Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 04/22/2013 09:29 AM, Andrzej A. Filip wrote: Are you ready/willing to report spam you receive to spamcop.net, razor, pyzor, ...? On 22.04.13 15:01, Thomas Cameron wrote: That's an interesting question... Each user has their own spam folders, so I guess I should create a cron job per user to do so, maybe? Does anyone do that? Is it smart? depends on how you train spamassassin. the spamassassin -r reports automatically wherever possible. sa-learn only trains bayes. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Eagles may soar, but weasels don't get sucked into jet engines.
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 04/08/2013 03:52 AM, Andrzej A. Filip wrote: On 04/08/2013 05:12 AM, Thomas Cameron wrote: [...] I want to delete any spam that scores over 10, though. I believe that I should insert a new rule between the first and second, and I want to use the X-Spam-Level header. But since it uses asterisks, which are interpreted as regex wildcards, I want to make sure I've got the right syntax. I think I would need to escape out the asterisks, right? Would it look like this? :0: * ^X-Spam-Level:.*\*\*\*\*\*\*\*\*\*\* /dev/null I believe that would match 10 asterisks or more, and redirect the e-mail to /dev/null. Am I right? I would suggest redirecting such messages to another folder/maildir. The folder should auto-purge old messages (e.g. older than 30 days). Shit does happen. I remember at least one case in which mailing list (ham) thread about spammer scored 10. Such very false positives are very unlikely/rare *but* nobody responsible is going to guarantee it will not happen to you. So, I've set up two IMAP folders, spam for messages which are in the 5-10 range and super-spam which are over 10. I've been watching them since the 7th, when I updated SA and configured it based on Warren Togami's most excellent guide at http://www.spamtips.org/p/ultimate-setup-guide.html. So far the super-spam folder is getting messages at about 10:1 over spam. I have not seen a single FP in super-spam in that time. In fact, I have not seen ANY FPs in either folder. At this point, I'm pretty comfortable just nuking that e-mail instead of wasting space with it. Currently I'm using procmail recipes for individual users, but I'm leaning heavily towards going back to spamass-milter, and rejecting everything that scores 10 or more. I'm definitely open to suggestions, though. The only argument I have seen so far is you might get a FP. While that is absolutely valid, it has not happened so far. If I use spamass-milter, the sender will get a rejection notice, so important senders which trigger FPs will be able to call me and let me know. Otherwise, I don't think the message is that important. ;-) Thoughts? Thomas
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 22.04.13 08:27, Thomas Cameron wrote: Currently I'm using procmail recipes for individual users, but I'm leaning heavily towards going back to spamass-milter, and rejecting everything that scores 10 or more. with thing like spamass-milter I found REFUSING mail (not devnulling!) sa safe. I also use score 10 as rejecting threshold. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Depression is merely anger without enthusiasm.
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 04/22/2013 03:27 PM, Thomas Cameron wrote: On 04/08/2013 03:52 AM, Andrzej A. Filip wrote: On 04/08/2013 05:12 AM, Thomas Cameron wrote: [...] I want to delete any spam that scores over 10, though. I believe that I should insert a new rule between the first and second, and I want to use the X-Spam-Level header. But since it uses asterisks, which are interpreted as regex wildcards, I want to make sure I've got the right syntax. I think I would need to escape out the asterisks, right? Would it look like this? :0: * ^X-Spam-Level:.*\*\*\*\*\*\*\*\*\*\* /dev/null I believe that would match 10 asterisks or more, and redirect the e-mail to /dev/null. Am I right? I would suggest redirecting such messages to another folder/maildir. The folder should auto-purge old messages (e.g. older than 30 days). Shit does happen. I remember at least one case in which mailing list (ham) thread about spammer scored 10. Such very false positives are very unlikely/rare *but* nobody responsible is going to guarantee it will not happen to you. So, I've set up two IMAP folders, spam for messages which are in the 5-10 range and super-spam which are over 10. I've been watching them since the 7th, when I updated SA and configured it based on Warren Togami's most excellent guide at http://www.spamtips.org/p/ultimate-setup-guide.html. So far the super-spam folder is getting messages at about 10:1 over spam. I have not seen a single FP in super-spam in that time. In fact, I have not seen ANY FPs in either folder. At this point, I'm pretty comfortable just nuking that e-mail instead of wasting space with it. Currently I'm using procmail recipes for individual users, but I'm leaning heavily towards going back to spamass-milter, and rejecting everything that scores 10 or more. I'm definitely open to suggestions, though. The only argument I have seen so far is you might get a FP. While that is absolutely valid, it has not happened so far. If I use spamass-milter, the sender will get a rejection notice, so important senders which trigger FPs will be able to call me and let me know. Otherwise, I don't think the message is that important. ;-) Thoughts? False positives in super-spam (10 SA score) should be very rare. Are you ready/willing to report spam you receive to spamcop.net, razor, pyzor, ...?
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
Andrzej A. Filip skrev den 2013-04-22 16:29: Are you ready/willing to report spam you receive to spamcop.net, razor, pyzor, ...? or dnswl, return-path ? :) -- senders that put my email into body content will deliver it to my own trashcan, so if you like to get reply, dont do it
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 04/22/2013 09:03 AM, Matus UHLAR - fantomas wrote: On 22.04.13 08:27, Thomas Cameron wrote: Currently I'm using procmail recipes for individual users, but I'm leaning heavily towards going back to spamass-milter, and rejecting everything that scores 10 or more. with thing like spamass-milter I found REFUSING mail (not devnulling!) sa safe. I also use score 10 as rejecting threshold. Yeah, exactly what I had in mind.
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 04/22/2013 09:29 AM, Andrzej A. Filip wrote: False positives in super-spam (10 SA score) should be very rare. Exactly my point. Are you ready/willing to report spam you receive to spamcop.net, razor, pyzor, ...? That's an interesting question... Each user has their own spam folders, so I guess I should create a cron job per user to do so, maybe? Does anyone do that? Is it smart? TC
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 2013/04/22 06:27, Thomas Cameron wrote:
On 04/08/2013 03:52 AM, Andrzej A. Filip wrote:
On 04/08/2013 05:12 AM, Thomas Cameron wrote:
[...]
I want to delete any spam that scores over 10, though. I believe that I
should insert a new rule between the first and second, and I want to use
the X-Spam-Level header. But since it uses asterisks, which are
interpreted as regex wildcards, I want to make sure I've got the right
syntax. I think I would need to escape out the asterisks, right?
Would it look like this?
:0:
* ^X-Spam-Level:.*\*\*\*\*\*\*\*\*\*\*
/dev/null
I believe that would match 10 asterisks or more, and redirect the e-mail
to /dev/null. Am I right?
I would suggest redirecting such messages to another folder/maildir.
The folder should auto-purge old messages (e.g. older than 30 days).
Shit does happen. I remember at least one case in which mailing list
(ham) thread about spammer scored 10.
Such very false positives are very unlikely/rare *but* nobody
responsible is going to guarantee it will not happen to you.
So, I've set up two IMAP folders, spam for messages which are in the 5-10
range and super-spam which are over 10. I've been watching them since the 7th,
when I updated SA and configured it based on Warren Togami's most excellent
guide at http://www.spamtips.org/p/ultimate-setup-guide.html.
So far the super-spam folder is getting messages at about 10:1 over spam. I
have not seen a single FP in super-spam in that time. In fact, I have not seen
ANY FPs in either folder.
At this point, I'm pretty comfortable just nuking that e-mail instead of wasting
space with it.
Currently I'm using procmail recipes for individual users, but I'm leaning
heavily towards going back to spamass-milter, and rejecting everything that
scores 10 or more.
I'm definitely open to suggestions, though. The only argument I have seen so far
is you might get a FP. While that is absolutely valid, it has not happened so
far. If I use spamass-milter, the sender will get a rejection notice, so
important senders which trigger FPs will be able to call me and let me know.
Otherwise, I don't think the message is that important. ;-)
Thoughts?
Thomas
Thomas, you are still better off using a spam folder or simply a
subject modification that allows easy spam ranking in a spam folder.
I setup a markup such that subjects look much like this:
Subject: *SPAM* 016.2 ** Do you have a mesh implant {removed]
That allows me to put anything marked *SPAM* at the start of
the subject as spam. And it allows me to sort the spam for how spammy
it is. I can then whiff through the spam in moments to find things
that were miscategorized as spam and salvage them. I (very rarely)
find ham in the spam with scores over 10 on some mailing lists. There
are some people who persist in using tools that invite spam scores
and include messages that look surprisingly spammy in their formatting.
(Source code can VERY often trigger some spam scores, for example.)
And as sure as Murphy's law seems to work with uncanny precision you
will find over the years at least one email among the spam that could
have cost you either a lot of money, a lot of time, critical information,
or lost opportunity.
I've nuked some jerks with /dev/null before it even hits spamassassin.
But I've never nuked merely on the basis of spam scores. That led me
to a job when a friend sent me a note about an opportunity he thought
I could do when he had his hands full. It was caught as spam. And I am
glad I checked and noticed his address. That pushed me to check the mail
(plain text) and discover it was legitimate despite containing a few
spammy words or phrases.
Use the mark up to make it easy for you to prioritize your spam scan. I
get 16 to 100 spams a day, depending on day of the week. A quick scan of
the spam folder costs almost no time, no frustration, and seems worth it
to me. Being able to tell T'bird to sort the mail by score REALLY makes
it go fast.
{^_^}
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On Monday, April 08, 2013 05:06:57 PM Walter Hurry wrote: I agree that dev-nulling is generally a bad idea, but there may be exceptions. For example, I dump everything from hinet.net straight onto the floor. FWIW, I get ham from hinet.net. IMHO, it is not appropriate to drop mail no matter how likely it is to be spam. If you are not going to deliver it, then it should be rejected at SMTP time with a 550 response. --Ian
Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 04/08/2013 05:12 AM, Thomas Cameron wrote: [...] I want to delete any spam that scores over 10, though. I believe that I should insert a new rule between the first and second, and I want to use the X-Spam-Level header. But since it uses asterisks, which are interpreted as regex wildcards, I want to make sure I've got the right syntax. I think I would need to escape out the asterisks, right? Would it look like this? :0: * ^X-Spam-Level:.*\*\*\*\*\*\*\*\*\*\* /dev/null I believe that would match 10 asterisks or more, and redirect the e-mail to /dev/null. Am I right? I would suggest redirecting such messages to another folder/maildir. The folder should auto-purge old messages (e.g. older than 30 days). Shit does happen. I remember at least one case in which mailing list (ham) thread about spammer scored 10. Such very false positives are very unlikely/rare *but* nobody responsible is going to guarantee it will not happen to you.
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On Mon, 08 Apr 2013 10:52:11 +0200, Andrzej A. Filip wrote: I would suggest redirecting such messages to another folder/maildir. The folder should auto-purge old messages (e.g. older than 30 days). Shit does happen. I remember at least one case in which mailing list (ham) thread about spammer scored 10. Such very false positives are very unlikely/rare *but* nobody responsible is going to guarantee it will not happen to you. I agree that dev-nulling is generally a bad idea, but there may be exceptions. For example, I dump everything from hinet.net straight onto the floor.
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 4/8/2013 1:06 PM, Walter Hurry wrote: On Mon, 08 Apr 2013 10:52:11 +0200, Andrzej A. Filip wrote: I would suggest redirecting such messages to another folder/maildir. The folder should auto-purge old messages (e.g. older than 30 days). Shit does happen. I remember at least one case in which mailing list (ham) thread about spammer scored 10. Such very false positives are very unlikely/rare *but* nobody responsible is going to guarantee it will not happen to you. I agree that dev-nulling is generally a bad idea, but there may be exceptions. For example, I dump everything from hinet.net straight onto the floor. By default, I just tag and deliver everything. For some of the company accounts that have spam problems and for the customers who have asked for it, I will drop high-scoring spam. -- Bowie
