Posted to users@spamassassin.apache.org by Henrik K <he...@hege.li> on 2008/03/21 13:39:59 UTC

FreeMail plugin

Hello,

I updated my FreeMail plugin with a big list of domains
(http://www.rhyolite.com/anti-spam/freemail.html).

Try it out:

http://sa.hege.li/FreeMail.pm
http://sa.hege.li/FreeMail.cf

Pretty good hit ratio here, especially when you add some extra scores like
FREEMAIL_FROM && DCC_CHECK etc. All that freemail spam is annoying as it
can't be blocked directly at MTA (RBLs etc).

Cheers,
Henrik

Re: FreeMail plugin

Posted by Marc Perkel <ma...@perkel.com>.

Henrik K wrote:
> Hello,
>
> I updated my FreeMail plugin with a big list of domains
> (http://www.rhyolite.com/anti-spam/freemail.html).
>
> Try it out:
>
> http://sa.hege.li/FreeMail.pm
> http://sa.hege.li/FreeMail.cf
>
> Pretty good hit ratio here, especially when you add some extra scores like
> FREEMAIL_FROM && DCC_CHECK etc. All that freemail spam is annoying as it
> can't be blocked directly at MTA (RBLs etc).
>
> Cheers,
> Henrik
>
>   

That is an impressive list of freemail domains. Good job!!!!! This will 
be very useful.


Re: FreeMail plugin

Posted by mouss <mo...@netoyen.net>.
Marc Perkel wrote:
>
>
> Henrik K wrote:
>> Hello,
>>
>> I updated my FreeMail plugin with a big list of domains
>> (http://www.rhyolite.com/anti-spam/freemail.html).
>>
>> Try it out:
>>
>> http://sa.hege.li/FreeMail.pm
>> http://sa.hege.li/FreeMail.cf
>>
>> Pretty good hit ratio here, especially when you add some extra scores 
>> like
>> FREEMAIL_FROM && DCC_CHECK etc. All that freemail spam is annoying as it
>> can't be blocked directly at MTA (RBLs etc).
>>
>> Cheers,
>> Henrik
>>
>>   
>
> I have a suggestion for your freemail plugin. I don't know if you can 
> do this but if you can I want to see how.
>
> First look at the last received and verify that it is genuine. 
> (Forward Confirmed rDNS). If it is then check the freemail list and if 
> you have a match it means it came from a freemail server.
>
> If the message came from a freemail server then there's no reason to 
> check the IP address in any blacklist lookups because freemail servers 
> are neither black nor white and the IP address has no useful 
> information. Thus all other IP tests can be skipped. This will not 
> only cut system load but also false positives. No sense in checking 
> the blacklists if you already know it's from a yahoo server.

This is more related to DNSWL.

Besides, since SA uses scores, there is no reason to skip DNSBLs for any 
client. If a freemail server lately sent a lot of spam, some DNSBL may 
list it, and this will result in some points, which is realistic.

>
> Similarly, let's build a white list of domains (again Forward Confirmed 
> rDNS) that send no spam at all and can be instantly whitelisted.
>
should be an RHSWL.

> I'm doing something similar with Exim rules, but I need a bigger list.
>

This is a different thing.

Re: FreeMail plugin

Posted by Henrik K <he...@hege.li>.
On Mon, Mar 24, 2008 at 09:19:19AM -0700, Marc Perkel wrote:
>
> I have a suggestion for your freemail plugin. I don't know if you can do  
> this but if you can I want to see how.
>
> First look at the last received and verify that it is genuine. (Forward  
> Confirmed rDNS). If it is then check the freemail list and if you have a  
> match it means it came from a freemail server.
>
> If the message came from a freemail server then there's no reason to  
> check the IP address in any blacklist lookups because freemail servers  
> are neither black nor white and the IP address has no useful  
> information. Thus all other IP tests can be skipped. This will not only  
> cut system load but also false positives. No sense in checking the  
> blacklists if you already know it's from a yahoo server.

There isn't really any way to control DNS lookups from a plugin. They are
already fired before the plugin is run. What you are suggesting has really
nothing to do with me.

Furthermore, some webmails record sender IPs as a Received header, and that
will result in good matches.

Perhaps in some cases it would be nice to have a "trusted_domains" config,
which would disable every RBL check when first relay matches that. Maybe you
should open a bug entry for that.


Re: FreeMail plugin

Posted by Marc Perkel <ma...@perkel.com>.

Henrik K wrote:
> Hello,
>
> I updated my FreeMail plugin with a big list of domains
> (http://www.rhyolite.com/anti-spam/freemail.html).
>
> Try it out:
>
> http://sa.hege.li/FreeMail.pm
> http://sa.hege.li/FreeMail.cf
>
> Pretty good hit ratio here, especially when you add some extra scores like
> FREEMAIL_FROM && DCC_CHECK etc. All that freemail spam is annoying as it
> can't be blocked directly at MTA (RBLs etc).
>
> Cheers,
> Henrik
>
>   

I have a suggestion for your freemail plugin. I don't know if you can do 
this but if you can I want to see how.

First look at the last received and verify that it is genuine. (Forward 
Confirmed rDNS). If it is then check the freemail list and if you have a 
match it means it came from a freemail server.

If the message came from a freemail server then there's no reason to 
check the IP address in any blacklist lookups because freemail servers 
are neither black nor white and the IP address has no useful 
information. Thus all other IP tests can be skipped. This will not only 
cut system load but also false positives. No sense in checking the 
blacklists if you already know it's from a yahoo server.

Similarly, let's build a white list of domains (again Forward Confirmed 
rDNS) that send no spam at all and can be instantly whitelisted.

I'm doing something similar with Exim rules, but I need a bigger list.
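
The Forward Confirmed rDNS check suggested above, followed by a freemail domain match, as an added example that is not part of the original thread and is not the FreeMail plugin's code. The DNS tables, the `freemail.example` domain and all function names are constructed for illustration; a real check would query a resolver instead of the dictionaries.

```python
import ipaddress

# Constructed DNS data (documentation address ranges), so the check runs offline.
PTR = {
    "192.0.2.10": ["mta10.mail.freemail.example."],
    "192.0.2.66": ["mta1.freemail.example."],    # PTR claims a freemail name
    "198.51.100.7": ["mail.corp.example."],
    "203.0.113.5": ["mx.notfreemail.example."],
}
A = {
    "mta10.mail.freemail.example": ["192.0.2.10", "192.0.2.11"],
    "mta1.freemail.example": ["192.0.2.20"],     # forward lookup lacks .66
    "mail.corp.example": ["198.51.100.7"],
    "mx.notfreemail.example": ["203.0.113.5"],
}
FREEMAIL_DOMAINS = {"freemail.example"}  # hypothetical stand-in for the real list


def fcrdns_names(ip, ptr_lookup, addr_lookup):
    """Return the PTR names of ip whose forward lookup maps back to ip."""
    ip_obj = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr_lookup(ip):
        name = name.rstrip(".").lower()
        if ip_obj in {ipaddress.ip_address(a) for a in addr_lookup(name)}:
            confirmed.append(name)
    return confirmed


def in_domain_list(hostname, domains):
    """Match hostname or any parent domain, on label boundaries only."""
    labels = hostname.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def classify_relay(ip, ptr_lookup=lambda i: PTR.get(i, []),
                   addr_lookup=lambda n: A.get(n, [])):
    """Classify a relay IP as unconfirmed, freemail-relay or confirmed-other."""
    names = fcrdns_names(ip, ptr_lookup, addr_lookup)
    if not names:
        return "unconfirmed"          # rDNS missing or not forward-confirmed
    if any(in_domain_list(n, FREEMAIL_DOMAINS) for n in names):
        return "freemail-relay"
    return "confirmed-other"


if __name__ == "__main__":
    for addr in PTR:
        print(addr, classify_relay(addr))
```

The PTR record is controlled by whoever owns the IP block, so only a name whose forward lookup returns the same address is trusted, and the list match is done on label boundaries so that `notfreemail.example` does not count as `freemail.example`.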


Re: FreeMail plugin

Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Tue, 2008-08-26 at 11:15 -0500, Larry Nedry wrote:
>  Below are the FreeMail stats from the last 10,000 messages processed
> by SA.

Are these scores based on hand-sorted spam/ham?  Or is %OFHAM because
this is the only test that hit?

FREEMAIL_FROM is by nature a pretty weak sign.  FREEMAIL_REPLYTO is
generally much more reliable.

> ----------------------------------------------------------
> RANK    RULE NAME            SPAM     HAM  %OFSPAM  %OFHAM      
> ----------------------------------------------------------
> 157    FREEMAIL_FROM          159     591     3.35   11.65
> 222    FREEMAIL_REPLYTO        64      35     1.35    0.69

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com


Re: FreeMail plugin

Posted by Henrik K <he...@hege.li>.
On Tue, Aug 26, 2008 at 11:15:32AM -0500, Larry Nedry wrote:
> On 3/21/08 at 4:59 PM +0200 Henrik K wrote:
> >Hehe, yeah it should be ok. Let me know if you spot any false FPs with
> >REPLYTO..
> 
> I recently installed the FreeMail 1.10 SA plugin and am getting a
> ridiculous number of FPs.  I haven't installed Regexp::Assemble but that
> shouldn't make any difference in accuracy.  Below are the FreeMail stats
> from the last 10,000 messages processed by SA.
> 
> Any thoughts?
> 
> Nedry
> 
> ----------------------------------------------------------
> RANK    RULE NAME            SPAM     HAM  %OFSPAM  %OFHAM      
> ----------------------------------------------------------
> 157    FREEMAIL_FROM          159     591     3.35   11.65

Nothing strange about that. It does what it's supposed to. :)

> 222    FREEMAIL_REPLYTO        64      35     1.35    0.69

My last 64k messages say 94 ham, 11 spammy, 1309 spam. You need to have a
look at your messages. The reason might even be that you don't have good
enough other rules to push such spam over the limit, so it appears to be in
the ham category.. your statistics need a "spammy" category (for example
scores 3-4.9).


Re: FreeMail plugin

Posted by Larry Nedry <sp...@bluestreak.net>.
On 3/21/08 at 4:59 PM +0200 Henrik K wrote:
>Hehe, yeah it should be ok. Let me know if you spot any false FPs with
>REPLYTO..

I recently installed the FreeMail 1.10 SA plugin and am getting a
ridiculous number of FPs.  I haven't installed Regexp::Assemble but that
shouldn't make any difference in accuracy.  Below are the FreeMail stats
from the last 10,000 messages processed by SA.

Any thoughts?

Nedry

----------------------------------------------------------
RANK    RULE NAME            SPAM     HAM  %OFSPAM  %OFHAM      
----------------------------------------------------------
157    FREEMAIL_FROM          159     591     3.35   11.65
222    FREEMAIL_REPLYTO        64      35     1.35    0.69

Re: FreeMail plugin

Posted by Henrik K <he...@hege.li>.
On Fri, Mar 21, 2008 at 04:41:10PM +0200, Jari Fredriksson wrote:
> > Hello,
> > 
> > I updated my FreeMail plugin with a big list of domains
> > (http://www.rhyolite.com/anti-spam/freemail.html).
> > 
> > Try it out:
> > 
> > http://sa.hege.li/FreeMail.pm
> > http://sa.hege.li/FreeMail.cf
> > 
> > Pretty good hit ratio here, especially when you add some
> > extra scores like FREEMAIL_FROM && DCC_CHECK etc. All
> > that freemail spam is annoying as it can't be blocked
> > directly at MTA (RBLs etc). 
> > 
> > Cheers,
> > Henrik
> 
> So, I downloaded them both (pm and cf) to my /etc/spamassassin, removed
> the # from "you can try these" and restarted spamd. Is that ok?
> 
> I'm too drunk to find it out myself ;)

Hehe, yeah it should be ok. Let me know if you spot any false FPs with
REPLYTO..


Re: FreeMail plugin

Posted by Jari Fredriksson <ja...@iki.fi>.
> Hello,
> 
> I updated my FreeMail plugin with a big list of domains
> (http://www.rhyolite.com/anti-spam/freemail.html).
> 
> Try it out:
> 
> http://sa.hege.li/FreeMail.pm
> http://sa.hege.li/FreeMail.cf
> 
> Pretty good hit ratio here, especially when you add some
> extra scores like FREEMAIL_FROM && DCC_CHECK etc. All
> that freemail spam is annoying as it can't be blocked
> directly at MTA (RBLs etc). 
> 
> Cheers,
> Henrik

So, I downloaded them both (pm and cf) to my /etc/spamassassin, removed the # from "you can try these" and restarted spamd. Is that ok?

I'm too drunk to find it out myself ;)