[Esd-l] Spam Filtering

Howard Lowndes lannet at lannet.com.au
Wed Jul 31 03:19:01 PDT 2002


On Wed, 31 Jul 2002, Bill Larson wrote:

> Simple spam control with very few false positives.

Except that each line involved a DNS lookup for each source address in the
email header, and that does nothing for the performance of your MTA.

Add to that the aggressiveness of RBLs such as SPEWS where you can get
malicious false positives, and I question the usefulness of so many RBLs.

>
> FEATURE(`dnsbl', `blackhole.compu.net')dnl
> FEATURE(`dnsbl', `list.dsbl.org')dnl
> FEATURE(`dnsbl', `opm.blitzed.org')dnl
> FEATURE(`dnsbl', `dun.dnsrbl.net',`dnsrbl refused - Dialup address use your local mailserver')dnl
> FEATURE(`dnsbl', `Dialups.relays.OsiruSoft.com',`osirusoft refused - Dialup address use your local mailserver')dnl
> FEATURE(`dnsbl', `bl.spamcop.net')dnl
> FEATURE(`dnsbl', `inputs.relays.osirusoft.com')dnl
> FEATURE(`dnsbl', `relays.ordb.org')dnl
> FEATURE(`dnsbl', `Spamsites.relays.OsiruSoft.com')dnl
> FEATURE(`dnsbl', `Spamhaus.relays.OsiruSoft.com')dnl
> FEATURE(`dnsbl', `Spews.relays.OsiruSoft.com')dnl
> FEATURE(`dnsbl', `flowgoaway.com')dnl
> FEATURE(`dnsbl', `pm0-no-more.compu.net')dnl
> FEATURE(`dnsbl', `blackholes.intersil.net')dnl
>
> Statistics from Sat Jul 27 23:39:06 2002
>  M   msgsfr  bytes_from   msgsto    bytes_to  msgsrej msgsdis  Mailer
>  4   16,286    331,691K    3,474    205,802K      259       0  esmtp
>  9    5,312    212,449K   19,954    436,020K      509       0  local
> =============================================================
>  T   21,598    544,140K   23,428    641,822K      768       0
>  C   21,598               23,428                32,812
>
> So I have rejected 33,812 spamming attempts roughly 42% of the connections
> to the server using the above methods only in 4 days. Doing this I average
> 1-2 spams per day while without this I would average 50 plus to my personal
> mail box. I get approx 1 user complaint/comment every 3 months from the
> several thousand users on this box. blackhole.compu.net is where I add those
> spam that slip through the other blackhole lists.
>
> Bill Larson
> Network Administrator
> Compu-Net Enterprises
>
> ----- Original Message -----
> From: "Peter Hanecak" <hanecak at megaloman.com>
> To: "Eric Brosius" <ebrosius at sunyorange.edu>
> Cc: <esd-l at spconnect.com>
> Sent: Wednesday, July 31, 2002 2:35 AM
> Subject: Re: [Esd-l] Spam Filtering
>
>
> > Hello,
> >
> > On Tue, 30 Jul 2002, Eric Brosius wrote:
> >
> > > As are most admins, we're getting a little sick of all the spam floating
> > > around the internet.  I've read through past emails and I'm going to look
> > > into the links on procmail's website.  But I'm curious to hear what most
> > > of you are doing to block 'unwantable' words in the subject and/or body
> > > of messages.  What works best?  Does the sanitizer do it?  What is
> > > everyone doing about it??  Thanks for sharing the knowledge.
> >
> > I'm using a set of simple procmail rules and sendmail's access file to help me
> > with SPAM:
> >
> > 1) "for sure" rules: those rules (I hope) are (and have to be) 100%
> > without false-positives; they do not catch every SPAM but catch most of
> > it; (note: I'm not sorting any messages to /dev/null so there is no
> > possibility of losing something and also to have some statistics)
> >
> > example:
> >
> > # some SPAM has "To" field set to addresses like
> > # Undisclosed.Recipients at our.gateway.com so I know for
> > # sure that this is some "To" faking in progress and
> > # message is SPAM, scum or something along that line
> > :0:
> > * ^To.*(Undisclosed.Recipients|Money.in.Motion)@our.gateway.com
> > mail/spam`date +%y`
> >
> >
> > 2) "almost 100% accuracy" rules: those rules are trying to catch SPAM and
> > mostly SPAM but I'm aware that some legitimate messages can be caught by
> > those rules (even if possibility is 1:1000); those rules filter messages
> > to something I can call SPAM quarantine and I'm looking at this quarantine
> > once a day
> >
> > example:
> >
> > # set of rules which catches messages not directed to me - I'm
> > # omitting them while there are quite a lot of them like:
> > # :0:
> > # * ^TO_.*hanecak at megaloman.com
> > # mail/spam-quarantine
> > # false-positives are messages, which are BCCed to me
> >
> > # rule to catch those quite "polite" senders of
> > # unwanted advertisement
> > :0:
> > * ^Subject.*ADV\:
> > mail/_spam
> >
> >
> > 3) rest is sorted as "every mailing list has its folder" and rest goes to
> > INBOX
> >
> > 4) notorious junk senders are placed in sendmail's access file with
> > "ERROR:550 Spammers are banned from our site" and (if that control is
> > effective) messages from them are not delivered to me (and
> > colleagues) anymore
> >
> >
> > In that way it goes like this (applies to this year):
> >
> > 1) I received 3340 unwanted junk messages this year (compare to
> > 1944 junk messages last year!)
> >
> > 2) about 6-7 (but sometimes even 20) daily of that is filtered to
> > spam-quarantine which I quickly scan for false-positives and rest
> > move to spam`date +%y`
> >
> > 3) about 2-4 per week of that make it to my INBOX
> >
> > 4) about 20 messages per week are caught by sendmail's access
> > file so they are not received
> >
> >
> > Such a system is not that complicated (no AI, no score based filtering, ...,
> > ...), has some weak points but makes it possible for me to work with
> > e-mail.
> >
> >
> > So now I will enjoy hearing about this from others! :)
> >
> >
> > Sincerely
> >
> > Peter
> >
> > --
> > ===================================================================
> >   Peter Hanecak <hanecak at megaloman.com>
> >   GPG pub.key: http://www.megaloman.com/gpg/hanecak-megaloman.txt
> > ===================================================================
> > _______________________________________________
> > Esd-l mailing list
> > Esd-l at spconnect.com
> > http://www.spconnect.com/mailman/listinfo/esd-l

-- 
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
"I tried having cybersex once, but I kept getting a busy signal."
 - You've Got Mail
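
The lookup cost raised in this reply, shown as an added example that is not part of the original thread: each configured list means one DNS query per address checked, built from the reversed octets plus the zone, and a caching resolver is what keeps repeat connections cheap. The function and class names, the stub resolver and the sample listing are assumptions made for the illustration; the zone names are five of those quoted above.

```python
import ipaddress

# Five of the zones from the FEATURE(`dnsbl', ...) lines quoted above.
ZONES = ["blackhole.compu.net", "list.dsbl.org", "opm.blitzed.org",
         "dun.dnsrbl.net", "bl.spamcop.net"]

# Constructed stub data (not real listings): 192.0.2.10 is a documentation
# address, "listed" here only in the last zone.
STUB_LISTINGS = {"10.2.0.192.bl.spamcop.net": "127.0.0.2"}


def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: reversed octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class CountingResolver:
    """Hypothetical stand-in for DNS: answers from a dict, counts upstream
    queries, and caches hits and misses (None = NXDOMAIN) for ttl seconds."""

    def __init__(self, listings, ttl=300, clock=lambda: 0):
        self.listings, self.ttl, self.clock = listings, ttl, clock
        self.cache, self.upstream = {}, 0

    def lookup(self, name):
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[0] > now:
            return hit[1]                      # served from cache
        self.upstream += 1                     # stands for a real DNS round trip
        answer = self.listings.get(name)
        self.cache[name] = (now + self.ttl, answer)
        return answer


def check(ip, zones, resolver):
    """Try each zone in order and stop at the first listing.
    Returns (zone that listed the address or None, answer or None)."""
    for zone in zones:
        answer = resolver.lookup(dnsbl_name(ip, zone))
        if answer is not None:
            return zone, answer
    return None, None
```

An address that is on none of the lists costs one query per zone before it is accepted, which is why the order and number of lists matter when no cache sits in front of them.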


