Karsten Bräckelmann <guent...@rudersport.de> wrote:

> On Wed, 2009-03-04 at 16:02 +0100, Andrzej Adam Filip wrote:
>> Karsten Bräckelmann <guent...@rudersport.de> wrote:
>
>> > About 98-99% of my spam in-stream scores as high, that any such proposal
>> > results in a useless increase of the score.
>> >
>> > The problem lies with the LOW scoring spam. Alas, these do not tend to
>> > trigger on a solid subset or meta as you proposed. In particular, RBL
>> > hits are quite rare, even more so for multiple hits. The few rules hit
>> > by low scorers are quite diverse, which complicates this.
>> 
>> Maybe SpamAssassin should create a set of tests intended for use before
>> replying to "RCPT TO:" in the SMTP session?
>> [ test based on: sending IP address, envelope sender, envelope
>> recipient, and name in helo/ehlo ]
>
> This would be an entirely different application, not SA, wouldn't it?

It can be developed using the same "spam score" logic, based on a subset of
all tests, requiring only the subset of "final data" available during
"classic run".

I do think that promoting tools that encourage postmasters to care very
much about mail server (IP address) reputation can make a real difference,
e.g. caring to be above reputation "none" in DNSWL to avoid grey-listing.

> Well, this probably could be done in SA using a multi-level protocol
> capable of returning values at different stages. However, this seems
> perfectly suited for a lightweight tool, rather than a hog that is
> designed to scan and process entire messages. :)

During initial tests/deployment a *much* simpler implementation can be
used, with the recommended action based on spam score:

It would require a redesign of the 50_scores.cf structure.
  e.g. instead of
    score RCVD_IN_DNSWL_HI 0 -8 0 -8
  something like that
    # N - Network, B - Bayes, nX - no X, R - "RCPT TO:"
    score RCVD_IN_DNSWL_HI nNnB=0 NnB=-8 nNB=0 NB=-8 R=-8
  or shorter
    score RCVD_IN_DNSWL_HI N=-8 R=-8

>> Possible "recommended actions":  accept, temporary reject, permanent
>> reject - with choice based on "spam score" *AND* mail source reputation.
>> 
>> Temporary reject in SMTP session should increase chances of DNSBL hits
>> by reducing "blind spot" period of newly created spam sources.
>
> Experience with grey-listing, tempfail or whatever varies wildly given
> the posts to this list. Some do report, that the zombies won't retry
> anyway after being tempfailed once. So a later DNSBL hit after the list
> catching up and DNS propagation may be even irrelevant.

There are "DUL zombies" that effectively do frequent "IP address hopping"
and "static NAT zombies". The former are bigger in number, the latter
produce higher spam volume (IMHO).

-- 
[pl>en: Andrew] Andrzej Adam Filip : a...@onet.eu
All the taxes paid over a lifetime by the average American are spent by
the government in less than a second.
  -- Jim Fiebig
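
The keyed `score` syntax proposed in the message above, shown as an added example that is not part of the original post and not SpamAssassin code. The expansion of the short keys `N`/`B`, the default of 0 for unspecified sets, the `EXAMPLE_*` rule names and the two action thresholds are all assumptions made for illustration.

```python
# Added example, not SpamAssassin code: parser for the score syntax proposed above.
SETS = ("nNnB", "NnB", "nNB", "NB")   # classic score sets 0..3, as labelled in the post
# Assumption: a short key "N" (or "B") sets every score set with network (or Bayes) on.
SHORT = {"N": ("NnB", "NB"), "B": ("nNB", "NB")}


def parse_score(line):
    """Return (rule, {set_name: score}) for a classic or keyed 'score' line."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 3 or fields[0] != "score":
        raise ValueError("not a score line: %r" % line)
    rule, vals = fields[1], fields[2:]
    scores = dict.fromkeys(SETS + ("R",), 0.0)    # unspecified sets default to 0
    if "=" not in vals[0]:
        nums = [float(v) for v in vals]
        if len(nums) == 1:
            nums *= 4                   # classic single value applies to all four sets
        if len(nums) != 4:
            raise ValueError("expected 1 or 4 scores: %r" % line)
        scores.update(zip(SETS, nums))  # classic lines carry no RCPT-stage score
        return rule, scores
    for item in vals:
        key, sep, val = item.partition("=")
        targets = SHORT.get(key, (key,))
        if not sep or any(t not in scores for t in targets):
            raise ValueError("bad score item %r in %r" % (item, line))
        for t in targets:
            scores[t] = float(val)
    return rule, scores


def rcpt_action(hits, table, tempfail_at=3.0, reject_at=8.0):
    """Sum the R scores of the rules hit and map the total to an SMTP action.
    The two thresholds are illustrative assumptions, not values from the post."""
    total = sum(table[r]["R"] for r in hits if r in table)
    if total >= reject_at:
        return total, "permanent reject"
    if total >= tempfail_at:
        return total, "temporary reject"
    return total, "accept"


# Constructed sample config: the first line is from the post, the rest are made up.
SAMPLE = """\
score RCVD_IN_DNSWL_HI N=-8 R=-8
score EXAMPLE_DNSBL_HIT N=3 R=4
score EXAMPLE_HELO_FORGED nNnB=1 NnB=1 nNB=1 NB=1 R=5
"""
TABLE = dict(parse_score(l) for l in SAMPLE.splitlines())

if __name__ == "__main__":
    print(rcpt_action(["EXAMPLE_DNSBL_HIT"], TABLE))
```
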
