Luis Hernán Otegui wrote: > Hi, list, I know this is one of those "egg and chicken" kind of > questions, but having now the possibility of checking the impact of > various setups, I was wondering if it is more convenient to let the MTA > perform the RBL checks, or disable them and let SA do this job. > Currently I am using zen.spamhaus.org <http://zen.spamhaus.org> as my > primary (and only) RBL tester on Postfix, and I am kinda surprised. The > daily statistics show that my server is rejecting almost 22000 > connections a day, and accepting only 2500-3000 emails. The major > drawback is bayes. It seems to lack the necessary amount of data to > catch up as the spam evolves, so I'm continuously getting new kinds of > spam (meaning that I can't figure out a tendency to draw a rule from). > So I'm asking if anyone has a solution for this, or how do you deal with > this (to me) dellicate balance. > > Thanks in advance, >
I try to block as much as I can before the messages ever hit SA using RBLs, HELO checks, greylisting, etc. for performance reasons. SA is a much more expensive check so I try not to run it more than necessary. I don't rely on Bayes here (my users can turn it on or off as they choose) but many of the default SA and SARE rulesets pick up changes in spam fairly quickly so new spam forms get detected soon enough. (/me hugs sa-update) If you still want to train on the RBL'd messages, you could configure your MTA to either feed the messages to sa-learn directly or deliver to a mailbox for later training. -- Randy Smith http://perlstalker.amigo.net/ "Work is the miracle by which talent is brought to the surface and dreams become reality." - Gordon B. Hinckley
signature.asc
Description: OpenPGP digital signature
