RBLs and basic HELO checks to block most of the spam. Set up a high-number MX server that temp-fails everything after a couple seconds' delay. This will attract some of the spam away from your main MX.

Set up negative SA scoring on some of the reliable whitelists and positive scoring on some RBLs that are too risky for you to block at the MTA level. For example, SpamCop is very nice but I am not able to use it in my MTA, so I add points for hits.

I have recently changed my thinking on blocking spam toward more of the reputation of the sending mail server. This seems to work well and helps with new spam campaigns. The downside is compromised accounts on legit mail servers, but this is really hard to block anyway. My servers usually block these after 30 minutes or so based on RBLs, DCC, Razor, etc.

>I assume I need to learn how to use the Bayesian filter but I've been
>avoiding that because of the apparent effort required to maintain it. Also
>I'm concerned that there won't be a quick enough turnaround on filtering,
>e.g. if 10 copies of a new spam arrive and the first several instances are
>addressed to current employees, they will 'pass' the filter before the
>known-bad addressees get scanned and added to the filter.
>
>I should also point out that our SA setup is acting as relay to an internal
>server so once messages are passed they are no longer accessible to SA,
>i.e., we're running Postfix but only as a relay not as the primary mail
>store. Thank you for any suggestions!

--
View this message in context: http://spamassassin.1065346.n5.nabble.com/train-filter-based-on-spam-to-ex-employees-tp114546.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
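The reply above recommends sender whitelisting plus reputation-based scoring rather than a recipient blacklist. The following local.cf fragment is an added example, not configuration posted by anyone in the thread, showing what those suggestions look like as SpamAssassin directives. The domains example.com, partner.example.net, vendor.example.org, the relay name mail.example.com and the DNSBL zone bl.example.invalid are placeholders, and the score values are illustrative choices rather than figures from the post.

```conf
# Added example (not from the thread). Placeholders: example.com,
# partner.example.net, vendor.example.org, mail.example.com, bl.example.invalid.
# Score values are illustrative.

# 1. Trusted senders, each tied to something a spammer cannot forge cheaply:
#    the relay's reverse DNS, an SPF pass, or a DKIM signature from the domain.
#    (SPF and DKIM plugins are loaded by default in v312.pre / v310.pre.)
whitelist_from_rcvd  *@example.com          mail.example.com
whitelist_from_spf   *@partner.example.net
whitelist_from_dkim  *@vendor.example.org

# These are the stock scores for the resulting hits; listed so they are easy
# to tune. -100 effectively bypasses the remaining rules for that message.
score USER_IN_WHITELIST       -100
score USER_IN_SPF_WHITELIST   -100
score USER_IN_DKIM_WHITELIST  -100

# 2. Reputation of the sending relay: negative points for a reputable
#    whitelist hit, extra positive points for an RBL that is too risky to
#    reject on at the MTA (SpamCop is the one named in the reply; the stock
#    score is lower than the 2.5 used here).
score RCVD_IN_DNSWL_HI        -5.0
score RCVD_IN_BL_SPAMCOP_NET   2.5

# 3. A DNSBL that is not in the stock rule set. The "-lastexternal" suffix
#    tests only the last external relay, which is the one whose reputation
#    matters. This only works if trusted_networks/internal_networks are set
#    correctly on the relay host; otherwise SA cannot tell which hop is external.
header   RCVD_IN_EXAMPLE_BL  eval:check_rbl('examplebl-lastexternal', 'bl.example.invalid.')
describe RCVD_IN_EXAMPLE_BL  Last external relay is listed in bl.example.invalid
tflags   RCVD_IN_EXAMPLE_BL  net
score    RCVD_IN_EXAMPLE_BL  2.0

# 4. Shared-checksum services mentioned in the reply. Razor2 is loaded by
#    default; DCC needs its loadplugin line uncommented in v310.pre.
use_razor2 1
use_dcc 1
```

Run `spamassassin --lint` after editing local.cf to catch syntax errors, and `spamassassin -D rbl < message.eml` to confirm the new DNSBL lookup is actually issued against the intended hop before relying on its score.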