Re: A simple way to...

2004-10-10 Thread Robin Lynn Frank
On Sat, 9 Oct 2004 15:41:37 -0600 (CST)
Ryan Thompson <[EMAIL PROTECTED]> wrote:

> Robin Lynn Frank wrote to users@spamassassin.apache.org:
> 
> > We use SA 3.0.0 with MySQL so we can extract certain AWL data and
> > use it at the MTA level.  However, since SA doesn't have an
> > auto-blacklist feature,
> 
> Hi Robin,
> 
> Actually, "AutoWhiteList" (AWL) is a bit of a misnomer. AWL maintains
> average message scores for sender/class-B tuples, so, in effect, it is
> also an auto blacklist, because repeat spam senders will have high
> average scores in the AWL database.
> 
> > I'd like to find a relatively simple way to extract IP addresses
> > from emails that contain spam.  If it is of any importance, we
> > invoke SA via amavisd-new.
> 
> See, for instance, the check_whitelist script in the tools/ directory
> of the distribution. I get output like this:
> 
>  -4.5   (-35.6/8)  --  [EMAIL PROTECTED]|ip=64.59
>   9.3(27.9/3)  --  [EMAIL PROTECTED]|ip=65.39
> 
> The first line is for a user that sends ham, so his/her score on
> future messages would be pushed closer to -4.5.
> 
> The second line is for a user that sends spam, so, if they sent a more
> hammy message later, the AWL would likely *add* points to the message,
> while decreasing the average slightly.
> 
> It works both ways. If you want to use this at the MTA level, I could
> envision you wanting to grab, say, every entry over a certain average
> score and potentially greylist based on that or something.
> 
> Hope this helps,
> - Ryan
> 
Yes it does.  The only thing I see that is a problem is that the IPs
appear to be /16s.  /24s would be a broad enough brush to paint with. 
Back to the drawing board.

-- 
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
http://www.paradigm-omega.com
==
Sed quis custodiet ipsos custodes?




Re: A simple way to...

2004-10-09 Thread Bill Landry
- Original Message - 
From: "Ryan Thompson" <[EMAIL PROTECTED]>

> Robin Lynn Frank wrote to users@spamassassin.apache.org:
>
> > We use SA 3.0.0 with MySQL so we can extract certain AWL data and use
> > it at the MTA level.  However, since SA doesn't have an auto-blacklist
> > feature,
>
> Hi Robin,
>
> Actually, "AutoWhiteList" (AWL) is a bit of a misnomer. AWL maintains
> average message scores for sender/class-B tuples, so, in effect, it is
> also an auto blacklist, because repeat spam senders will have high
> average scores in the AWL database.
>
> > I'd like to find a relatively simple way to extract IP addresses from
> > emails that contain spam.  If it is of any importance, we invoke SA
> > via amavisd-new.
>
> See, for instance, the check_whitelist script in the tools/ directory of
> the distribution. I get output like this:
>
>  -4.5   (-35.6/8)  --  [EMAIL PROTECTED]|ip=64.59
>   9.3(27.9/3)  --  [EMAIL PROTECTED]|ip=65.39
>
> The first line is for a user that sends ham, so his/her score on future
> messages would be pushed closer to -4.5.
>
> The second line is for a user that sends spam, so, if they sent a more
> hammy message later, the AWL would likely *add* points to the message,
> while decreasing the average slightly.
>
> It works both ways. If you want to use this at the MTA level, I could
> envision you wanting to grab, say, every entry over a certain average
> score and potentially greylist based on that or something.

I'm wondering if the devs have considered changing the name associated with
AWL from auto-whitelisting to something more descriptive of what AWL
actually does, maybe something like auto-weight-leveling?

Bill



Re: A simple way to...

2004-10-09 Thread Ryan Thompson
Robin Lynn Frank wrote to users@spamassassin.apache.org:

> We use SA 3.0.0 with MySQL so we can extract certain AWL data and use
> it at the MTA level.  However, since SA doesn't have an auto-blacklist
> feature,

Hi Robin,

Actually, "AutoWhiteList" (AWL) is a bit of a misnomer. AWL maintains
average message scores for sender/class-B tuples, so, in effect, it is
also an auto blacklist, because repeat spam senders will have high
average scores in the AWL database.

> I'd like to find a relatively simple way to extract IP addresses from
> emails that contain spam.  If it is of any importance, we invoke SA
> via amavisd-new.

See, for instance, the check_whitelist script in the tools/ directory of
the distribution. I get output like this:

-4.5   (-35.6/8)  --  [EMAIL PROTECTED]|ip=64.59
 9.3(27.9/3)  --  [EMAIL PROTECTED]|ip=65.39

The first line is for a user that sends ham, so his/her score on future
messages would be pushed closer to -4.5.

The second line is for a user that sends spam, so, if they sent a more
hammy message later, the AWL would likely *add* points to the message,
while decreasing the average slightly.

It works both ways. If you want to use this at the MTA level, I could
envision you wanting to grab, say, every entry over a certain average
score and potentially greylist based on that or something.

Hope this helps,
- Ryan
--
  Ryan Thompson <[EMAIL PROTECTED]>
  SaskNow Technologies - http://www.sasknow.com
  901-1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
  Toll-Free: 877-727-5669 (877-SASKNOW) North America
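
The averaging and the "grab every entry over a certain average" idea from the message above, as an added example that is not part of the original thread or of SpamAssassin's code. It assumes the check_whitelist line layout quoted above, a regression factor of 0.5 (the `auto_whitelist_factor` default), and hypothetical thresholds; the sample addresses and prefixes are constructed.

```python
import re

# Constructed sample in the layout of the check_whitelist output quoted above;
# addresses and /16 prefixes are placeholders, not values from the thread.
SAMPLE = """\
 -4.5   (-35.6/8)  --  alice@example.org|ip=192.0
  9.3(27.9/3)  --  bulk@example.net|ip=198.51
 14.2   (14.2/1)  --  once@example.com|ip=203.0
"""

# average, (total/count), address, /16 prefix; tolerant of collapsed spacing
LINE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s*\((-?\d+(?:\.\d+)?)/(\d+)\)"
                  r"\s+--\s+(.+)\|ip=(\S+)\s*$")

def parse(text):
    """Return one dict per AWL entry; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or int(m.group(3)) == 0:
            continue
        total, count = float(m.group(2)), int(m.group(3))
        # Recompute the mean from total/count; the printed average is rounded.
        entries.append({"addr": m.group(4), "net": m.group(5),
                        "total": total, "count": count, "mean": total / count})
    return entries

def awl_adjust(entry, score, factor=0.5):
    """Pull a new message's score toward the sender's mean, then add the
    unadjusted score to the history (assumed AWL behaviour).
    Returns (adjusted_score, new_mean)."""
    adjusted = score + (entry["mean"] - score) * factor
    entry["total"] += score
    entry["count"] += 1
    entry["mean"] = entry["total"] / entry["count"]
    return adjusted, entry["mean"]

def greylist_candidates(entries, min_mean=5.0, min_count=3):
    """Entries with a high average that is backed by enough messages."""
    return [(e["addr"], e["net"]) for e in entries
            if e["mean"] >= min_mean and e["count"] >= min_count]

if __name__ == "__main__":
    entries = parse(SAMPLE)
    print(greylist_candidates(entries))
    print(awl_adjust(entries[1], 1.0))  # a "hammy" 1.0 from the spam sender
```

The `min_count` filter keeps a single high-scoring message from putting a whole /16 on the candidate list, which matters given how broad that prefix is.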