Help for old-school SA?

[Mike Jackson <mj...@barking-dog.net>]

I work for a large hosting provider. Some of our hosting accounts are 
(effectively) stuck using SA 2.63, since they are using older Redhat 
installs coupled with older versions of the Plesk control panel. (Why 
stuck? Because Plesk and ES2.1 won't recognize post-2 versions, provide 
proper startup options, or write out the proper header-munging rules.) 
Needless to say, SA 2.63 isn't very effective anymore. I will often set up 
SARE rulesets and RulesDuJour, install & configure Razor, lower the Bayes 
autolearn thresholds and minimum message counts, make sure Net::DNS and 
Mail::SPF::Query are installed, and use RBLs within Qmail. It's not all 
that effective, or at least not as effective as they want.

So, what other tools can I add to my arsenal under these circumstances?

Re: Help for old-school SA?

[Kris Deugau <kd...@vianet.ca>]

Mike Jackson wrote:
> I work for a large hosting provider. Some of our hosting accounts are 
> (effectively) stuck using SA 2.63, since they are using older Redhat 
> installs coupled with older versions of the Plesk control panel. (Why 
> stuck? Because Plesk and ES2.1 won't recognize post-2 versions, provide 
> proper startup options, or write out the proper header-munging rules.) 
> Needless to say, SA 2.63 isn't very effective anymore. I will often set 
> up SARE rulesets and RulesDuJour, install & configure Razor, lower the 
> Bayes autolearn thresholds and minimum message counts, make sure 
> Net::DNS and Mail::SPF::Query are installed, and use RBLs within Qmail. 
> It's not all that effective, or at least not as effective as they want.
> 
> So, what other tools can I add to my arsenal under these circumstances?

I'm not sure what sort of mail is slipping through in your case, but 
I've got three (fairly heavily tweaked) 2.64 installs that are still 
"good enough".  I've kept the default threshold of 5 (except for a few 
specific customers, and three ISP role accounts).

-> A well-trained Bayes DB is crucial.  One system's Bayes db is 4+ 
years old, and only occasionally misfiring.  I regularly feed missed 
spam into it;  occasionally I get a ham or two to feed it.  I've pushed 
the autolearn-as-ham threshold down to -0.1.

-> There are a few known security/DoS issues with 2.63.  Move heaven and 
earth to go to 2.64;  it's a drop-in upgrade that should be painless.

-> The SARE stocks ruleset has helped eliminate *most* of the 
image-based stock spam I've been seeing.  IIRC I'm also using the 
"adult" ruleset;  I can't afford too many more due to memory limits.  :/

-> The SURBL patch for 2.6x has been *very* useful - less so now than it 
was when it was released maybe, but it still pushes a fair chunk of the 
spam over the threshold.

-> Local rules for whatever is slipping through are generally pretty 
effective;  eveyone gets a somewhat different mix of spam.  I have rules 
that would be pretty much useless for anyone else, because they rely on 
specific aspects of *this* particular mail system.

-> For an ISP, customer feedback is critical.  Over time, I've managed 
to teach a few customers exactly how to forward mail they've downloaded 
so I can feed it back to Bayes ("right-click, forward as attachment" 
works in everything but Outlook and Eudora IIRC), and check the raw 
message for possible local rules.  Accumulating a useful global 
whitelist is also useful - some perfectly legitimate bulk senders just 
don't have a clue, so whitelisting them at some layer makes sure 
customers get their joke-of-the day spam^H^H^H^Hmail.

-> A little bit of statistics can do wonders for customer opinions. 
"I'm complaining about 5 spams a day" becomes "Wow, keep up the good 
work!" when you point out that the filter has diverted 500 spams a day 
from their inbox.  This is particularly effective if they haven't had 
problems with legit mail getting tagged.

-kgd

Re: Help for old-school SA?

[Mike Jackson <mj...@barking-dog.net>]

> First thing: find the patch for the URIBL rules and get that enabled.  It 
> will probably catch 90% of the spam making it through.

Thanks for the suggestions. Actually, I was mistaken; the server that 
prompted this request had 2.61 installed. I upgraded him to 2.64, and 
tracked down the SpamCopURI plugin. But, he's already using every 
conceivable RBL at the SMTP level, so it may not help a lot.

Re: Help for old-school SA?

[Loren Wilton <lw...@earthlink.net>]

First thing: find the patch for the URIBL rules and get that enabled.  It 
will probably catch 90% of the spam making it through.

It would probably be possible to build an eval test for 2.63 that would do 
what FuzzyOCR does, but it woudl take some work by someone that knows perl 
(which isn't me).

        Loren

----- Original Message ----- 
From: "Mike Jackson" <mj...@barking-dog.net>
To: <us...@spamassassin.apache.org>
Sent: Friday, December 01, 2006 8:55 AM
Subject: Help for old-school SA?


>I work for a large hosting provider. Some of our hosting accounts are 
>(effectively) stuck using SA 2.63, since they are using older Redhat 
>installs coupled with older versions of the Plesk control panel. (Why 
>stuck? Because Plesk and ES2.1 won't recognize post-2 versions, provide 
>proper startup options, or write out the proper header-munging rules.) 
>Needless to say, SA 2.63 isn't very effective anymore. I will often set up 
>SARE rulesets and RulesDuJour, install & configure Razor, lower the Bayes 
>autolearn thresholds and minimum message counts, make sure Net::DNS and 
>Mail::SPF::Query are installed, and use RBLs within Qmail. It's not all 
>that effective, or at least not as effective as they want.
>
> So, what other tools can I add to my arsenal under these circumstances?