Mike Taczak wrote:
> The company I work for is more concerned with removing all false 
> positives than filtering absolutely every spam that comes through the 
> system.  This can usually be accomplished by using many reliable smaller 
> carefully calibrated filtering techniques assuming our servers can 
> support them and maintaining speed.  We've found policyd invaluable in 
> this sense.
> 
> However, while we were looking at the HRP module, we were concerned 
> about false positives for the valid email servers that may use more than 
> X helo names.  We've come up with a change that should prevent those 
> false positives while still filtering many false servers.
> 
> By using a truncated version of the received helo name (which is usually 
> a domain name of some kind - we truncated by 2 periods. Example: 
> mx1.subdomain.test.com becomes test.com), the real email servers are 
> less likely to be tagged as randomizing their helo names, while fake 
> servers, which seem to rarely use subdomains on the same network anyway, 
> are still filtered out albeit at a slightly lower rate.
> 
> In the case of a helo name being an IP address, we added a condition to 
> only do the truncation if the last character in the helo name is 
> non-numeric so that IPs would still retain all the information.
> 
> What do you think about incorporating this change into policyd?

While I will accept a patch for this feature, I do not believe it
is the smarter / wiser approach. Before implementing Policyd, care
should be taken for each module. In the case of HRP, it is best to
start with a HIGH value/threshold which will allow you to weed out
false-positive potentials. If you are using the greylisting module,
you should have custom whitelists already and it would be best to
grow that list.

It's important to realize that one of the highest rates of incoming
spam (at least for us) is from sources which have decent amounts
of income which allows them to buy entire class-c addresses, set up
completely randomized subdomains (a.bb.net, b.bb.net, c.bb.net)
etc. and then bombard us while those subdomains (in the same netblock)
begin to shift IP addresses.

You'd effectively be disabling the whole point of HRP. The golden rule
for preventing false positives is to whitelist aggressively
(regardless of what anti-spam measure you wish to deploy).

Regards,
Cami
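To make the trade-off in this thread concrete, here is an added example (not policyd code, and not from either poster) showing how the proposed two-label truncation, with the IP-literal exception, changes what an HRP-style distinct-HELO count sees. The function names and the sample HELO list (including the 192.0.2.10 literal) are assumptions constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not policyd's own code): reduce a HELO name to its
 * last two labels, e.g. "mx1.subdomain.test.com" -> "test.com". A name whose
 * last character is a digit is treated as an IP literal and left untouched,
 * matching the condition described in the proposal. */
const char *truncate_helo(const char *helo) {
    size_t len = strlen(helo);
    if (len == 0 || isdigit((unsigned char)helo[len - 1]))
        return helo;
    int dots = 0;
    for (const char *p = helo + len; p > helo; p--) {
        if (p[-1] == '.' && ++dots == 2)
            return p;            /* text after the second-to-last dot */
    }
    return helo;                 /* fewer than two dots: nothing to strip */
}

/* Count distinct HELO names the way an HRP-style counter would, optionally
 * applying the truncation first. Small N, so a quadratic scan is enough. */
int distinct_helos(const char **helos, int n, int truncate) {
    const char *seen[64];
    int count = 0;
    for (int i = 0; i < n && count < 64; i++) {
        const char *h = truncate ? truncate_helo(helos[i]) : helos[i];
        int dup = 0;
        for (int j = 0; j < count; j++)
            if (strcmp(seen[j], h) == 0) { dup = 1; break; }
        if (!dup) seen[count++] = h;
    }
    return count;
}

/* Constructed sample: the randomized-subdomain pattern from the reply plus
 * one IP literal. Raw, HRP sees 4 distinct names; truncated, only 2. */
int count_sample(int truncate) {
    const char *helos[] = {"a.bb.net", "b.bb.net", "c.bb.net", "192.0.2.10"};
    return distinct_helos(helos, 4, truncate);
}

int main(void) {
    printf("raw: %d distinct, truncated: %d distinct\n",
           count_sample(0), count_sample(1));
    return 0;
}
```

The collapse from 4 to 2 is exactly why the reply warns that truncation blunts HRP against a sender rotating subdomains, while the legitimate multi-MX case (mx1.subdomain.test.com) does benefit from it.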

_______________________________________________
policyd-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/policyd-users
