Re: anti-spamassassin [was Re: (again) Proposed Patch for Spamassassin]
On Fri, 15 Oct 2004 21:38:58 +0100 Matt Sergeant [EMAIL PROTECTED] wrote:

> > > Block anything without a Message-ID header.
> >
> > I tried this one out this week. It turns out earthlink doesn't bother adding a message-id header. So rude! :(
>
> It's not their responsibility - it's the MUA's.

In that case I should mention that ms outlook doesn't seem to add them.

Brian

Re: anti-spamassassin [was Re: (again) Proposed Patch for Spamassassin]
On Tue, 12 Oct 2004 23:01:40 +0100 Matt Sergeant [EMAIL PROTECTED] wrote:

> > > Block anything without a Message-ID header.

I tried this one out this week. It turns out earthlink doesn't bother adding a message-id header. So rude! :(

Blocking on no Received headers seems to work well.

Matching helo with m/\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}/ seems to be working well.

> > Is there a qpsmtpd DCC plugin floating around anywhere?
>
> Here's what I use:

Thanks.

Brian

Re: anti-spamassassin [was Re: (again) Proposed Patch for Spamassassin]
On Mon, 11 Oct 2004 20:50:12 +0100 Matt Sergeant [EMAIL PROTECTED] wrote:

> My top tips:
>
> Block anything without a Message-ID header.
> Block anything without any Received headers.
> Block anything found in CBL, SBL and SORBS.
> Block anything HELOing with a string matching \d+[\.-]\d+

Have you had difficulty with HELOes like 1-800-flowers.com or mail9.23skidoo.com?

> Block anything marked bulk in DCC.

Is there a qpsmtpd DCC plugin floating around anywhere?

Brian

Re: anti-spamassassin [was Re: (again) Proposed Patch for Spamassassin]
On 12 Oct 2004, at 21:09, Brian Grossman wrote:

> On Mon, 11 Oct 2004 20:50:12 +0100 Matt Sergeant [EMAIL PROTECTED] wrote:
>
> > My top tips:
> >
> > Block anything without a Message-ID header.
> > Block anything without any Received headers.
> > Block anything found in CBL, SBL and SORBS.
> > Block anything HELOing with a string matching \d+[\.-]\d+
>
> Have you had difficulty with HELOes like 1-800-flowers.com or mail9.23skidoo.com?

This is a small domain with two users, so no. I don't block that for MessageLabs - I have a much more complex (and thus administration intensive) set of HELO blocking installed. If I were a large scale mail admin I would probably see FPs with that block but add some more punctuation and digits in there (e.g. \d+[\.-]\d+[\.-]\d+) and you'll eliminate FPs (except for google.com, which uses a custom and rather annoying outbound SMTP server).

> > Block anything marked bulk in DCC.
>
> Is there a qpsmtpd DCC plugin floating around anywhere?

Here's what I use:

    use Net::DCCIf;

    sub check_dcc {
        my ($self, $transaction) = @_;
        $self->log(1, "Checking DCC");

        $transaction->body_resetpos;

        my $dcc = Net::DCCIf->new() or return DECLINED;

        my @recipients = map { $_->address } $transaction->recipients;

        # Hand the SMTP envelope and connection details to the DCC interface.
        $dcc->connect(
            env_from  => $transaction->sender->address,
            env_to    => \@recipients,
            clnt_addr => $self->connection->remote_ip,
            clnt_name => $self->connection->remote_host,
            helo      => $self->connection->hello,
        );

        # Send the headers, a blank separator line, then the body line by line.
        $dcc->send("header", $transaction->header->as_string);
        $dcc->send("header", "\r\n");
        while (my $line = $transaction->body_getline) {
            $dcc->send("body", $line);
        }

        my ($results, %mapping) = $dcc->get_results();
        my $output = $dcc->get_output();
        my ($key, $value) = split(/:/, $output, 2);

        # Record the verdict in the message headers and in the log.
        $transaction->header->add('X-DCC-Result', $results);
        $transaction->header->add('X-DCC-Metrics', $value);
        $self->log(1, "DCC: $results");
        $self->log(1, "DCC ($_): $mapping{$_}") for keys %mapping;
        $self->log(1, "DCC Metrics: $value");

        # Reject at SMTP time when DCC says so; otherwise leave it to other plugins.
        return (DENY, "DCC") if $results =~ /Reject/;
        return DECLINED;
    }

I guess we should add something like that to the distro, though it's VERY hacky and I'd rather something more sane were added.

Matt.

anti-spamassassin [was Re: (again) Proposed Patch for Spamassassin]
On 11 Oct 2004, at 20:26, John Peacock wrote:

> Matt Sergeant wrote:
>
> > As an ex spamassassin developer, I support the change. However I don't use the plugin (SA isn't aggressive enough for me), so don't take my word as gospel.
>
> That's what's funny - I don't use SA any more either! I'm using dspam to great effect:
>
> Your overall accuracy is 97.888%
>
> with only about 2 months training...

Pshawww.. Bayes is *so* last year's technology :-)

I have about 99.9% accuracy without bayes (or any per-user training). Though admittedly I sometimes quarantine my wife's newsletters :-)

My top tips:

Block anything without a Message-ID header.
Block anything without any Received headers.
Block anything found in CBL, SBL and SORBS.
Block anything HELOing with a string matching \d+[\.-]\d+
Block anything marked bulk in DCC.

That gets pretty much all my spam, though I have a few extras in there too.

Matt.

Re: anti-spamassassin [was Re: (again) Proposed Patch for Spamassassin]
On 11 Oct 2004, at 21:06, John Peacock wrote:

> > Block anything without a Message-ID header.
> > Block anything without any Received headers.
> > Block anything found in CBL, SBL and SORBS.
> > Block anything HELOing with a string matching \d+[\.-]\d+
> > Block anything marked bulk in DCC.
>
> I'm managing a corporate e-mail system, so I have to be less arbitrary.

The first two could probably be changed soon to anything without SPF/Sender-ID and without Received headers. Which would be less aggressive (those are the only two aggressive rules really) and still work quite well.

Oh, I forgot two 100% zero FPs guaranteed rules:

- Block anything HELOing as a domain in rcpthosts.
- Block anything HELOing as my IP address.

TBH, even if you're happy with dspam, stick some of these rules in front to get rid of the ABSOLUTE garbage that comes in, then let dspam mop up the rest.
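
Added example, not part of the original thread and not qpsmtpd code: a stand-alone Perl script that runs the HELO rules quoted in these messages (the three regular expressions plus the "own domain" and "own IP" checks) over a few HELO strings, to compare their false-positive behaviour. The rcpthosts entries, the IP address and every sample HELO string other than the two hosts Brian asks about are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed local settings (assumptions, not taken from the thread).
my %rcpthosts = map { lc($_) => 1 } qw(example.org mail.example.org);
my $my_ip     = '192.0.2.25';

# HELO patterns quoted in the thread, loosest first.
my @patterns = (
    [ 'two groups'   => qr/\d+[\.-]\d+/ ],
    [ 'three groups' => qr/\d+[\.-]\d+[\.-]\d+/ ],
    [ 'dotted quad'  => qr/\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}/ ],
);

# Return the name of every rule that a given HELO string would trip.
sub helo_hits {
    my ($helo) = @_;
    my $name = lc $helo;
    (my $bare = $name) =~ s/^\[(.*)\]$/$1/;   # accept [192.0.2.25] address literals
    my @hits;
    push @hits, 'own domain' if $rcpthosts{$name};
    push @hits, 'own IP'     if $bare eq $my_ip;
    push @hits, map { $_->[0] } grep { $helo =~ $_->[1] } @patterns;
    return @hits;
}

# Sample HELO strings; the first two are the hosts asked about in the thread,
# the rest are constructed.
my @samples = (
    '1-800-flowers.com',
    'mail9.23skidoo.com',
    'mail.example.com',
    'adsl-192-0-2-17.dyn.example.net',
    'example.org',
    '[192.0.2.25]',
);

for my $helo (@samples) {
    my @hits = helo_hits($helo);
    printf "%-34s %s\n", $helo, @hits ? join(', ', @hits) : 'accepted';
}
```

The two hosts from Brian's question trip only the two-group pattern, while the constructed dynamic-looking hostname trips all three.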