Matt,

Fortunately, if you want to call it that, I am small enough so that I can
keep a very close eye on what makes its way through our servers. I go through
logs every night. Our block rates are very similar to yours, though the term
"false positives" can often be in the eye of the beholder. :-)

Fortunately, it is rare that false positives are an issue, and most of my
customers are pretty ecstatic about the amount of spam reduction we bring
them. With the addition of whitelisting, false-positives are rare, indeed.

FWIW, I managed to write one rule in the past year that backfired on me by
deleting anything with "Cialis" in the Subject: line. As it turns out, one
of our subscribers receives a newsletter aimed at soCIALISts. I wonder how
many of you will get this message trapped? :-) Fortunately, I saw this
message get trapped in the logs and fixed the problem the same day.


William Van Hefner
Network Administrator
Vantek Communications, Inc.
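
The "Cialis" rule that trapped the soCIALISts newsletter is a plain substring match. The sketch below is an added example, not the rule or fix used in the message above: it compares a substring match with a letter-bounded match and holds hits for log review instead of deleting them. The subjects, the whitelisted address and the "hold" action are constructed assumptions.

```python
import re

KEYWORD = "cialis"

# Letter-bounded match: the keyword must not have a letter on either side.
BOUNDED = re.compile(r"(?<![a-z])cialis(?![a-z])", re.IGNORECASE)

def naive_rule(subject):
    """Substring match, the kind of rule that backfired in the post."""
    return KEYWORD in subject.lower()

def bounded_rule(subject):
    """Match the keyword only when it stands as its own word."""
    return BOUNDED.search(subject) is not None

def decide(subject, sender, whitelist=frozenset()):
    """Whitelisted senders always pass; keyword hits are held, not deleted."""
    if sender.lower() in whitelist:
        return "deliver"
    return "hold" if bounded_rule(subject) else "deliver"

# Constructed sample subjects (not taken from any real log).
SUBJECTS = [
    "Cheap Cialis online",
    "Socialists Weekly: January issue",
    "Specialist referral for Tuesday",
    "CIALIS!!! 70% off",
    "Re: [IMail Forum] SpamCannibal",
]

def audit(subjects):
    """Return (subject, naive_hit, bounded_hit) so rule changes can be diffed."""
    return [(s, naive_rule(s), bounded_rule(s)) for s in subjects]

if __name__ == "__main__":
    for subject, naive, bounded in audit(SUBJECTS):
        flag = "FALSE POSITIVE" if naive and not bounded else ""
        print(f"{subject!r:40} naive={naive!s:5} bounded={bounded!s:5} {flag}")
```

Running a rule change through an audit like this against a sample of yesterday's subjects shows the false positives before the rule goes live.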


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, January 27, 2005 3:17 PM
To: IMail_Forum@list.ipswitch.com
Subject: Re: [IMail Forum] SpamCannibal (was another topic)


Hey, do whatever you want, it's your server and your customers, and as long
as you are bouncing this stuff, it's no skin off my back.

I was merely describing the realities of what is going on with lower
priority MX hits.  This supports most of your assertion, however there is a
very big difference between 100% and 99.9% accuracy, or what I would
consider to be about 99.5% accuracy with our second priority server.

My view as a spam and virus blocking service is that delivering the good
E-mail is my first priority, and blocking the bad is the second.  We have
few problems with either, and we don't have to take heavy handed tactics
like this to achieve our goals.  We don't penalize people for being stupid,
we work around it.  In fact, it's the lack of sophistication, practices, or
the improper priorities of other companies that makes us look so good in
comparison.  The 99.7% block rates with 0.03% false positives for the
typical domain doesn't hurt either :)

Matt



William Van Hefner wrote: 
Matt,

I do not consider ANY bulk mailer that purposefully violates RFCs
"legitimate". Heck, AOL will delete or bounce your mail just for not having
a properly configured PTR. In my mind, purposefully violating RFCs for the
express intent of deceiving/avoiding spam filters is enough reason to reject
their mail, if they are doing it on a consistent basis. I mean, why have
RFCs, if some admins feel that they don't apply to them?

At least with PTRs, you can chalk some of those cases up to temporary
problems of switching underlying networks or simple mistakes by admins. In
order to send out bulk mailings to MXs in reverse order, you have to go WAY
out of your way to modify a mail server or software to do something like
that. There are no legit mail servers that do this in the default
configuration. INTENT TO DECEIVE your mail server to accept their mail is
the only reason someone would do something like this. In the end, it's really
all about money to these people though.

If your solution works for you, great. On my system, 100% of the mail sent
to the second or third MX is spam, or is sent by some shady bulk mailer. I
have a much, much lower threshold for deleting spam on those servers. Any
bulk mailers that want to get their garbage through the last MX (third)
server will need to be whitelisted in the future, or pay me extra for the
privilege of relaying their mailings via a server that they shouldn't even
have to exist.


William Van Hefner
Network Administrator
Vantek Communications, Inc.


  
-----Original Message-----
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, January 27, 2005 2:22 PM
To: IMail_Forum@list.ipswitch.com
Subject: Re: [IMail Forum] SpamCannibal (was another topic)


I have found that some newsletters/legitimate bulk-mailing software will
hit lower priority MX's, possibly by design (some setups don't have spam
blocking configured for backups which makes them more desirable to hit,
but also some software doesn't bother with MX priority, they just take
the first entry returned).

Because zombie spamware regularly ignores MX priorities, we set up 4 MX
records with 4 different priorities and made sure that our DNS was
round-robined, meaning that the records would be returned in random
order, but that doesn't matter to a compliant SMTP server which should
choose the proper priority.  Spamware seems to just simply choose the
first MX record returned, so when round-robined, that means that zombie
spamware is evenly divided over our 4 records.  This is effective enough
that we then use Declude to filter for hits on all but the primary MX
record, and we add points for such hits.  It is very effective since
hits to our MX3 and MX4 are 99.9% spam.  Hits on our MX2 are scored
lower since there is more legitimate traffic that may hit it and it is
on a separate box on a separate network.  MX3 and MX4 are on the same
box as MX1, so technically, those should almost never be hit by anything
remotely legitimate.

Matt



R. Scott Perry wrote:


The only time that any legitimate traffic should flow through our
"secondary MX" is when the primary is down completely.

"never, ever" ??? not very humble, you "IMHO"

In practice, simply not true, so don't bet any money on it.

You are correct -- if the *remote* mailserver has a temporary problem
with their Internet connection, the connection to the primary may
fail, and the mailserver will contact the backup.  So legitimate
traffic definitely can go to the backup.

                                                   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail
mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in 
mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.




To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/


      
-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro. 
http://www.mailpure.com/software/ 
=====================================================



-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
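
The round-robin MX scheme and the backup-MX caveat discussed in the thread can be modelled in a few lines. This is an added sketch, not code or configuration from any poster: it shows why a sender that takes the first returned record spreads evenly over four MX hosts while a compliant sender stays on the primary unless it cannot reach it. Hostnames, point values and the use of rotation in place of random ordering are assumptions.

```python
from collections import Counter

# Constructed MX set: (preference, host). Lower preference = higher priority.
MX_RECORDS = [(10, "mx1.example.net"), (20, "mx2.example.net"),
              (30, "mx3.example.net"), (40, "mx4.example.net")]

# Hypothetical points added to a message's spam score per receiving MX.
# MX2 scores lower than MX3/MX4 because legitimate retries can land on it.
MX_POINTS = {"mx1.example.net": 0, "mx2.example.net": 2,
             "mx3.example.net": 6, "mx4.example.net": 6}

def round_robin_answers(records, lookups):
    """Yield DNS answers with the record order rotated by one per lookup."""
    for i in range(lookups):
        k = i % len(records)
        yield records[k:] + records[:k]

def compliant_pick(answer, unreachable=frozenset()):
    """Compliant sender: lowest preference among hosts it can reach."""
    reachable = [(pref, host) for pref, host in answer if host not in unreachable]
    return min(reachable)[1]

def first_record_pick(answer, unreachable=frozenset()):
    """Sender that ignores preference and takes the first record returned."""
    return answer[0][1]

def hit_distribution(pick, lookups=400, unreachable=frozenset()):
    """Count which MX each of `lookups` deliveries lands on."""
    return Counter(pick(answer, unreachable)
                   for answer in round_robin_answers(MX_RECORDS, lookups))

def mx_score(host):
    """Points to add for a message received on `host`."""
    return MX_POINTS.get(host, 0)

if __name__ == "__main__":
    print("compliant:   ", dict(hit_distribution(compliant_pick)))
    print("first-record:", dict(hit_distribution(first_record_pick)))
    # A legitimate sender that cannot reach the primary falls back to MX2.
    down = frozenset({"mx1.example.net"})
    print("primary unreachable:", dict(hit_distribution(compliant_pick, 400, down)))
```

Weighting the receiving MX as one score component, not as an outright reject, keeps the legitimate fallback case deliverable.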

