[NCLUG] SpamAssassin Testimonials?

[Sean Reifschneider]

On Mon, Jul 21, 2003 at 10:59:02PM -0600, Bob Proulx wrote:
>That is not surprising given your higher threshold.  And unfortunately

Yeah, I pushed it down to 3.5 and that has helped a lot.  There's still
a fair bit getting through that's at 3.5 and below.  Only about 35% of
what I was seeing with it at 6.5 though.  Obviously, many spammers know
about SpamAssassin and are working to keep their numbers low.

>SA folks are hoping the Bayesian Inferencing engine will compensate
>here.  I am less confident in the current Bayes implementation.

I've been plugging stuff into the Bayes stuff, but I'm not sure it's
been helping.  I used to use a Razor as one of the settings, and I think
that helped a lot.  I need to look into re-enabling that again.

>I would still stick with 5 but I would also engage the Bayesian engine
>too.  I get huge amounts of spam as well although not that much,
>around 30-50 a day.  But very few are getting past SA.  Around 2-3 a
>week.

I've been training all the spam that's been getting through for nearly a
month now and it hasn't helped as much as I'd hoped.  I took a look at
the spam that was getting through and dropping it from 6.5 to 5 really
wouldn't have gotten rid of that much.  Maybe only 20%.  3 to 3.5 would
get rid of about 65%, but a suprising number of the messages were coming
in between 0 an 1, about 15%...

I'm ok with pushing it down fairly far, because users will now get
immediate feedback if their mail has been marked as spam and can cause
it to get delivered to me fairly easily.  So far over the last 2 days,
1417 messages have been delivered through and 2966 have been held in the
spampit.  No pitted messages have been confirmed.

>This really has an attraction to it.  I am interested in your
>experience with it.  After you have some usage I hope you will report
>back to the list.

We're now running it on 75% of our e-mail addresses and it seems to be
working well so far.  I've had to do some tuning to try to get it to not
send confirmations to obviously invalid addresses (sometimes they'd just
end up going through to us, depending on how they were formed).  It's
looking good so far, but a few weeks of data will be good to have.

>Unfortunately there is a worst of both worlds factor as well.  a) TMDA
>really has an annoyance factor.  Many on the net are vocal about this.

Yeah, I know a lot of people really hate this, but unfortunately we live
in a world that's kind of making it happen.  Sad but true.  I haven't
set up TMDA yet because acking all the messages is really annoying.
However, the fact of the matter is that if it weren't for this sort of
TMDA, your message would just be totally ignored by me.  At least this
way you know it didn't go through and can do something about it.  If
your message isn't spammy, it should go through without trouble.

Even with my SpamAssassin set up at 6.5, I was getting well over 200
messages that I would have to manually review to try to see if they were
spam or not, and I found that I didn't really have the time to do it.

>b) If you get email from your stock broker or an automated account it
>will never be acked.

That's true.  If my stock broker sends me a message that gets caught by
SpamAssasin, they probably have bigger problems than just having to
confirm the message.

>c) This tends to interact badly with mailing
>lists (seen it several times now) so you need to make sure they are
>whitelisted appropriately which is tedious up front work.

That doesn't seem like such a problem, because I set up mailing lists to
forward to their own mailboxes, so when I subscribe I tend to be doing
something anyway.  Plus, it's only SPAMMY messages that would trigger
it, so subscribe confirmations should get through no problem, etc.

>by replying (with a tmda confirmation) the ack will most likely be
>undeliverable and will add to the mail congestion.

Maybe if the congestion problem gets bad enough it'll cause something to
actually be done about providers that are harboring spammers.  Goodbye
Asia.  ;-)

>f) If the reply works then you are likely to get on more spam lists.

Maybe.  Some spammers are using VERPs and the like so that replies to
the sender address cause you to get taken off the list.  Sure, I suspect
some would use a confirmation as an indication that the address is
valid, but I'm just not concerned with trying to stay off the lists.  I
believe that's a futile endevor.

>Of these b) is probably the most serious.  There will be times when
>you need to accept an email from your grandmother even though it looks
>like spam and you won't be able to convince them to ack it.

Ha ha ha.  My grandmother can't set the clock on the microwave.  We've
offered to set her up a computer, but she couldn't be more uninterested.
As far as I can tell, my mother believes that e-mail is a read-only
system.  I've gotten *ONE* e-mail from my mother.  Ever.

Anyway, if they won't ack it, I can whitelist it and future messages
will get through.  I'm not THAT worried about that problem.  I know
there will be continuing shrapnel because some people think that it's
acceptable to send out millions of messages an hour to people all over
the internet to gain a buck.

>This comment leads me to believe you are doing your own TMDA
>implementation.  True of false?  Or connecting the well known
>http://tmda.net with http://spamassassin.org?

I had to build my own.  tmda.net's implementation wasn't designed to
work in an environment like mine.  I finally had to give up on using
TMDA and I rolled my own system that works much better for me.

Sean
-- 
 "Of course," said my grandfather, pulling a gun from his belt as he
 stepped from the Time Machine, "There's no paradox if I shoot YOU!"
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995.  Qmail, Python, SysAdmin