> Date: Mon, 17 Oct 2011 19:10:28 -0400
> From: [email protected]
> To: [email protected]
> Subject: Re: Why doesn't anything at all get these botnet spammers?
> 
> On 10/15, Jenny Lee wrote:
> > fwoicka odrp jbguybf etvwmbwm
> > i aluawj ggn. http://[redacted].tumblr.com/ poxpzafxc, cl ipcvlhboht
> > ajjd wfyy vjrmafmgas ntqewzxa xtsf qwkvoiiof jogdhxhmkw pdyyfdoiu.
> 
> Is anybody else having a problem with this kind of spam? I definitely find
> it interesting. It doesn't sound likely to be very profitable.
 
We do have many domains and he hits most of them. I am positive many people get 
this.
 
It is profitable, because either:
 
a. He gets money from those porn sites per signup
b. He is those porn sites
 
As with everything else, the head of the snake must be severed (as in pharma or 
akai spam).  I am sure few knowledgeable people can cut his main income so he 
would not be doing this. It is similar porn sites all the time.

 
> On 10/17, Jenny Lee wrote:
> > What baffles me is why it takes so long for RBLs to catch up on the
> > URL.
> 
> Are you reporting them?
 
Unfortunately, as I mentioned earlier, we are not in a position to constantly 
do maintenance in our mails.
 

> On 10/17, Jenny Lee wrote:
> > Why bother trying to defeat 1/4 of botnet SPAM? I was getting rid of *all*
> > of it with greylisting for 3-4 years. No need for bothering with MXes.
> 
> So why don't you go back to greylisting without spamassassin? Nobody
> profits from you using SA, use whatever works for you.
 
We probably will do that since SA is taking too much of our time.

 
> Or if your bayes is so accurate, just increase the scores for those rules?
> 
> score BAYES_00 -5
> score BAYES_05 -4
> score BAYES_20 -3
> score BAYES_40 -2
> score BAYES_50 5
> score BAYES_60 6
> score BAYES_80 7
> score BAYES_95 8
> score BAYES_99 9
> 
> (To be clear, I don't recommend this for most people, only if you have
> bayes results as accurate as Jenny.)
 
I do have top one high. I have not seen BAYES_80 or BAYES_95 before, so it is 
not necessary to set it. It is always BAYES_99. I have seen BAYES_60 though, 
but I am not keeping that high just in case. Our legit mail is not being 
mistakenly caught, so I have not bothered with lower scores either.
 

> With such accurate bayes results, that should override most other results.
> And if you're just using bayes, might as well not use spamassassin and go
> with a dedicated bayesian filter like spamprobe.
 
Thank you for this information. I will check it out. Without bayes, SA does not 
work at all for us.

 
> > We get about 10-20 legit emails (everyone uses internal IM) with
> > 40000-50000 SPAM a day. Most of which is same-sender/same-recipient
> > rejected at transaction stage. Spamd processes about 10K a day.
> 
> Blocking more than 99% of spam, without blocking a problematic amount of
> non-spam, is hard.
 
Bayes seems to be working very well in this aspect. Our issue is not with FPs. 
We are not having any issues with our legit mail. It is only this guy's spam that is 
passing through (which is taken care of by custom rules, but requiring constant 
maintenance). We have some very old domains and these domains are used in 
commonly-typed email addresses (like [email protected] (me.com is not ours, just 
an example, I am not disclosing our domains here) ).

> > When we were implementing only greylisting, no spam except ebolamonkey 419
> > spam passed through. That was easy to discard with simple procmail
> > filters. However, our client's RHEL5 sendmail did not play well with
> > greylisting, so we decided to do sa+grey.
> 
> Postfix + postgrey worked great for me, when I last felt a need to use
> greylisting. 
 
We use sendmail + milter-greylist.
 
Thank you for all the help in this list. I learnt quite a few things during these 
conversations.
 
Jenny                                     
