On 5/20/2019 2:42 AM, Brent Clark wrote:
> Good day guys
> Just want to check with the community.
> My colleague has proposed that at SMTP time, if a mail is deemed as
> spam, the server issues a reject code, but then also accepts the
> mail and forwards it to the user in case it's a false positive.
This is not possible with the built-in postfix restrictions such as
check_*_access, or postfix rbl lookups.
This is possible for a milter or content_filter. For example, using
amavisd-new, you can set it to reject+quarantine spam, which might
be useful for analysis. Not sure how useful it would be to actually
deliver the spam... keeping it out of the user's mailbox is kinda
the whole point.
If you have more than a very small number of high-scoring false
positives, you should adjust your scoring.
> His logic is that the spammer does not build up a database.
His logic is flawed.
From the spammer's point of view, there's no difference in
"reject+keep" and just "reject".
This also sounds like advice from 15+ years ago. I've heard the
"spammer database" argument (again just last week!) as an excuse to
discard all spam, and even to discard mail to unknown recipients --
both of which might have once been OK, but are now very bad
ideas[1][2]. Spammers and spam-fighting evolve. Best practice these
days is to reject unwanted mail.
> Currently what we do is, if the score is between 5 and 15, just
> accept and move the spam to the user's SPAM box. Above 15 we
> outright block.
> I am on the fence on this one, hence the reason to pick the
> community's brain.
> If anyone can share any thoughts or concerns, please can you share.
Get off the fence and back to safety. This is a bad idea, at least
the deliver-to-users part of it. Keeping for analysis is OK, but
maybe more trouble than it's worth.
If you're getting more than a tiny tiny amount of false positives
that score 15 or more, you should adjust the offending scores.
[1] Domains that accept (and possibly discard) all mail seem to be
abused by spammers-for-hire, which use them to inflate their
"guaranteed delivery" stats. This wastes your bandwidth and
processing power even if you never actually see the message. So
reject everything you don't want.
[2] The spammers already have your user list, harvested from hacked
web sites and stolen address books, then shared or sold. Dictionary
attacks are far less popular than they once were.
-- Noel Jones
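As an added illustration (not taken from either message in this thread), the following amavisd-new configuration fragment expresses the policy the replies converge on: tag mail scoring between 5 and 15 so the delivery agent can file it into the user's SPAM box, and reject mail at 15 or above while keeping a quarantine copy for analysis rather than delivering it. The variable names are standard amavisd.conf settings; the quarantine directory path is an assumption to be adjusted locally. Note that amavisd only returns a reject to the MTA at SMTP time when it runs before-queue (as a milter or via smtpd_proxy_filter); with an after-queue content_filter, Postfix has already accepted the message and would bounce it instead.

```perl
# Added illustration (not from the thread): amavisd-new settings that
# implement the thresholds described above -- tag at 5, reject at 15 --
# while keeping a quarantine copy of rejected spam instead of
# delivering it to the user.

# Header tagging. Mail in the 5..15 band is still delivered; filing it
# into the user's SPAM box is done downstream by the delivery agent
# (for example a sieve rule matching "X-Spam-Flag: YES").
$sa_tag_level_deflt  = -999;   # always add an X-Spam-Status header
$sa_tag2_level_deflt = 5.0;    # add X-Spam-Flag: YES at this score
$sa_kill_level_deflt = 15.0;   # at this score apply $final_spam_destiny

# Above the kill level: reject (5xx back to the MTA) but keep a copy.
# This is the reject+quarantine option mentioned in the reply.
$final_spam_destiny = D_REJECT;
$spam_quarantine_to = 'spam-quarantine';   # quarantine mailbox/file name
$QUARANTINEDIR      = '/var/virusmails';   # assumed path; adjust locally

# Plain reject with no copy kept (the alternative the reply prefers
# if the analysis copies turn out to be more trouble than they're worth):
# $spam_quarantine_to = undef;
```

If more than a handful of legitimate messages land in the quarantine, that is the signal to lower the weight of the offending rules rather than to start delivering rejected mail.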