Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2004/04/14 19:44:36 UTC

Re: Rules to match ASes

David Cantrell writes:
> I already block mail from a rather large number of IPs before mail even
> reaches spamassassin, but have recently been thinking about blocking
> ASes instead of IPs.  That way, when $spamming_scum gets a new netblock
> they're automagically blocked without me having to add it to a long
> list.
> 
> I thought it might be useful for spamassassin to be able to do this too.
> A quick look through the archives and the current sources shows nothing
> relevant.
> 
> I found this:
>   http://zgp.org/linux-elitists/20040119143450.GF10939@ix.netcom.com.html
> which gives a bit of background info on why this might be useful, and
> ways of getting at the necessary data.

It does look very interesting.  I'd be keen to see results ;)
I wonder what we could use this for -- Bayes tokens?

One thing -- I have a feeling that senderbase may provide a way
to get AS numbers...

--j.


Re: Rules to match ASes

Posted by David Cantrell <da...@cantrell.org.uk>.
Justin Mason wrote:
> David Cantrell writes:
>>I already block mail from a rather large number of IPs before mail even
>>reaches spamassassin, but have recently been thinking about blocking
>>ASes instead of IPs.
>>
>>I found this:
>>  http://zgp.org/linux-elitists/20040119143450.GF10939@ix.netcom.com.html
>>which gives a bit of background info on why this might be useful, and
>>ways of getting at the necessary data.
> It does look very interesting.  I'd be keen to see results ;)

Analysing a few hours' worth of spam (from before I started aggressively 
filtering by IP) with a hokey shell script spits out lots of Chinese and 
Korean ASes, plus Roadrunner, SBC, PSINET, Rogers Cable, Verio - the 
usual suspects.  My script was too crude to produce reliable numbers.

> I wonder what we could use this for -- Bayes tokens?

I am very conservative about my mail handling, and I don't think I trust 
Bayes enough for this yet.  When Bayes misclassifies as spam stuff from 
a message body the damage is minor.  If Bayes misclassified an AS, mail 
from huge chunks of the internet could be affected, regardless of 
content.  Which would be bad.

-- 
David Cantrell | http://www.cantrell.org.uk/david

    Educating this luser would be something to frustrate even the
    unflappable Yoda and make him jam a lightsaber up his arse
    while screaming "praise evil, the Dark Side is your friend!".
                               -- Derek Balling, in the Monastery

Re: Rules to match ASes

Posted by Daniel Quinlan <qu...@pathname.com>.
Sidney Markowitz <si...@sidney.com> writes:

> I noticed that in the article he says that he did not check ham 
> percentages. It's hard to evaluate it just on the basis of spam hits 
> without any S/O numbers.

It also might be a more interesting technique for SBL (if they're not
already doing it) than for us.

Daniel

-- 
Daniel Quinlan                     anti-spam (SpamAssassin), Linux,
http://www.pathname.com/~quinlan/    and open source consulting

Re: Rules to match ASes

Posted by Sidney Markowitz <si...@sidney.com>.
Justin Mason wrote:
> It does look very interesting. I'd be keen to see results ;)

I noticed that in the article he says that he did not check ham 
percentages. It's hard to evaluate it just on the basis of spam hits 
without any S/O numbers.

  -- sidney
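
The measurement this thread asks for, per-AS spam and ham hits with an S/O ratio, as an added example that is not part of any poster's message or of SpamAssassin's code. The prefix-to-AS table, the labelled corpus, and the function names `origin_asn` and `so_by_asn` are constructed for illustration; S/O is defined here as spam% / (spam% + ham%).

```python
import ipaddress
from collections import defaultdict

# Constructed prefix -> origin AS table (documentation prefixes, private-use ASNs).
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "198.51.100.128/25": 64502,  # more-specific route inside 64501's block
    "203.0.113.0/24": 64503,
}

# Constructed hand-labelled corpus: (last external relay IP, is_spam).
CORPUS = [
    ("192.0.2.10", True), ("192.0.2.11", True), ("192.0.2.12", True),
    ("198.51.100.5", True), ("198.51.100.6", False), ("198.51.100.7", False),
    ("198.51.100.200", True), ("203.0.113.9", False), ("203.0.113.10", False),
    ("10.1.2.3", True),  # no covering prefix, so it stays unmapped (None)
]

# Most-specific prefixes first, so the first hit is the longest match.
_NETS = sorted(((ipaddress.ip_network(p), a) for p, a in PREFIX_TO_ASN.items()),
               key=lambda na: na[0].prefixlen, reverse=True)

def origin_asn(ip):
    """Longest-prefix match; None when no prefix covers the address."""
    addr = ipaddress.ip_address(ip)
    for net, asn in _NETS:
        if addr in net:
            return asn
    return None

def so_by_asn(corpus):
    """Return {asn: (spam_hits, ham_hits, S/O)}.

    S/O uses the percentage of each corpus that hit, so unequal spam and
    ham corpus sizes do not skew the ratio.
    """
    spam_total = sum(1 for _, is_spam in corpus if is_spam)
    ham_total = len(corpus) - spam_total
    hits = defaultdict(lambda: [0, 0])
    for ip, is_spam in corpus:
        hits[origin_asn(ip)][0 if is_spam else 1] += 1
    out = {}
    for asn, (s, h) in hits.items():
        sp = s / spam_total if spam_total else 0.0
        hp = h / ham_total if ham_total else 0.0
        out[asn] = (s, h, sp / (sp + hp) if sp + hp else 0.0)
    return out
```

In this constructed data AS64501 carries spam but scores an S/O of only 0.25, which is the kind of AS where a block would also drop ham; AS64502 scores 1.0 on a single message, which is too little evidence to act on.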