[NCLUG] SpamAssassin Testimonials?

Sean Reifschneider jafo at tummy.com
Thu Jul 24 03:09:58 MDT 2003


On Wed, Jul 23, 2003 at 10:19:28PM -0600, Bob Proulx wrote:
>might think it is spam.  But I would like to see a markovian chain
>used instead to find the probability that certain words together such

Yeah, I was playing with something similar to that at one point, but
didn't get too far with it.  It seems more likely to catch things.
"Interest rates rising in FORT COLLINS area", to cite a recent
example...

>as "make money fast" are more likely to be spam.  (And by just
>mentioning these words I wonder how many list members won't ever see
>this message because it will be filed as spam. :-)

Sorry, you only got a 0.1 on my SpamAssassin.

>DCC is better because it makes no claim about spaminess.  All you know
>with DCC is that someone else got the same message as you got.  Which
>is a good indicator for some things like directed email but obviously
>everyone on the mailing list got the same mailing list message.  But

Hmm, I guess I was confusing Razor with DCC.  It's DCC that I used in
the past with success.  Few mailing lists are widely enough distributed
that you'd see hundreds of thousands or millions of hits in DCC for a
mailing list.  Whereas most spam you'd easily see that.

>checks.  Right now all of the rules are frozen and they are tweaking
>scores in preparation for the upcoming SA-2.60 release.  This is a
>cyclic lifecycle of big changes, little changes, freeze and tweak,
>release, repeat.  At this moment things are almost ready for release.

Yeah, I guess I should spend some more time now that I'm getting less
spam trying to see what's getting through, or at least reporting my less
spammy spam for them to look at.  I don't even know if they want to see
that sort of thing.

>Impressively large numbers.  Are you using any RBLs too?  If not then

Yes, definitely using RBLs.  My numbers have changed a bit.  I now have
two confirmations that have been sent to the spampit since Sunday
afternoon.  One was a spammer from Brazil confirming a message, the
other was someone mailing me personally from a DUL.

Current numbers for blocking/allowing are 6638 and 2585.

Running those numbers, on average between the 4 of us at tummy.com,
if we weren't using something that did a good job filtering spam, we'd
have to deal with a spam on average of once every 45 seconds, night,
days, and weekends.

>I also use bl.spamcop.net which lists reported UBE.  Historically

bl.spamcop.net is listed as being not production ready, and they have
pretty serious problems with helping people get off their lists.  One of
our clients has been on them repeatedly this last week, and the best
SpamCop can do to help track down what sort of message is triggering
this listing is to send *ONE* received line from *ONE* message, heavily
edited, with no listed timezone, IIRC.  Totally worthless.

>Here is last week's stats of mail blocked using these on my server.
>Also, order matters.  The first one in the list that matches stops
>searching through the rest of the list.  Looking at this I should
>reorder my checks.
>
>     14 relays.ordb.org
>    948 bl.spamcop.net
>     65 list.dsbl.org
>     52 relays.osirusoft.com

You aren't using SpamAssassin to check the RBLs?  SA fires off all the
checks at the same time, but uses a sliding window for the number of
responses it will wait for before continuing on.  If it has 90% of the
responses back, it will give up after a second.  If it only has 50% of
the responses, it will keep listening for 15 seconds.  That sort of
thing...

>I disagree.  But it all depends upon your attitude toward email.  If
>you count it as opportunistic only then you only lose out on the
>opportunity and no big deal.  But if you count on it for more than
>that then you are still out the message.

My attitude is that I want to communicate with everyone who is
corresponding with me.  Even the ones just asking "I saw your page,
here's something that's only superficially related to what you are doing,
why isn't it working?"  :-)  However, I just have to draw the line
somewhere.  I'm willing to draw that line a bit further away, if they
have the opportunity, in most cases, to get immediate feedback and
correct the problem.

>Actually the problem is a list message will look spammy, the TMDA will
>send a confirmation message to the mailing list, everyone on the list
>will gripe about it.  It is at least as bad as sending "testing,
>ignore" messages to mailing lists.

If your TMDA is not sending to the envelope sender, or your
mailing list is using the submission address as the envelope sender,
then you probably have bigger problems than TMDA on the list...

>But the congestion will be on your mail servers.  If you can actually
>get back to the spammer I am surprised.

Hey, if my mail server can work a little harder to prevent me from
having to deal with some spam, I'm not going to complain.  It's not like
I have to save up cycles like they're water or anything...  If I don't
use those cycles now, they're wasted forever.  I can never make use of
them again.

My time is expensive, cycles on my mail server are cheap.

>of the same magic image.  Tragicomically the image was configured as
>an open relay.  Which meant there were a few thousand open relays all
>identical and easy to find.

Yep.  And they've been SO quick to move to fix them...  Remember when
EVERY mail server on the net was an open relay?  Most of us learned back
in the <gasp> mid '90s that we could no longer do that.  These people
apparently need some more education.

>I suggested that myself once on one of the spam discussion lists.  The
>general consensus, after the hysterical laughter died out, was that
>spammers never take anyone off of their lists.  I think I agree since

Some spammers don't.  Some spammers definitely do.  I *HAVE* seen VERPs
in spam I've received, some that even didn't bounce when a message was
sent to them.

Sean
-- 
 Let's just say that their monkeys aren't quite typing Shakespeare.
   -- Sean Reifschneider, speaking about Quicken support, 2001
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995.  Qmail, Python, SysAdmin
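
Added example, not part of the message above and not SpamAssassin's own code: a small model of the RBL wait window the message describes, where all lookups are sent at once and the time limit shrinks as more replies arrive. Only the two points (90% of replies: 1 second, 50%: 15 seconds) come from the message; the straight-line interpolation between them and the names `wait_limit` and `finish_time` are assumptions.

```python
def wait_limit(fraction_done, short=1.0, long=15.0, lo=0.5, hi=0.9):
    """Total seconds to keep listening, given the fraction of replies received."""
    if fraction_done >= hi:
        return short
    if fraction_done <= lo:
        return long
    # Assumption: straight line between (lo, long) and (hi, short).
    return long - (fraction_done - lo) / (hi - lo) * (long - short)


def finish_time(arrivals):
    """arrivals: seconds after the queries were sent at which each RBL
    answered, or None for a list that never answers.
    Returns (time the checker stops waiting, number of replies it used)."""
    total = len(arrivals)
    if total == 0:
        return 0.0, 0                  # nothing was queried
    got = 0
    limit = wait_limit(0.0)
    for t in sorted(a for a in arrivals if a is not None):
        if t > limit:
            return limit, got          # window closed before this reply
        got += 1
        limit = wait_limit(got / total)
        if got == total or t >= limit:
            return t, got              # all in, or the window shrank past now
    return limit, got                  # the remaining lists never answered


if __name__ == "__main__":
    # Constructed timings for ten RBLs; None marks a list that is down.
    samples = {
        "one list down":       [0.1] * 9 + [None],
        "half the lists down": [0.2] * 5 + [None] * 5,
        "one slow list":       [0.1] * 9 + [5.0],
        "all answer quickly":  [0.05, 0.1, 0.2, 0.3],
    }
    for name, arrivals in samples.items():
        stop, used = finish_time(arrivals)
        print(f"{name:20s} stop after {stop:5.2f}s using {used}/{len(arrivals)} replies")
```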


