> -----Original Message-----
> From: jdow [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 15, 2005 8:55 AM
> To: users@spamassassin.apache.org
> Subject: Re: filter for subjects
>
> 1) You can use SARE rules to increase scores for words like viagra.
> 2) You cannot under any circumstance have SpamAssassin not pass mail
>    on to the next delivery step. It is possible to have the next
>    delivery step drop the mail into /dev/null.
> 3) It is not wise to get too frantic and drop things just because they
>    say "Adobe". Some might be legitimate. (That is not a usual spam word
>    here, at least.)

Agreeing and elaborating on this and some of the other suggestions...

SA drops NOTHING -- SA scores the spam or ham so that THE ADMINISTRATOR or USER can decide what to do with it. Such decisions belong to the administrator and the recipient of the email.

Some admins send the mail through leaving the entire decision to the User/recipient and some use various criteria to reject, bounce (generally bad these days), or save (some) of the likely spam for review.

We bounce nothing, but we do reject using SpamAssassin this way using Exim MTA (other MTA can do something similar):

1) All "spam" is held for review (we have spam down to such a small amount this is easy) if it passes the next step.

2) If the score meets a "superspam" threshold we use an Exim ACL (during Data time before the email is accepted) to check subjects and a few other such criteria (sender etc.) Since SA has already marked the email as seriously likely to be spam these checks can be a bit looser than they would be if the message were random.

Using the Adobe-subject example above:

If the message contains 2 of:

Microsoft Adobe Macromedia Corel

AND is SuperSpam it is droppable but this wouldn't be possible if a legitimate news message subject had something like "Adobe sues Microsoft" or "Corel partners with Macromedia".

(This is just an example and a more conservative filter could say, "three of" these words but that is up to the admin etc.)

Our spam went down to almost nothing by using Greylisting in a reduced manner:

We avoid almost all of the problems associated with Greylisting by only using it for messages that are already 'suspicious' (i.e., things many people will use to REFUSE mail are used by our Exim ACLs to drive the message through Greylisting).

93% of these messages are never re-tried. So far no good mail has been identified as being dropped and practically no real mail is even delayed.

['Suspicion' Checks include: Header checks, valid reverse, valid Helo vs. reverse host name, SPF, dynamic host name or certain country code patterns, and membership on blacklists, including some very aggressive lists since no list can actually block the email.]

SpamAssassin never sees mail unless the other checks including greylisting of suspicious messages pass them through.

If a message passes to SpamAssassin and is checked against the "simple subject etc. filters" and not dropped it is STILL driven through Greylisting if that has not already been done for this message's Helo/From/To triplet.

This defense in depth is knocking spam down to a trickle AT THE SERVER, and practically nothing* is getting through to users with no complaints of missing mail or evidence of such in the logs.

We are still manually reviewing the Spam trapped at the server.

Nothing bounces. Very little spam is ever accepted. And 95% of the Spam we trap scores above 25 points. Almost none is scored below 15 points.

We have practically none in the "trough" between Spam and Ham -- it is all classifying cleanly which really lets SpamAssassin shine.

--
Herb Martin
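
The filtering order described in the message above, modelled in Python as an added example; it is not part of the original e-mail and is not the poster's Exim configuration. The superspam threshold, the greylist delay and the message field names are assumptions, and the final greylisting step follows one reading of the message (superspam that survives the subject filter is greylisted if it was not already).

```python
import re

SPAM_SCORE = 5.0         # SpamAssassin's default required_score
SUPERSPAM_SCORE = 15.0   # assumed; the message does not give its threshold
GREYLIST_DELAY = 300     # assumed retry delay in seconds
VENDOR_WORDS = {"microsoft", "adobe", "macromedia", "corel"}  # from the message
MIN_VENDOR_HITS = 2      # "2 of"; a more conservative filter would use 3

def vendor_hits(subject):
    """Count distinct vendor names that appear as whole words in the subject."""
    return len(set(re.findall(r"[a-z]+", subject.lower())) & VENDOR_WORDS)

class Greylist:
    """Tracks when each Helo/From/To triplet was first seen."""
    def __init__(self):
        self.first_seen = {}

    def passed(self, triplet, now):
        """True once the triplet is retried after GREYLIST_DELAY seconds."""
        return now - self.first_seen.setdefault(triplet, now) >= GREYLIST_DELAY

def decide(msg, greylist, now):
    """Return 'defer', 'reject', 'hold' or 'accept' for one delivery attempt.

    msg is a dict with hypothetical keys: helo, sender, rcpt, subject,
    suspicious (outcome of the pre-SpamAssassin checks) and sa_score.
    """
    triplet = (msg["helo"], msg["sender"], msg["rcpt"])
    # Stage 1: greylist only mail the cheap checks already flagged.
    if msg["suspicious"] and not greylist.passed(triplet, now):
        return "defer"
    if msg["sa_score"] >= SUPERSPAM_SCORE:
        # Stage 2: the loose subject filter is only trusted on superspam.
        if vendor_hits(msg["subject"]) >= MIN_VENDOR_HITS:
            return "reject"
        # Stage 3: surviving superspam is still greylisted if it was not before.
        if not greylist.passed(triplet, now):
            return "defer"
    return "hold" if msg["sa_score"] >= SPAM_SCORE else "accept"

if __name__ == "__main__":
    # Constructed sample messages, not taken from real traffic.
    gl = Greylist()
    base = {"helo": "mx.example.net", "sender": "a@example.net", "rcpt": "u@example.org"}
    news = dict(base, subject="Adobe sues Microsoft", suspicious=False, sa_score=0.4)
    junk = dict(base, subject="Cheap Adobe Corel CDs", suspicious=False, sa_score=27.0)
    print(decide(news, gl, 0), decide(junk, gl, 0))
```
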