John Hardin wrote:
On Thu, 12 Feb 2009, Kris Deugau wrote:
What do you do to push that last 5% or so of missed spam over the
threshold from nonspam to spam?
Do you greylist?
Of course not. The assumption that spammers cannot follow RFCs is a
silly one. There are a variety of greylisting/triplet techniques that
make some sense but only if you assume that spammers won't likely use
RFC complaint mailers anytime soon.
Do you use any MTA-level DNSBLs?
No. I allow spamassassin to query dcc/pyzor/spamcop, but I don't trust
any one or even two of those DNS/URL blacklists with enough points to
categorize something as spam on their own because all of those
blacklists have had false positives. Especially spamcop.
You have to also keep in mind that there are spamassassin rules with
bugs, such as the relatively recent FM_FAKE_HELO_VERIZON bug, which can
lead to false positives if you aren't sufficiently cautious.
Categorizing spam in such a way that you can trust your spam box makes
the spam box much more valuable. Being overly aggressive with spam
filtering is more dangerous to email than spam itself.
The tendency I've observed in people is to see that you are getting
95-98% of their spam filtered (say, they were getting 200 a day, now
they get 3) and they want to find some way to get the filter to catch
those last three.
Delete the last three.
Best,
Jesse