On 07/07/2017 02:04 PM, Alex wrote:
Hi,

I ran that message through one of my filters manually:

One of your filters?

Copy/pasted your email into a file and manually ran spamassassin < msg on one of my eight mail filters.


-0.2 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                             trust
                             [106.186.119.240 listed in list.dnswl.org]
-0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 ENA_RELAY_JP           Relayed through Japan
  2.2 ENA_RELAY_NOT_US       Relayed through country outside of the US

Can't do this - email is received from every country :-(

There still could be some value to adding some (small) points based on some countries. Legit senders will hit some rules that subtract points for good reputation and low Bayes probability.

Also SHORTCIRCUIT'ing as ham with a long list of trusted senders using whitelist_auth will allow these types of spam to stand out more so you can add more points for some scores that help with zero-hour spam. My list is over 4,000 lines now and growing every week from an automated SQL query run on Sunday morning for the past week's email. Log files could be analyzed to do the same thing based on rule hits and scores from sending domains consistently well below zero.


I do have the relaycountry plugin, but score is set low, and usually
used in metas.

  1.8 RCVD_DOUBLE_IP_SPAM    Bulk email fingerprint (double IP) found

I'm noticing the ones that were quarantined were quarantined because
of this rule. Unfortunately I don't have the ones that were relayed
because it was too long ago.

I guess I need to set up a wiki page or something similar with all of my
tweaks and tuning to document it all in one place.

This is kind of a policy thing, no? In other words, I find many don't
contribute (despite it being open source) for fear of spammers using
these ideas against us, but the project suffers as a result.

We also have a few local rules, but not sure how helpful they would be
to others, and spammers more specifically. These days I can't imagine
using anything other than postfix, however.


Postfix definitely rocks! It's so flexible. Postscreen is amazing. RBL weighting. Rate limiting built-in. Add greylisting after your postwhite entries and greylisting is not painful at all for end users. Add in OpenDMARC and a few simple SA rules and you have DMARC support in SA. policyd-spf milter. postfwd milter. I can go on and on...

--
Dave
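Dave's suggestion of mining log files for sending domains that score consistently well below zero and feeding them into a whitelist_auth list, as an added example that is not code from this thread: it assumes a simplified, constructed log line format (score, sender address, rule hits), so adapt LOG_RE to whatever your spamd or amavis glue actually writes. The shortcircuit lines use SpamAssassin's USER_IN_DKIM_WHITELIST and USER_IN_SPF_WHITELIST rules, which is what makes whitelist_auth entries stop scanning early.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an ASSUMED, simplified format:
# "<score> <sender> <comma-separated rule hits>". Real spamd/amavis logs
# differ; adapt LOG_RE to the log template your glue actually writes.
SAMPLE_LOG = """\
-4.8 billing@payroll.example.com BAYES_00,DKIM_VALID_AU,SPF_PASS,RCVD_IN_DNSWL_NONE
-5.1 billing@payroll.example.com BAYES_00,DKIM_VALID_AU,SPF_PASS
-3.9 alerts@payroll.example.com BAYES_00,SPF_PASS,DKIM_VALID_AU
-0.4 news@newsletter.example.net BAYES_00,SPF_PASS
-6.0 news@newsletter.example.net BAYES_00,DKIM_VALID_AU
-4.2 x@once.example.org BAYES_00,DKIM_VALID_AU
-5.5 hr@unauth.example.org BAYES_00,RCVD_IN_DNSWL_NONE
"""
LOG_RE = re.compile(r"^(?P<score>-?\d+(?:\.\d+)?)\s+\S+@(?P<domain>[\w.-]+)\s+(?P<rules>\S+)$")
AUTH_RULES = {"SPF_PASS", "DKIM_VALID_AU"}  # whitelist_auth only matches SPF/DKIM-verified senders

def parse_log(text):
    """Group (score, authenticated?) observations per sending domain."""
    per_domain = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rules = set(m.group("rules").split(","))
        per_domain[m.group("domain").lower()].append((float(m.group("score")), bool(rules & AUTH_RULES)))
    return per_domain

def candidate_domains(per_domain, min_msgs=2, max_score=-2.0):
    """Domains whose every message was authenticated and scored at or below max_score."""
    out = []
    for domain, obs in sorted(per_domain.items()):
        if len(obs) < min_msgs:
            continue                 # one good message is not a reputation
        if not all(auth for _, auth in obs):
            continue                 # unauthenticated mail could be a spoof of the domain
        if max(score for score, _ in obs) > max_score:
            continue                 # "consistently well below zero": judge the worst, not the average
        out.append(domain)
    return out

def render_cf(domains):
    """local.cf fragment: shortcircuit so listed senders skip the remaining rules."""
    lines = ["shortcircuit USER_IN_DKIM_WHITELIST on", "shortcircuit USER_IN_SPF_WHITELIST on"]
    lines += [f"whitelist_auth *@{d}" for d in domains]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_cf(candidate_domains(parse_log(SAMPLE_LOG))), end="")
```

Run it over a week's worth of real log lines (as the Sunday job in the thread does) and append the output to a file your local.cf includes; a domain with a single good message or one unauthenticated message never makes the list.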
