Posted to users@spamassassin.apache.org by Brent Kennedy <br...@cfl.rr.com> on 2008/08/06 01:41:55 UTC

Receiver Based Spam Scoring

Is there a Linux based equivalent to the abaca system of using spam scores
of people who get the most spam and then judging emails based on that
aggregate number?
 
Brent Kennedy, MCSE, MCDBA, Linux+
Web Developer/Networking and Systems Engineer
 
 

Re: Receiver Based Spam Scoring

Posted by Sahil Tandon <sa...@tandon.net>.
Robert - elists <li...@abbacomm.net> wrote:

> Do you use greylisting  at all?
                                              
I do and it works well.  This is not to dispute Michael's claim about 
"smarter" botnets; just offering another experience.
 
> If we may know, what other pre pipe to SA tools do you use?

Not all mail is greylisted before SA; instead, only those messages from 
frequent spammer TLDs, Windows machines (as identified by p0f which is 
not *always* right), client IPs without reverse DNS, and IPs listed on 
more than one R(HS)BL.  Before that, Postfix rejects the following 
(lifted from posts on the mailing list) at EHLO/HELO:

/^\[[[:digit:]\.]*\]$/          REJECT  Literal HELO IPs prohibited.
/\d+([-\.]\d+){3}/              REJECT  Please use your ISP's SMTP server.

The second PCRE, aimed at identifying generic/residential hostnames, 
stops a lot of UCE well before greylisting or SA get involved.
                
-- 
Sahil Tandon <sa...@tandon.net>
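
An added example, not part of the original post: the two HELO patterns quoted above run over constructed HELO names, showing what each rule catches and that the unanchored second pattern also hits a statically addressed server whose hostname happens to embed four number groups. Python's `re` stands in for Postfix's PCRE table here (an assumption of this example), and every hostname is made up.

```python
import re

# The two rules from the post. Python's re has no POSIX bracket classes,
# so [[:digit:]\.] is written as [\d.] (same characters). re.ASCII keeps
# \d to 0-9, and re.I mirrors the case-insensitive default of Postfix
# pcre tables.
FLAGS = re.I | re.ASCII
RULES = [
    (re.compile(r"^\[[\d.]*\]$", FLAGS),
     "REJECT Literal HELO IPs prohibited."),
    (re.compile(r"\d+([-.]\d+){3}", FLAGS),
     "REJECT Please use your ISP's SMTP server."),
]


def lookup(helo):
    """Return (rule_number, action) for the first matching rule.

    Rules are tried in order and the first match wins, as in a Postfix
    lookup table; no match is reported as (None, "DUNNO").
    """
    for number, (pattern, action) in enumerate(RULES, 1):
        if pattern.search(helo):
            return number, action
    return None, "DUNNO"


# Constructed HELO names (documentation address ranges and example domains).
SAMPLES = [
    "[192.0.2.10]",                    # bracketed address literal
    "192.0.2.10",                      # bare address, no brackets
    "c-203-0-113-7.dyn.example.net",   # generic residential-style name
    "mx-10-20-30-40.example.org",      # static server, numeric name
    "mail.example.org",                # ordinary mail host
    "mail2.example.org",               # single digit group only
]


def classify(samples=SAMPLES):
    """Map each HELO name to the rule and action it would receive."""
    return {helo: lookup(helo) for helo in samples}


if __name__ == "__main__":
    for helo, (number, action) in classify().items():
        print(f"{helo:32} rule={number} {action}")
```

The `mx-10-20-30-40.example.org` row is the false-positive case to look for in the logs before relying on the second rule.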

RE: Receiver Based Spam Scoring

Posted by Robert - elists <li...@abbacomm.net>.
 

 

> now...
>
> spammers have programmed their 'botnets' to send out duplicate spam in 15
> min intervals.
> all greylisting does is slow things down.
>
> for per user, look at amavisd-new
> --
> Michael Scheidell, President

Michael

Do you use greylisting at all?

If we may know, what other pre pipe to SA tools do you use?

 - rh


Re: Receiver Based Spam Scoring

Posted by Michael Scheidell <sc...@secnap.net>.
Brent Kennedy wrote:
> As far as I know, I can't set per user rules.  I run postfix piped to 
> spamassassin then to an exchange server.  I was thinking more along 
> the lines of a database which applies a rule based on a recipient 
> algorithm. 
>  
> Yesterday I turned on SQLGrey and saw the spam level drop overnight 
> but that isn't going to work for everyone, some people need all their 
> emails right away, but they want filtering and no spam, but don't like 
> pulling emails out of a junk email folder ( ARGH! ).  How long before 
> graylisting doesn't work anymore?
>
now...

spammers have programmed their 'botnets' to send out duplicate spam in 
15 min intervals.
all greylisting does is slow things down.

for per user, look at amavisd-new


-- 
Michael Scheidell, President
Main: 561-999-5000, Office: 561-939-7259
>| SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * Everything Channel Hot Product of 2008
    * Shaping Information Security Award 2008
    * CRN Magazine Top 40 Emerging Security Vendors


_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.spammertrap.com
_________________________________________________________________________

RE: Receiver Based Spam Scoring

Posted by Brent Kennedy <br...@cfl.rr.com>.
As far as I know, I can't set per user rules.  I run postfix piped to
spamassassin then to an exchange server.  I was thinking more along the
lines of a database which applies a rule based on a recipient algorithm.  
 
Yesterday I turned on SQLGrey and saw the spam level drop overnight but that
isn't going to work for everyone, some people need all their emails right
away, but they want filtering and no spam, but don't like pulling emails out
of a junk email folder ( ARGH! ).  How long before graylisting doesn't work
anymore?

  _____  

From: Michael Scheidell [mailto:scheidell@secnap.net] 
Sent: Thursday, August 07, 2008 3:38 PM
To: Brent Kennedy; users@spamassassin.apache.org
Subject: Re: Receiver Based Spam Scoring


So, the more pissed off a user is that his email is getting blocked, the
more you want to block?

I SORTA understand the (mis-understanding) that recipient based reputation
filtering can do, why not just use a daily (nightly) adjustment of user
based policies, see something like amavisd-new.  Set normal policies for
normal people.  If people get lots of quarantined spam, lower their spam
score threshold (and quarantine more)

Sounds like it might be a messy feedback loop there.. The more cocaine you
do, the more you want? Something like that?

-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer





Re: Receiver Based Spam Scoring

Posted by Michael Scheidell <sc...@secnap.net>.
So, the more pissed off a user is that his email is getting blocked, the
more you want to block?

I SORTA understand the (mis-understanding) that recipient based reputation
filtering can do, why not just use a daily (nightly) adjustment of user
based policies, see something like amavisd-new.  Set normal policies for
normal people.  If people get lots of quarantined spam, lower their spam
score threshold (and quarantine more)

Sounds like it might be a messy feedback loop there.. The more cocaine you
do, the more you want? Something like that?

-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer


