Re: HELP!! spamassasssin killing my server

2008-06-16 Thread Matus UHLAR - fantomas
> Matus UHLAR - fantomas wrote:
> >On 12.06.08 18:51, Matthias Leisi wrote:
> >>On the company mailserver, we take a very conservative approach, and 
> >>only Spamhaus SBL+XBL are used at the MTA level. 
> >
> >you should switch to ZEN in such case, SBL+XBL is obsolete now.

On 13.06.08 18:49, Matthias Leisi wrote:
> We use a local feed, so querying SBL and XBL separately is not an issue. 
> For some obscure non-technical reason, we can currently not switch to 
> anything else (nor do we really need to, since queries only run local).

When people use "sbl+xbl", I guess they mean "sbl-xbl.spamhaus.org"
blacklist. If you query them separately, it's something different of course.
However you are then missing PBL which is another part of zen.
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool. 
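
The point of the message above, as an added example that is not part of the original thread: ZEN combines SBL, XBL and PBL, so a client listed only in PBL is invisible to a setup that checks SBL and XBL alone. The function names, the `sample_resolve` stub and the sample answers are constructed for illustration; the 127.0.0.x values are Spamhaus's published return codes.

```python
import ipaddress

# Last octet of a 127.0.0.x answer from zen.spamhaus.org -> component list.
ZEN_CODES = {2: "SBL", 3: "SBL", 9: "SBL",
             4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}

def dnsbl_qname(ip, zone):
    """Build the DNSBL query name: 192.0.2.10 -> 10.2.0.192.<zone> (IPv4 only)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def components(answers):
    """Map the A records returned for one query to the component lists they name."""
    found = set()
    for answer in answers:
        packed = ipaddress.IPv4Address(answer).packed
        if packed[:3] != b"\x7f\x00\x00":
            continue  # e.g. 127.255.255.x reports a query error, not a listing
        name = ZEN_CODES.get(packed[3])
        if name:
            found.add(name)
    return found

def compare(ip, resolve):
    """Return (components seen via ZEN, components an SBL+XBL-only check sees).

    resolve(qname) is a caller-supplied lookup returning a list of A records;
    an empty list stands for NXDOMAIN, i.e. not listed.
    """
    zen = components(resolve(dnsbl_qname(ip, "zen.spamhaus.org")))
    return zen, zen & {"SBL", "XBL"}

# Constructed sample answers (documentation addresses), so the example runs offline.
SAMPLE = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.10"],               # PBL only
    "20.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],   # SBL and XBL
    "30.2.0.192.zen.spamhaus.org": ["127.255.255.254"],          # error code
}

def sample_resolve(qname):
    return SAMPLE.get(qname, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99"):
        zen, legacy = compare(ip, sample_resolve)
        missed = sorted(zen - legacy)
        print(ip, "ZEN:", sorted(zen), "SBL+XBL only:", sorted(legacy),
              "missed:", missed)
```

To run it against live DNS, pass a `resolve` function backed by your resolver library in place of `sample_resolve`.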


Re: HELP!! spamassasssin killing my server

2008-06-13 Thread Matthias Leisi


Matus UHLAR - fantomas wrote:
> On 12.06.08 18:51, Matthias Leisi wrote:
> > On the company mailserver, we take a very conservative approach, and
> > only Spamhaus SBL+XBL are used at the MTA level.
>
> you should switch to ZEN in such case, SBL+XBL is obsolete now.

We use a local feed, so querying SBL and XBL separately is not an issue.
For some obscure non-technical reason, we can currently not switch to
anything else (nor do we really need to, since queries only run local).


-- Matthias


Re: HELP!! spamassasssin killing my server

2008-06-13 Thread Matus UHLAR - fantomas
On 12.06.08 18:51, Matthias Leisi wrote:
> On the company mailserver, we take a very conservative approach, and 
> only Spamhaus SBL+XBL are used at the MTA level. 

you should switch to ZEN in such case, SBL+XBL is obsolete now.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Re: HELP!! spamassasssin killing my server

2008-06-12 Thread Matthias Leisi


Rob McEwen wrote:
> http://www.dnsbl.com/2007/05/spamcop-bl-another-look-its-accurate.html
>
> Therefore, when you said, "too many false positives", are you referring
> to FPs from *before* that transformation of SpamCop? Or, are these
> *recent* FPs, spotted after that transformation?

It's twofold:

On my private mailserver, there is some older (definitely pre-2007)
history of FPs (and since then I only use it in SA context there).

On the company mailserver, we take a very conservative approach, and
only Spamhaus SBL+XBL are used at the MTA level. I run a daily report
similar to SA's own masscheck reports; there, I see quite an overlap
between the Spamcop BL rule and e.g. local whitelisting rules (based on
whitelist_from_rcvd, content-based whitelisting rule and [to a limited
degree] RCVD_IN_DNSWL_NONE/_LOW rules).

Just to be very clear: I value the Spamcop BL very much, and it is very
effective. However, it has a too high FP rate in my environment in order
to safely use it on the MTA.

I'll see whether I can grab some extract of it tomorrow and post it here.

> (Also, I'm not trying to argue... just trying to learn... and seeking
> clarity!)

Seconded :)

-- Matthias



Re: HELP!! spamassasssin killing my server

2008-06-12 Thread Rob McEwen

Matthias Leisi wrote:
> Be careful with using the Spamcop blacklist to reject messages -- while it
> is perfectly fine as a blacklist to use in a scoring scheme such as
> SpamAssassin, I found it to have too many false positives to use it for
> outright blocking.
>
> If you use it for blocking, then you should consider complementing your
> setup with a whitelist _on the MTA level_.

Matthias,

At some point around spring of 2007, SpamCop made dramatic improvements 
with regards to FPs.


Al Iverson details this here:

http://www.dnsbl.com/2007/05/spamcop-bl-another-look-its-accurate.html

Therefore, when you said, "too many false positives", are you referring 
to FPs from *before* that transformation of SpamCop? Or, are these 
*recent* FPs, spotted after that transformation?


(Also, I'm not trying to argue... just trying to learn... and seeking 
clarity!)


Rob McEwen



Re: HELP!! spamassasssin killing my server

2008-06-12 Thread Matus UHLAR - fantomas
> > Consequently I disabled the checks. Now, using spamhaus.org and spamcop
> > the overload has disappeared.

On 12.06.08 10:16, Matthias Leisi wrote:
> Be careful with using the Spamcop blacklist to reject messages -- while it
> is perfectly fine as a blacklist to use in a scoring scheme such as
> SpamAssassin, I found it to have too many false positives to use it for
> outright blocking.

otoh, SpamCop is probably the most effective in detecting spam outbreaks. It
only lists machines that spammed in the last 48 hours and it lists them very soon.

according to SpamCop, it's designed to be used for temporary rejects (IIRC).
However I think this way people would get much of the spam, only later, when
the machine is not listed (but the spam may still be in the queue), even
without increased score (because the machine is not in the queue).

In such case we only can hope that the spam will be caught by DCC, RAZOR,
PYZOR, URIBLs and some others.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...


Re: HELP!! spamassasssin killing my server

2008-06-12 Thread Matthias Leisi

> Consequently I disabled the checks. Now, using spamhaus.org and spamcop
> the overload has disappeared.

Be careful with using the Spamcop blacklist to reject messages -- while it
is perfectly fine as a blacklist to use in a scoring scheme such as
SpamAssassin, I found it to have too many false positives to use it for
outright blocking.

If you use it for blocking, then you should consider complementing your
setup with a whitelist _on the MTA level_.

-- Matthias