From owner-freebsd-questions@FreeBSD.ORG Wed Jan 5 17:08:05 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BACE516A4CE; Wed, 5 Jan 2005 17:08:05 +0000 (GMT)
Received: from out009.verizon.net (out009pub.verizon.net [206.46.170.131]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3276C43D46; Wed, 5 Jan 2005 17:08:05 +0000 (GMT) (envelope-from FreeBSD@keyslapper.org)
Received: from keyslapper.org ([68.163.177.192]) by out009.verizon.net (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP id <20050105170804.ZXLY24088.out009.verizon.net@keyslapper.org>; Wed, 5 Jan 2005 11:08:04 -0600
Received: from localhost (localhost [127.0.0.1]) by keyslapper.org (Postfix) with ESMTP id B1E7611C8B; Wed, 5 Jan 2005 12:08:03 -0500 (EST)
Received: from keyslapper.org ([127.0.0.1]) by localhost (keyslapper.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 14690-01; Wed, 5 Jan 2005 12:08:03 -0500 (EST)
Received: by keyslapper.org (Postfix, from userid 1001) id 102FB11C6E; Wed, 5 Jan 2005 12:08:03 -0500 (EST)
Date: Wed, 5 Jan 2005 12:08:03 -0500
From: Louis LeBlanc <FreeBSD@keyslapper.org>
To: freebsd-questions@freebsd.org
Message-ID: <20050105170802.GB4043@keyslapper.org>
Mail-Followup-To: freebsd-questions@freebsd.org
References: <20050104170920.GD94265@keyslapper.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To:
User-Agent: Mutt/1.5.6i
X-Virus-Scanned: amavisd-new at keyslapper.org
X-Authentication-Info: Submitted using SMTP AUTH at out009.verizon.net from [68.163.177.192] at Wed, 5 Jan 2005 11:08:04 -0600
Subject: Re: SpamAssassin-Milter accuracy...
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: freebsd-questions@FreeBSD.org
List-Id: User questions
X-List-Received-Date: Wed, 05 Jan 2005 17:08:05 -0000

On 01/04/05 08:59 PM, Ted Mittelstaedt sat at the `puter and typed:
>
> The only problem with doing this is that you have to completely
> receive the e-mail message before SA can check it against the
> blacklists.
>
> We do the blacklist checks at the MTA level and turn them off in SA.
> As a result the e-mail is never accepted by the server if it's in a
> blacklist. As a result of that if the spam is coming from a
> compromised mailserver then that mailserver will just requeue the
> message. And with everyone on the Internet doing this, it will make
> the compromised mailserver melt down immediately, which will punish
> the admin of it for running an open mailserver in the first place.

Whether this is the "Right Thing To Do" may be debatable, but I think you leave yourself open to rejecting legitimate email on the word of an overzealous blacklister. I read somewhere recently that some lists had been known to blacklist servers simply because their admin was critical of their listing criteria. This is third hand, of course, but you have to accept that blacklists have been compiled with very objective criteria, and usually by overzealous anti-spammers. Even those that have automated criteria often rely on unconfirmed reports to blacklist an IP.

Believe me, I'm all for thumping the spammers - and I mean hard. I was giddy when I read the story on the little ISP that was awarded $1 Billion from a spammer that kept their network on its knees for months. Still, it's probably not a good thing to run over innocent pedestrians to get them. I know an open relay isn't necessarily an innocent pedestrian - more like a careless admin, but they're still being victimized by the spammer too.
Not to say you shouldn't reject spam, but there are more reliable ways, like amavis-new, which will check the message through SpamAssassin and reject it at the MTA if the threshold is high enough. It may be a little more load on your MTA, but you're rejecting email because it's spam, not because someone has blackballed the originator. That message still gets requeued on the relay, so the effect is still an overloaded server.

I tried Amavis-new for SA checks at one point, and it works very nicely. I turned the spam checking off because I didn't like that it was using global configs and preferences - I prefer per-user settings because my mother and wife are signed up for mailings that set off a lot of SA flags. My Bayes DB is much better trained than theirs, and I've got my threshold much lower (I use 2.0 with maybe 1 FP & < 20 FNs per 100,000 messages). Not to say you can't rescan, or just resort based on the score assigned through amavisd, but I'm more inclined to put it aside and make darn sure it's spam myself. So Amavis scans email through the virus tools and leaves Spam checking to Procmail and SA.

> > I do use the blackholes (check http://blackholes.us) at the MTA,
> > since rejecting mail outright from Asian (and a few African)
> > countries has reduced my spam intake by about 80%, without
> > reducing my legitimate mail by a single message. Since I'm not
> > running a service for other people, and I carefully choose the
> > blackhole domains I use, it's not a problem for me. Of course,
> > that may not be an option for you. Someday I'll stop this
> > practice, but for now some of my doors are just plain closed.
> >
>
> We don't use blackholes.us although I'll take a look at it. About
> 50% of our incoming spam is blocked by the blacklist servers we do
> use.

I like the blackholes. They have the upside of qualifying simply by their country of origin. They also have the downside of qualifying simply because of their country of origin.
If you use them, you can be fairly certain that you are only refusing connections - all connections - from the country you intended. The criteria are much more concrete than the blacklists, and the lists are much more stable. As I mentioned, I don't have acquaintances and don't do business with anyone in Asia, so I feel fine simply not accepting email from the biggest source of my spam. When I turned them back on with my new server, my spam instantly went down by 75%. That's after using them on my domains for over 2 years, and running my new server without them for a few weeks. Had I kept them off longer, I have no doubt the stream would have increased - when I turned them on 2 years ago, my spam went down by almost 95% in a matter of minutes, and over the years the stream of rejects has diminished slowly.

Lou
--
Louis LeBlanc FreeBSD@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org
White dwarf seeks red giant for binary relationship.
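The two-stage policy the thread argues over (a DNSBL or country-zone reject at the MTA before the message body is accepted, then a per-user SpamAssassin threshold on what gets through) modelled as a small Python script. This is an added illustration, not code from the list post or from any of the tools named; the zone names, listings, users and scores are constructed sample data, and the allowlist is an assumed mitigation for the over-zealous-listing risk raised above.

```python
"""Model of: (1) pre-DATA reject on a DNSBL/country zone, (2) per-user SA threshold.
All zones, listings, thresholds and scores are constructed for the example."""
import ipaddress

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed-octet name an MTA resolves for a DNSBL zone, e.g.
    192.0.2.10 in zone bl.example.invalid -> 10.2.0.192.bl.example.invalid"""
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return ".".join(reversed(ip.split("."))) + "." + zone

# Constructed stand-in for DNS: names present here "resolve" (i.e. are listed).
LISTED = {
    "10.2.0.192.bl.example.invalid": "127.0.0.2",             # generic blacklist hit
    "20.2.0.192.cn.countries.example.invalid": "127.0.0.2",   # country-zone hit
}
MTA_ZONES = ["bl.example.invalid", "cn.countries.example.invalid"]
# Known correspondents exempt from the reject, so a bad listing cannot cost their mail.
ALLOWLIST = {"192.0.2.10"}

def mta_decision(ip, zones=MTA_ZONES, listings=LISTED, allow=ALLOWLIST):
    """Return ('accept', None) or ('reject', zone) before the body is received."""
    if ip in allow:
        return ("accept", None)
    for zone in zones:
        if dnsbl_query_name(ip, zone) in listings:
            return ("reject", zone)
    return ("accept", None)

# Stage 2: a global threshold (what a shared amavisd config applies) versus per-user.
DEFAULT_THRESHOLD = 5.0
USER_THRESHOLD = {"lou": 2.0}

def classify(score: float, user: str) -> str:
    """Apply the recipient's own threshold, falling back to the global default."""
    return "spam" if score >= USER_THRESHOLD.get(user, DEFAULT_THRESHOLD) else "ham"

def fp_fn(threshold: float, labelled):
    """Count false positives / false negatives for a threshold over (score, is_spam) pairs."""
    fp = sum(1 for s, spam in labelled if not spam and s >= threshold)
    fn = sum(1 for s, spam in labelled if spam and s < threshold)
    return fp, fn

# Constructed mix: two newsletters scoring 3-4 (ham) and a low-scoring spam at 2.6.
SAMPLE = [(0.5, False), (3.4, False), (3.9, False), (2.6, True), (7.2, True), (12.0, True)]

if __name__ == "__main__":
    print(mta_decision("192.0.2.20"), classify(3.4, "lou"), classify(3.4, "mom"))
    print("threshold 2.0 (fp, fn):", fp_fn(2.0, SAMPLE), "threshold 5.0:", fp_fn(5.0, SAMPLE))
```

Running it shows the trade-off in the post: the 2.0 threshold catches the low-scoring spam but flags both newsletters, while 5.0 spares them and misses that spam.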