Posted to users@spamassassin.apache.org by Igor Chudov <ic...@Algebra.Com> on 2007/07/21 04:10:18 UTC
Whitelist of my friends -- followup
I have to respectfully disagree with those who say that whitelisting
my friends is a bad idea.
I do realize that spammers use everyone's addresses -- as they are
using mine -- as fake return addresses, just as often as they would
use any other address.
But the chances of them accidentally using an address of my friend
(even if, say, I add 5,000 emails to my whitelist) to send spam to me,
are approximately 5,000 out of 100,000,000 (hypothetical number of
email addresses available for the random return address pool). That
works out to 0.005% chance.
My experience suggests that I never ever received a spam with my
acquaintance's email in the From: field. Did not happen.
The only possibility of me receiving spam from my friends would be if
they were infected by a virus that exploits their address book, but I
am already running a number of virus filters (clamav and my custom
perl scripts rejecting all EXEs, screensavers and other windows junk).
So, if whitelist_from is scalable to a few thousand addresses, I would
like to use it.
I had a few emails from my friends rejected due to false positives.
i
Re: Include directives in user_prefs was Whitelist of my friends -- followup
Posted by Matt Kettler <mk...@verizon.net>.
Theo Van Dinter wrote:
> On Sat, Jul 21, 2007 at 10:37:01AM -0500, Igor Chudov wrote:
>
>> Can I somehow specify an include directive in my user_prefs file, such
>> as "include my_friends.cf"?
>>
>
> Did you look at "perldoc Mail::SpamAssassin::Conf" ? :)
>
>
To be a bit more specific, yes, that exact option exists and is in the
docs, at least for 3.0.x and higher.
Exact text from the 3.2 docs:
--------------------------------
PREPROCESSING OPTIONS
*include filename*
Include configuration lines from |filename|
<http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#item_filename>.
Relative paths are considered relative to the current configuration
file or user preferences file.
Re: Include directives in user_prefs was Whitelist of my friends -- followup
Posted by Theo Van Dinter <fe...@apache.org>.
On Sat, Jul 21, 2007 at 10:37:01AM -0500, Igor Chudov wrote:
> Can I somehow specify an include directive in my user_prefs file, such
> as "include my_friends.cf"?
Did you look at "perldoc Mail::SpamAssassin::Conf" ? :)
Include directives in user_prefs was Whitelist of my friends -- followup
Posted by Igor Chudov <ic...@Algebra.Com>.
Can I somehow specify an include directive in my user_prefs file, such
as "include my_friends.cf"?
i
Re: Whitelist of my friends -- followup
Posted by Matt Kettler <mk...@verizon.net>.
Theo Van Dinter wrote:
> On Fri, Jul 20, 2007 at 09:10:18PM -0500, Igor Chudov wrote:
>
>> So, if whitelist_from is scalable to a few thousand addresses, I would
>> like to use it.
>>
>
> It probably won't scale that far since it's super inefficient to have a flat
> file config w/ that many entries. You'd want to have some kind of plugin that
> would do a lookup in a database.
>
It's not nearly as bad as you think..
I just used head to grab the first 5 and 20k of sa-blacklist.cf to
create shortened .cf test files.
I crudely tested using the "time spamassassin -L <test" command line:
plain 3.2.0 (results of 3 runs):
real 0m1.899s 0m1.339s 0m2.192s
user 0m1.756s 0m1.232s 0m2.080s
sys 0m0.132s 0m0.068s 0m0.104s
With the 5k, I can't tell the difference:
real 0m1.996s 0m1.934s 0m1.457s
user 0m1.828s 0m1.796s 0m1.376s
sys 0m0.160s 0m0.136s 0m0.072s
At 20k lines, it starts to be noticeable, but still not that bad unless
you're pushing a lot of email:
real 0m3.109s 0m2.805s 0m2.997s
user 0m2.956s 0m2.692s 0m2.868s
sys 0m0.144s 0m0.104s 0m0.120s
Tested on a fairly bare SA 3.2.0, on an Athlon 64 3200+ with 512mb of
ram, more-or-less nothing else running at the time.
So I still stand by that SA can handle a few thousand of these. It's not
exactly efficient at it, but it's not nearly as horrid as you think.
Unless your box is already on the verge of collapsing under its existing
load, this should be OK.
And to top it off, all these tests included both parsing and scanning
time.. using spamc/spamd would mitigate the time associated with parsing.
Re: Whitelist of my friends -- followup
Posted by Theo Van Dinter <fe...@apache.org>.
On Fri, Jul 20, 2007 at 09:10:18PM -0500, Igor Chudov wrote:
> So, if whitelist_from is scalable to a few thousand addresses, I would
> like to use it.
It probably won't scale that far since it's super inefficient to have a flat
file config w/ that many entries. You'd want to have some kind of plugin that
would do a lookup in a database.
Re: Whitelist of my friends -- followup
Posted by Matt Kettler <mk...@verizon.net>.
Igor Chudov wrote:
> I have to respectfully disagree with those who say that whitelisting
> my friends is a bad idea.
>
I never said that whitelisting your friends is a bad idea. I said
whitelisting based on email address ALONE is a bad idea in general.
It's a lot better to use tools that are more resistant to forgery, such
as whitelist_from_rcvd which matches an email address, AND an email
server, or if your friends have domains with SPF, and you've got the SPF
plugin loaded, whitelist_from_spf is easy (takes just an email address)
and forgery resistant (verifies sending server is in the SPF for the
domain).
Just keep it in mind that where practical, you should use the "better"
tools.
> I do realize that spammers use everyone's addresses -- as they are
> using mine -- as fake return addresses, just as often as they would
> use any other address.
>
> But the chances of them accidentally using an address of my friend
> (even if, say, I add 5,000 emails to my whitelist) to send spam to me,
> are approximately 5,000 out of 100,000,000 (hypothetical number of
> email addresses available for the random return address pool). That
> works out to 0.005% chance.
>
True, the probabilities are much higher for viruses than spam. At least,
until spammers start using bot-miners to research email-acquaintance
relationships, which I'm really surprised they haven't done yet.
> My experience suggests that I never ever received a spam with my
> acquaintance's email in the From: field. Did not happen.
>
> The only possibility of me receiving spam from my friends would be if
> they were infected by a virus that exploits their address book, but I
> am already running a number of virus filters (clamav and my custom
> perl scripts rejecting all EXEs, screensavers and other windows junk).
>
> So, if whitelist_from is scalable to a few thousand addresses, I would
> like to use it.
>
It should be scalable that far. However, I would not take it up above
20,000 or so. Also be aware that the more you have, the more memory SA
will take up. So if your server is really low on memory, you'll want to
keep it as low as practical.
As a reference sa-blacklist consists of 600,000+ blacklist_from
commands, and will grind most machines to a halt. On my box it adds 295
megs to the size of a spamd instance, and on top of that it makes it
slow as molasses due to the absurd number of rules to test.
> I had a few emails from my friends rejected due to false positives.
>
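Added example, not written by anyone in this thread: a user_prefs that pulls in a separate friends file with the include directive, and a friends file showing the address-only whitelist_from entry next to the forgery-resistant whitelist_from_rcvd and whitelist_from_spf forms discussed above. The file locations, addresses and example.* domains are constructed for illustration.

```conf
# ---- ~/.spamassassin/user_prefs (location assumed) ----
# Keep the friends list in its own file. A relative path is resolved
# relative to this user preferences file.
include my_friends.cf

# ---- my_friends.cf (all addresses below are constructed samples) ----

# Address only: any message whose sender address matches is whitelisted,
# whether or not it really came from that person. This is the form the
# thread advises against relying on by itself.
whitelist_from       alice@example.org

# Address AND mail server: the address must match, and the reverse DNS of
# the relay that delivered the message to your trusted relays must match
# the second argument. This relies on trusted_networks/internal_networks
# being set correctly for your site.
whitelist_from_rcvd  bob@example.com      example.com
whitelist_from_rcvd  carol@example.net    mail.example.net

# Address AND SPF pass: takes just an address, but only fires when the
# sending server is authorized by the domain's SPF record. Requires the
# SPF plugin (Mail::SpamAssassin::Plugin::SPF) to be loaded site-wide and
# the friend's domain to publish SPF.
whitelist_from_spf   dave@example.com
whitelist_from_spf   *@friends.example
```

Running "spamassassin --lint" after editing reports any line in either file that failed to parse.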