I'd like to get some people to take an idea that I've been using
successfully for a long time that I would like to see implemented in SA.
I'm doing it mostly with Exim rules and generating these lists in some
unusual ways. But if this were done right it would make SA a lot faster
and more accurate.
Here's a link to an overview of my lists:
http://wiki.ctyme.com/index.php/Spam_DNS_Lists
But - ultimately my lists would be replaced by a more massive public
list that would be done better than what I started. I'd like a plugin
written or someone who understands the rules better than me to build on
these ideas. What I have is my hostkarma list which returns different
code depending on the reputation of the sending host.
Before you look at this as just another blacklist - the real power is in
the white and yellow lists. First - an overview. My list returns these
codes:
* 127.0.0.1 - whitelist - trusted nonspam
* 127.0.0.2 - blacklist - block spam
* 127.0.0.3 - yellowlist - mix of spam and nonspam
* 127.0.0.4 - brownlist - all spam - but not yet enough to blacklist
The idea here is that white short circuit to HAM and could be
autolearned. Yellow is for mixed source hosts like Hotmail, Yahoo, etc
that should never be blacklisted. This is important because if a host is
yellow listed then you skip all blacklist tests and move on to other
tests. This will allow you to avoid testing to see if Yahoo hosts are
blacklisted. Brown listing is a host not bad enough to be blacklisted
but still worth a point or so.
My list has about 275k black, 300k brown, 20k yellow, and 6k white. So I
have some useful data. Here's some rules to use it now but I'd like to
see someone smarter than me improve these to do it right.
header __RCVD_IN_JMFILTER eval:check_rbl('JMFILTER','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMFILTER Sender listed in JMFILTER
tflags __RCVD_IN_JMFILTER net
header RCVD_IN_JMFILTER_W eval:check_rbl_sub('JMFILTER', '127.0.0.1')
describe RCVD_IN_JMFILTER_W Sender listed in JMFILTER-WHITE
tflags RCVD_IN_JMFILTER_W net nice
score RCVD_IN_JMFILTER_W -5
header RCVD_IN_JMFILTER_B eval:check_rbl_sub('JMFILTER', '127.0.0.2')
describe RCVD_IN_JMFILTER_B Sender listed in JMFILTER-BLACK
tflags RCVD_IN_JMFILTER_B net
score RCVD_IN_JMFILTER_B 4.0
# brown needs its own rule name; reusing RCVD_IN_JMFILTER_B would overwrite the black rule
header RCVD_IN_JMFILTER_BR eval:check_rbl_sub('JMFILTER', '127.0.0.4')
describe RCVD_IN_JMFILTER_BR Sender listed in JMFILTER-BROWN
tflags RCVD_IN_JMFILTER_BR net
score RCVD_IN_JMFILTER_BR 1.0
What it needs is if it's white then we short circuit to call it ham and
skip other tests. The white list is very accurate and it's not hard to
get a good whitelist. The yellow list is also very good. The idea here
is to stop all other blacklist tests after a yellow list. I don't know
how to do that in SA.
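As an added illustration (not part of the original post, and not SpamAssassin code), here is a small Python sketch of the hostkarma lookup and the short-circuit logic described above: the octet-reversed query name, the four return codes, and white/yellow skipping the remaining blacklist tests. The DNS answers are constructed stand-ins, and the 5.0 spam threshold is an assumed value.

```python
from ipaddress import IPv4Address

ZONE = "hostkarma.junkemailfilter.com."          # zone named in the post
CODES = {"127.0.0.1": "white", "127.0.0.2": "black",
         "127.0.0.3": "yellow", "127.0.0.4": "brown"}
SCORES = {"white": -5.0, "black": 4.0, "brown": 1.0}   # scores from the post's rules
SPAM_THRESHOLD = 5.0                             # assumed threshold, not from the post


def query_name(ip):
    """Build the DNSBL query name: IPv4 octets reversed, zone appended."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + ZONE


# Constructed DNS answers standing in for a real resolver (192.0.2.0/24 is documentation space).
FAKE_DNS = {
    query_name("192.0.2.10"): ["127.0.0.1"],
    query_name("192.0.2.20"): ["127.0.0.2"],
    query_name("192.0.2.30"): ["127.0.0.3"],
    query_name("192.0.2.40"): ["127.0.0.4"],
}


def hostkarma_lists(ip, resolve=FAKE_DNS.get):
    """Return the list names the sending host is on (none if unlisted)."""
    return [CODES[a] for a in (resolve(query_name(ip)) or []) if a in CODES]


def score_host(ip, other_blacklist_tests, resolve=FAKE_DNS.get):
    """Score a sending host with the post's short-circuit semantics.

    other_blacklist_tests: callable(ip) -> points from the remaining DNSBL
    tests; it is only run when hostkarma said neither white nor yellow.
    Returns (verdict, score, other_blacklists_consulted).
    """
    lists = hostkarma_lists(ip, resolve)
    if "white" in lists:                 # trusted nonspam: call it ham, skip everything else
        return "ham", SCORES["white"], False
    score = sum(SCORES.get(name, 0.0) for name in lists)
    if "yellow" in lists:                # mixed host (Hotmail, Yahoo): never consult other blacklists
        return "unknown", score, False
    score += other_blacklist_tests(ip)   # black, brown or unlisted: run the remaining tests
    verdict = "spam" if score >= SPAM_THRESHOLD else "unknown"
    return verdict, score, True
```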
Then - like the black lists - these lists can be enhanced by people
sharper than me. And instead of me hosting it someone can do it right,
or better than me.
So - the point - this works for me - let's make it better. Who's interested?