On Fri, 19 Jun 2020, micah anderson wrote:

> John Hardin <[email protected]> writes:
>
>> On Fri, 19 Jun 2020, micah anderson wrote:
>>
>>> So, what can I do to tweak these rules to score things up more,
>>> specifically the rules that provide a low false positive rate[1]. This
>>> seems something that should be done programmatically, and not
>>> manually. It seems like what 'masscheck' maybe does generically for all
>>> rules for all installations, but can I use that to just adjust our rules
>>> for our particular breed of spam that comes through?
>>
>> How about: analyze your spamtrap for recent source IP addresses on a
>> quick schedule (hourly?) and drive a local DNSBL from IPs seen more than
>> 2-3 times in the last 24-48 hours?
>
> Interesting possibility... but if I look at the current batch that made
> it through, I see:
>
> 1. amazon aws
> 2. gmail (amusingly saying my amazon prime membership is going to
>    expire)
> 3. mailchimp
> 4. yahoo.com
>
> all of those would not be good to block :(

Amazon AWS if not using a "real" (non-AWS) domain name might be safe to
reject - there's been some discussion about that on the list lately.

> It's not always like that, but it does happen.

Hm. Perhaps you'd need whitelists too, to avoid some known mixed sources.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] FALaholic #11174 pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
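
The spamtrap-driven local DNSBL discussed in this thread, with the whitelist for mixed sources, sketched as an added example that is not code from the thread or from SpamAssassin. The 48-hour window, the 3-hit threshold, the allowlisted range, the zone name and all function names are assumptions chosen for illustration, and the sample hits are constructed.

```python
"""Build a local blocklist from spamtrap hits (sample data is constructed)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed tuning knobs, picked from the ranges suggested in the thread.
WINDOW = timedelta(hours=48)
MIN_HITS = 3
# Hypothetical allowlist of mixed-use senders that must never be listed
# (a documentation range stands in for real provider networks).
ALLOW = [ip_network("198.51.100.0/24")]
ZONE = "spamtrap.dnsbl.invalid"  # hypothetical local zone name


def build_blocklist(hits, now, window=WINDOW, min_hits=MIN_HITS, allow=ALLOW):
    """hits: iterable of (datetime, ip string). Returns sorted IPs to list."""
    counts = Counter()
    for seen, raw in hits:
        if not (now - window <= seen <= now):
            continue  # outside the sliding window, so old sources age out
        try:
            ip = ip_address(raw)
        except ValueError:
            continue  # malformed address in the trap log
        # IPv4 only here, because dnsbl_name() below handles dotted quads.
        if ip.version != 4 or any(ip in net for net in allow):
            continue
        counts[ip] += 1
    listed = sorted(ip for ip, n in counts.items() if n >= min_hits)
    return [str(ip) for ip in listed]


def dnsbl_name(ip, zone=ZONE):
    """Reversed-octet query name, the usual DNSBL lookup convention."""
    return ".".join(reversed(ip.split("."))) + "." + zone


NOW = datetime(2020, 6, 19, 12, 0, tzinfo=timezone.utc)
SAMPLE_HITS = (  # constructed spamtrap log: (time seen, source IP)
    [(NOW - timedelta(hours=h), "203.0.113.7") for h in (1, 5, 30)]
    + [(NOW - timedelta(hours=h), "198.51.100.20") for h in (1, 2, 3, 4)]
    + [(NOW - timedelta(hours=h), "192.0.2.9") for h in (2, 60, 70)]
    + [(NOW, "not-an-ip")]
)

if __name__ == "__main__":
    for ip in build_blocklist(SAMPLE_HITS, NOW):
        print(dnsbl_name(ip))
```

Run hourly, this lists only sources that repeat inside the window and lets them drop off once the trap stops seeing them, while allowlisted ranges are never listed regardless of hit count.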