On 2026-03-10 at 20:46:54 UTC-0400 (Wed, 11 Mar 2026 13:46:54 +1300)
Tim Harman via Postfix-users <[email protected]>
is rumored to have said:
On 11/03/2026 8:50 am, Fred Morris via Postfix-users wrote:
On Tue, 10 Mar 2026, Gary R. Schmidt via Postfix-users wrote:
[...]
Turn on postscreen and add fail2ban.

I learnt (I forget how, that's the problem) that if you're using
rspamd, you shouldn't do anything else like fail2ban or postscreen, so
that rspamd can learn _all_ mail. If you reject it as spam before it
even gets to rspamd, then rspamd ends up learning mostly ham and very
little spam, so things like the IP Reputation and bayes/neuralnet
training suffer because they don't see enough of both sides.

I guess I can see some value in fail2banning an IP that rspamd has
flagged as spam the last 20 times, to stop the CPU overhead of rspamd
having to check it a 21st time.

But is that learnt wisdom correct, or am I holding onto a belief
that's not in fact true?

I have not tested it rigorously in MANY years but when I wanted to be
sure, I found that switching off pre-SpamAssassin rejections did not
really improve the performance of the SA Bayesian "learning" subsystem.
Much more mail was hitting SpamAssassin but much of the mail that was
being rejected and learned as spam was a sort of garbage that we never
saw with the pre-SpamAssassin rejections active.

I haven't tested that recently, but I do not have any indications that
it has changed. The qualitative nature of the spam stopped by the
postscreen before-greeting strictures is distinct from the spam that
makes it to SpamAssassin. I suspect that it looks like what I see in my
canary freemail accounts, filtered almost entirely to the spam folders.

One way to think of this is that there really are not just 2 intrinsic
classes of mail (spam/ham) but many natural classes which can fall in
one or the other of "spam" and "ham" but often it's more like a complex
Venn diagram. The class "mail offered over sessions that look like bots"
happens to be entirely spam, but it is distinctly different from the
spam that gets through to a "learning" filter like SA or rspamd, having
run a gauntlet of MTA-based protections like postscreen and various
sorts of access lists. The result is that the Bayesian filter in SA only
ever sees the kinds of spam that come from mixed-type sources. It
wastes no space on the garbage stopped by postscreen which is mostly NOT
much like the B2B spam via Salesforce, the BEC mail from compromised
machines, or even the phishing done by hijacked MS365 accounts. Instead,
the filter learns from those sorts of spam which get to it, creating a
classifier that is better tuned to that narrower range of email.

--
Bill Cole
[email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com
addresses)
Please keep discussion mailing list replies *on-list*
Not Currently Available For Hire