Hi all.

Thanks for all the answers. I am afraid I was being naive.
I was explicitly thinking of a scenario like this: filter as
much as possible 'unsolicited email' sent by some (possibly)
'infected' account.

I thought that turning off the Bayesian classifier (and the
RBL checks) would still let me catch the occasional
spam email. Of course there's already a ClamAV filtering
system for all the outgoing email.

In the past week one of our outgoing SMTP servers was blacklisted
for 12 hours (just to be clear: it was not SpamHaus).
Unfortunately, looking at the logs did not give me any clues: there
were no spikes of bulk email sent to thousands of users or
anything particularly suspicious. And the blacklist manager did
not provide any additional information about the incident.

On 12.08.2014 08:43, Matus UHLAR wrote:
> That means many of the rules that push over the limit will not hit.
> You still should not push required_score down, I remember outgoing mail
> being blocked by inherited servers for hitting 7.0...

I was thinking about using a 5.0 threshold but given your example
I guess I should push it up to 8.0.

On 11.08.2014 23:15, Karsten Bräckelmann wrote:
>
> Define spam.
>
> Running SA on your outgoing SMTP will not catch botnet generated junk,
> neither spam nor malware. This would require sniffing raw traffic. Or
> completely firewalling off outgoing port 25 connections.
> You explicitly mention your users (corporate or home?) "sending mail".
> Are you talking about them possibly running bulk sending services, or
> hand crafted unsolicited mail to individual recipients?

If possible I would like to catch both but, as already said, this
is going to be quite hard. I will add Pyzor/DCC to the mix and see
if it can help.

On 11.08.2014 23:15, Karsten Bräckelmann wrote:
> Unless there's a 419 gang operating from your internal network, there
> might not be much left for SA with stock rules to classify spam...

No 'spam gang' so far but I will keep my eyes open :-).

Best regards,
  Matteo
