SpamAssassin-Milter accuracy...

Louis LeBlanc FreeBSD at keyslapper.org
Wed Jan 5 09:08:05 PST 2005


On 01/04/05 08:59 PM, Ted Mittelstaedt sat at the `puter and typed:
> 
> > <SNIP>
> 
> The only problem with doing this is that you have to completely
> receive the e-mail message before SA can check it against the
> blacklists.
> 
> We do the blacklist checks at the MTA level and turn them off in SA.
> As a result the e-mail is never accepted by the server if it's in a
> blacklist.  As a result of that if the spam is coming from a
> compromised mailserver then that mailserver will just requeue the
> message.  And with everyone on the Internet doing this, it will make
> the compromised mailserver melt down immediately, which will punish
> the admin of it for running an open mailserver in the first place.

Whether this is the "Right Thing To Do" may be debatable, but I think
you leave yourself open to rejecting legitimate email on the word of
an overzealous blacklister.  I read somewhere recently that some lists
had been known to blacklist servers simply because their admin was
critical of their listing criteria.  This is third hand, of course,
but you have to accept that blacklists have been compiled with very
objective criteria, and usually by overzealous anti-spammers.  Even
those that have automated criteria often rely on unconfirmed reports
to blacklist an IP.

Believe me, I'm all for thumping the spammers - and I mean hard.  I
was giddy when I read the story on the little ISP that was awarded $1
Billion from a spammer that kept their network on its knees for
months.  Still, it's probably not a good thing to run over innocent
pedestrians to get them.  I know an open relay isn't necessarily an
innocent pedestrian - more like a careless admin, but they're still
being victimized by the spammer too.

Not to say you shouldn't reject spam, but there are more reliable
ways, like amavis-new, which will check the message through
SpamAssassin, and reject it at the MTA if the threshold is high
enough.

It may be a little more load on your MTA, but you're rejecting email
because it's spam, not because someone has blackballed the originator.
That message still gets requeued on the relay, so the effect is still
an overloaded server.

I tried Amavis-new for SA checks at one point, and it works very
nicely.  I turned the spam checking off because I didn't like that it
was using global configs and preferences - I prefer per-user settings
because my mother and wife are signed up for mailings that set off a
lot of SA flags.  My Bayes DB is much better trained than theirs,
and I've got my threshold much lower (I use 2.0 with maybe 1 FP & < 20
FNs per 100,000 messages).  Not to say you can't rescan, or just
resort based on the score assigned through amavisd, but I'm more
inclined to put it aside and make darn sure it's spam myself.  So
Amavis scans email through the virus tools and leaves Spam checking to
Procmail and SA.

> > I do use the blackholes (check http://blackholes.us) at the MTA,
> > since rejecting mail outright from Asian (and a few African)
> > countries has reduced my spam intake by about 80%, without
> > reducing my legitimate mail by a single message.  Since I'm not
> > running a service for other people, and I carefully choose the
> > blackhole domains I use, it's not a problem for me.  Of course,
> > that may not be an option for you.  Someday I'll stop this
> > practice, but for now some of my doors are just plain closed.
> >
> 
> We don't use blackholes.us although I'll take a look at it.  About
> 50% of our incoming spam is blocked by the blacklist servers we do
> use.

I like the blackholes.  They have the upside of qualifying simply by
their country of origin.  They also have the downside of qualifying
simply because of their country of origin.  If you use them, you can
be fairly certain that you are only refusing connections - all
connections - from the country you intended.  The criteria are much
more concrete than the blacklists, and the lists are much more stable.

As I mentioned, I don't have acquaintances and don't do business with
anyone in Asia, so I feel fine simply not accepting email from the
biggest source of my spam.  When I turned them back on with my new
server, my spam instantly went down by 75%.  That's after using them
on my domains for over 2 years, and running my new server without them
for a few weeks.  Had I kept them off longer, I have no doubt the
stream would have increased - when I turned them on 2 years ago, my
spam went down by almost 95% in a matter of minutes, and over the
years the stream of rejects has diminished slowly.

Lou
-- 
Louis LeBlanc               FreeBSD at keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org                     Ô¿Ô¬

White dwarf seeks red giant for binary relationship.
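The two mechanisms discussed in this thread, rejecting at the MTA on a DNS blacklist hit before the message body is ever read, and accepting the message and then scoring it (the amavisd/SpamAssassin approach) with a high reject cut-off and a lower tag threshold, are shown side by side below. This is an added example, not code from the thread or from any of the tools mentioned; the zone names, the resolver table standing in for DNS, and the sample addresses are constructed for illustration, and a real deployment would issue DNS queries instead of consulting the dictionary. It also includes the check a practitioner wants around any DNSBL: only answers inside 127.0.0.0/8 count as a listing, so a decommissioned zone that starts wildcarding every name cannot silently reject all mail.

```python
"""DNSBL lookup and SMTP-time rejection versus accept-then-score.

Added example, not code from the original thread. Zone names, the
FAKE_DNS table and the sample connections are constructed.
"""
import ipaddress

# Constructed stand-in for DNS. A DNSBL answers a query for the reversed
# IPv4 address under its zone with an A record in 127.0.0.0/8.
FAKE_DNS = {
    # hypothetical country zone: every address the list attributes to a country
    "4.3.2.1.country.example.invalid": "127.0.0.2",
    # hypothetical reputation zone: an address reported as an open relay
    "8.7.6.5.relay.example.invalid": "127.0.0.3",
}

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    rev = ".".join(reversed(str(addr).split(".")))
    return f"{rev}.{zone}"


def dnsbl_lookup(ip: str, zone: str, resolve=FAKE_DNS.get):
    """Return the A record for a listed address, or None if not listed.

    Answers outside 127.0.0.0/8 are treated as 'not listed': a dead or
    wildcarded zone must never turn into a blanket rejection."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in LISTED_RANGE:
        return None
    return answer


def rcpt_policy(ip: str, zones, resolve=FAKE_DNS.get):
    """Decision before DATA, as an MTA-level blacklist check makes it.

    Returns (smtp_code, text). 554 is a permanent reject; the sender
    never transmits the body, so the message stays in its own queue."""
    for zone in zones:
        hit = dnsbl_lookup(ip, zone, resolve)
        if hit:
            return (554, f"Rejected: {ip} listed in {zone} ({hit})")
    return (250, "OK")


def content_policy(score: float, reject_at: float, tag_at: float = 5.0) -> str:
    """Decision after the full message has been received and scored.

    reject_at is the site-wide cut-off applied at the MTA; tag_at can be
    a per-user threshold (the post uses 2.0 for one mailbox)."""
    if score >= reject_at:
        return "reject"
    if score >= tag_at:
        return "tag"
    return "deliver"


if __name__ == "__main__":
    zones = ["country.example.invalid", "relay.example.invalid"]
    for ip in ("1.2.3.4", "5.6.7.8", "9.9.9.9"):
        print(ip, rcpt_policy(ip, zones))
    for score in (12.0, 6.0, 2.5):
        print(score, content_policy(score, reject_at=10.0, tag_at=2.0))
```

Run it directly to see the three connection decisions and the three scoring decisions; swap the `resolve` argument for a real resolver call to query an actual zone.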


More information about the freebsd-questions mailing list