On Tue, Jun 22, 2004 at 04:19:03AM -0700, Rod Roark wrote: > On Tuesday 22 June 2004 12:06 am, Brian Lavender wrote: > > On Wed, Jun 16, 2004 at 10:15:18PM -0700, Rod Roark wrote: > > > Seems like most of the spam that I (and thus LUGOD) are not > > > successfully filtering out these days is from dynamic IPs - > > > dialup, cable modem, and dynamic DSL. > > > > > > So I'm wondering if it's reasonable to refuse mail from > > > servers that connect directly from a dynamic IP. Is anyone > > > here running such a server? And if you are, are you finding > > > that many sites are refusing your mail? > > > > > > Please reply off-list unless you think that what you have to > > > say is of general interest. Also if you're not sure if your > > > IP is considered dynamic, you can check it at > > > "http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?IP=". > > > > Well, consider this. You have a valid send who is sending you email from > > a dynamic IP. You would want to receive that email, right?!! > > > > The answer lies in SpamAssassin. I believe it scores on this blacklist. > > SpamAssassin has been 100% effective with over 300+ spams in the last > > 24+ hours! > > 100% is astounding. My experience with SA was nothing like > that. But it has a huge number of options; how do you have > it configured? What about false positives? Any idea how > many unique spam sources are represented in those 300 > messages?
I pipe'ed my known good messages into a whitelist tool, plus the Bayesian filtering is helping a lot. The RAZOR check and other blacklist, RFC, open relays lists have helped as well. I know some of this stuff requires that you have dependent PERL modules installed to work. Admittingly, I just put this latest implementation into place this last weekend. But, yes, no false positives thus far. Also, here's a script that will add whitelist entries for people you send mail to. This is a great idea I want to implement, because as you say, false positives are a concern and this is a good way to automatically get people on a whitelist. http://www.estey.com/scripts/auto-whitelist.pl.txt Here's a spam scoring from my current installation of SpamAssassin. You can see it already has your dynamic IP listing. But I think the Bayes scoring working really well at the moment. I think it has to do with the fact that I am on a lot of mailing lists, so it has a lot of ham to base its analysis. Content analysis details: (13.8 points, 4.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.1 HTML_MESSAGE BODY: HTML included in message 5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 1.0000] 0.9 MIME_HTML_ONLY BODY: Message only has text/html MIME parts 0.1 HTML_50_60 BODY: Message is 50% to 60% HTML 0.1 BIZ_TLD URI: Contains a URL in the BIZ top-level domain 0.5 FORGED_HOTMAIL_RCVD Forged hotmail.com 'Received:' header found 0.7 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org [<http://dsbl.org/listing?ip=218.135.214.75>] 1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see <http://www.spamcop.net/bl.shtml?218.135.214.75>] 2.6 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address [218.135.214.75 listed in dnsbl.sorbs.net] 0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS [218.135.214.75 listed in dnsbl.sorbs.net] 1.1 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts 0.7 MSGID_FROM_MTA_HEADER Message-Id was added by a relay > > > The next question is, do you want to process this email? I > > don't. That's why I have been testing SA-Exim. If it gets flagrant > > spam from an IP, it can put in a temporary reject. Or, it can put in a > > permanent reject. Or.... if it's really bad spam, you can teergrub it. > > Or, say I do have a sender who does use mail server on a dynamic IP. I > > can whitelist him and get his email. > > > > I am doing a talk on integrating SpamAssassin at the SMTP layer. The > > implementation is SA-Exim. http://www.saclug.org/ > > Well I use Postfix. I believe the rough equivalent with > that would be something like amavisd-new which runs > SpamAssassin "internally", using the "before queue content > filter" which Postfix introduced with release 2.1. I don't > know anyone who has tried this combination yet. Well, does Postfix do the following?!!! This mail was rejected at the SMTP layer. This way, the sender doesn't think he sent it. If the mail had been accepted, it would have returned a code 500. If I had tried to bounce this spam, it would have gone to some unknow domain "gandalf". bash-2.05$ telnet pptp.brie.com 25 Trying 158.222.124.74... Connected to pptp.brie.com. Escape character is '^]'. 220 pptp ESMTP Exim 4.34 Tue, 22 Jun 2004 04:44:44 -0700 mail from: [EMAIL PROTECTED] 250 OK rcpt to: [EMAIL PROTECTED] 250 Accepted data 354 Enter message, ending with "." on a line by itself From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: $$$ Make Money Fast $$$ !!! viagra 100% GARANTEE AMAZING FULL REFUND This is not spam . 451 Please try again later brian -- Brian Lavender http://www.brie.com/brian/ _______________________________________________ vox-tech mailing list [EMAIL PROTECTED] http://lists.lugod.org/mailman/listinfo/vox-tech
