i agree with you, particularly now that i've counted that (off hours) 2/3 of the mail being delivered to a company whose firewalls i manage was graded as spam by sa. at the point we needed to add an extra machine purely for spam assassin, i decided to get serious about blocking, which i'd previously done using obtuse smtpd in a much more ad-hoc way.
in my client's environment, postfix/amavisd/sa in a sizeable business, i generally prefer to do it locally, based mostly on a static database of envelope from rather than on blackhole lists of ip addresses (particularly those that list entire isps such as verio as hole-worthy).

now, i wish i could figure out a way to hack postfix to do a blackhole lookup *only* for certain from addresses (e.g. yahoo, hotmail, aol).

i have a static list of domains in /etc/postfix/access which are blacklisted, no smtp connections taken from those domains. this list was generated somewhat painfully: i've hacked pflogsumm to look through both the postfix logs and the amavis logs of spamassassin traffic, and can see what sites are highly spammy. then i manually add them to the no access list.

plus i have spamtrap mailboxes -- years ago departed employees, malformed email addresses that somehow got harvested from web pages, etc... anything to them is almost certainly spam. i manually add these to the no access list, although i've found that around 75% of them are detectable from a few days of pflogsumm+sa log data.

i log several days of spam in quarantine folders and inspect the content before adding a site to the list. in general, i don't block access to any site which is opt-in and takes their bounces, even those that are just a joke plus daily advertising.

happy to provide the blocking list to anyone who wants to start with such, by direct email request, no warranty of accuracy or suitability for your purpose expressed or implied.

btw, here's an example of a bit of daily report from pflogsumm. it shows, for example, on one mail exchanger, that i now reject more mail than i accept, and during the night, i reject more than twice the mail i accept. the received numbers are 3*inflated, because of the multiple deliveries involved due to relaying through amavisd and to an inside mail hub machine.
messages

  19516   received (including internally)
   6967   delivered
   6827   inspected for spam
   1578   graded as spam
   6958   forwarded
     27   deferred  (29 deferrals)
      0   bounced
   7535   rejected

 391636k  bytes received
 269373k  bytes delivered
   4127   senders
   2026   sending hosts/domains
   1103   recipients
      7   recipient hosts/domains

Per-Hour Traffic Summary

    time          received  delivered   deferred    bounced     rejected
    --------------------------------------------------------------------
    0000-0100         578        137          0          0        340
    0100-0200         578        163          1          0        259
    0200-0300         512        164          0          0        322
    0300-0400         651        144          1          0        387
    0400-0500         507        138          1          0        276
    0500-0600         544        161          0          0        263
    0600-0700         573        199          0          0        282
    0700-0800         546        138          0          0        300
    0800-0900         661        241          0          0        266
    0900-1000         887        344          0          0        299
    1000-1100        1146        525          1          0        308
    1100-1200        1394        569          2          0        421
    1200-1300        1234        546          6          0        316
    1300-1400        1091        402          5          0        374
    1400-1500        1228        477          3          0        332
    1500-1600        1089        450          2          0        258
    1600-1700        1177        488          0          0        311
    1700-1800        1034        360          2          0        399
    1800-1900         852        269          0          0        396
    1900-2000         745        223          3          0        353
    2000-2100         668        225          0          0        291
    2100-2200         650        207          0          0        278
    2200-2300         615        185          1          0        278
    2300-2400         556        212          1          0        226

Host/Domain Summary: Messages Received

 msg cnt  spam cnt   bytes    host/domain
 -------- -------- -------   -----------
     539       46   17413k   aol.com
     408      310    1993k   boing.topica.com
     404      148    5466k   yahoo.com
     351       20    3520k   returns.groups.yahoo.com
     283       74    1505k   hotmail.com
     144       46    1062k   reply.yahoo.com
     136        0    7525k   from=<>
     102        0    1867k   ms1.lga2.nytimes.com
      96        0    4416k   info.aa.com
      93       90    4251k   sbcglobal.net
      84       30    1674k   msn.com
      74       50     759k   bounce.exactis.com
      72       66    2758k   www.weathernewsletter.com
      68       22     933k   dlbdirect.com
      65       62    2994k   bounce.e-dialog.com
      50        0     600k   lists.peertopeer.org
      46        0    5048k   jonesday.com
      44       14   365862   marketwatchmail.com
      42        0    1609k   comcast.net

etc.

On Wed, Oct 02, 2002 at 09:50:23AM -0800, Rossz Vamos-Wentworth wrote:
> I've always considered filtering spam as the last resort. I prefer
> blocking at the mta if at all possible.
> Here's a useful resource:
> http://www.blackholes.us/
>
> Rossz

_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
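The triage step described in the message above (reading per-domain spam counts out of the pflogsumm report and picking domains for /etc/postfix/access), as an added example that is not part of the original post or the poster's own scripts. The function names and the two thresholds are assumptions; the rows are copied from the report in the post, and the result is a list for manual review, not an automatic block.

```python
import re

# Rows copied from the Host/Domain Summary in the post; the "spam cnt"
# column exists only in the poster's modified pflogsumm, not the stock tool.
REPORT = """\
 msg cnt  spam cnt   bytes    host/domain
 -------- -------- -------   -----------
     539       46   17413k   aol.com
     408      310    1993k   boing.topica.com
     404      148    5466k   yahoo.com
     136        0    7525k   from=<>
      93       90    4251k   sbcglobal.net
      74       50     759k   bounce.exactis.com
      72       66    2758k   www.weathernewsletter.com
      65       62    2994k   bounce.e-dialog.com
      44       14   365862   marketwatchmail.com
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+\S+\s+(\S+)\s*$")

def parse_summary(text):
    """Yield (domain, msgs, spam) per data row; header and ruler lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(3).lower(), int(m.group(1)), int(m.group(2))

def candidates(text, min_msgs=50, min_ratio=0.85, skip=("from=<>",)):
    """Domains with enough volume and a high enough spam share to review.
    min_msgs and min_ratio are assumed values, not taken from the post."""
    out = []
    for domain, msgs, spam in parse_summary(text):
        if domain in skip or msgs < min_msgs:
            continue  # null sender, or too little mail to judge
        ratio = spam / msgs
        if ratio >= min_ratio:
            out.append((domain, msgs, spam, ratio))
    return sorted(out, key=lambda r: r[3], reverse=True)

def access_lines(rows):
    """Format reviewed candidates as Postfix access(5) REJECT entries."""
    return [f"{d}\tREJECT" for d, *_ in rows]

if __name__ == "__main__":
    for d, msgs, spam, ratio in candidates(REPORT):
        print(f"# {spam}/{msgs} = {ratio:.0%} spam")
        print(f"{d}\tREJECT")
```

Lowering min_ratio widens the review list; boing.topica.com, for instance, only appears once the threshold drops to about 0.75.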