
Re: sending spam to /dev/null

2005-07-25 04:32:49
Hi guys,

On Sun, 24 Jul 2005 Damian Menscher wrote:

> Chris wrote:
>> I'll be going on vacation in about a month and instead of coming
>> back to a spam folder full of a couple of thousand messages I'd
>> just like to not even have them tossed into the spam folder.
>> ...
>> want to make sure this is the correct way.
>
> Yes, it is.  I do the following...
> ...
> This blackholes the definite spam ... and saves the probable spam

It seems to me that with these methods the spam will be accepted by
the server and not 'blackholed'.

I don't want to start an argument about the finer points of spam
terminology.  The point isn't what we want to call it, but what the
spammers see and do.

If SpamAssassin junks a message after delivery then the spammer has
done his job - and done it well - and will likely keep on doing it.  I
used to rely on SpamAssassin for all my spam-blocking needs.  Over the
years I found that the volume of spam was increasing, with no sign of
the rate of increase slowing down.  In fact at one point last year it
was increasing at an alarming rate, and something had to be done or I
would soon have consumed all the available bandwidth for no purpose.

It's important to REJECT mail from spammers, not to accept it and then
send it to /dev/null or some spam folder.  Spammers are not stupid.
They make money on the small percentage of nitwits who respond to mail
that is DELIVERED.  They cannot know whether the message is delivered
to inbox or caughtspam, but as long as it is delivered somewhere they
can move on to the next victim knowing that the odds have just edged,
however slightly, in their favour.  If they see all the mail rejected
by a strongly defended server, then until they're jailed or lynched we
can at least hope that they'll move on to somewhere more profitable,
and that with each move they will make less profit than before.

Here's what I do now:

1.  Block all but a few selected senders of mail from Asia, Russia,
    Latin America, the Caribbean, Turkey, Italy, Spain, Portugal,
    Africa, Israel and the middle east.  This is done by IP address.
    In fact I block all connections from most of those places at our
    firewalls since in addition to spam we get an endless stream of
    attempts to hack machines from those places - particularly Asia.

2.  Use a 'greet pause' of several seconds longer than the default
    supplied with the sendmail option.

3.  List a few known spam houses in the sendmail access database -
    and a few others who would probably sue me if I called them that,
    you all know who they are.

4.  Maintain seven sendmail milters, in this order:

    rcptfilter
    spfmilter
    chainmail
    milter-regex
    dnsbl
    greylist
    clamav-milter

    Maintenance is important, to keep on top of the shifting sands.
    The order is important since some milters (e.g. milter-regex)
    can inspect headers added by those earlier in the list, and of
    course some milters (e.g. milter-regex:) are heavier on the
    CPU cycles than others.  There's no need to burn cycles if the
    spam can be rejected by less CPU intensive methods.  Some of
    the configurations are fairly complex, particularly as I'm the
    mail administrator for several different organizations, but it
    has been well worth the effort.  If I had to choose just one it
    would definitely be milter-regex (I especially like a, um, terse
    response to machines which connect claiming to be one of my own)
    but I'm very pleased with the results from all of them, dnsbl in
    particular which I configure to use anything from three to seven
    blacklists depending on the recipient.

5.  Periodically inspect the logs (grep is handy).  Feedback from this
    activity is important for maintenance.

6.  Finally I still run SpamAssassin.  It has now been trained on
    something like 100,000 spam messages and 10,000 ham messages so
    it's pretty good, but it doesn't have much to do as you'll see.

Note that the only results from the milters are mail being accepted
or rejected.  There's no putting it in spam folders or anything of
that kind.  Occasionally a legitimate mail is blocked.  When that
happens either I never find out about it (bad, but not a disaster:)
or the sender finds a way to let me know - usually by reading the
bounce message, which should tell him what to do, but not always.
I've been surprised by the number of people who don't read bounces.
Occasionally they call the intended recipient, and they email me.
They're never upset, they understand the problems.

Here are the results so far.  Currently I block about 250 spam emails
per hour.  I used to get over 5000 junk mails per month in my personal
'caughtspam' file.  Here's my personal caughtspam index now:

  1 Feb 24 Eldora Q Selzer          (4280) <pain garbage>...0VERNlGHT
+ 2 Feb 24 Support Admin - Cody C   (7756) Instructions To Remove Spyw
+ 3 Feb 25 Washington Mutual        (6936) Urgent - Online Account Upd
  4 Apr 13 Jackie<at>Globalflavour   (37K) JAD Concept            FAO
  5 Apr 24 abacha                   (8760) Alhaji Mohammed Abacha.
+ 6 Jun 18 Alvarofern                (10K) ASAP
  7 Jun 10 Dw371966<at>aoldotcom    (5466) Hello
  8 Jun 29 sales<at>rankhigher<dot>  (14K) Top of the Search Engines i
  9 Jul 15 sales<at>rankhigher<dot>  (14K) Top of the Search Engines i

Edited subject lines hopefully won't set off too many spam blockers :)
and yes, the dates are in the right order - the date of receipt.

Spam is no longer a problem to our organization, and the volume of
incoming junk is not increasing any more.  I'll do something about
rankhihger<dot>comething when I get a minute.

Personally I like procmail a lot for the things that I use it for but
I think it isn't the right tool for fighting spam.  I don't want to
get into a fist-fight with anyone about it.  I've lurked on the list
for a while, I've seen a lot of correspondence about spam, and I just
wanted to share my take with you, that's all.  For many reasons, you
can't all do exactly what I've done here, I know.  YMMV as they say.

And apologies that most of this is off-topic for the procmail list.

73,
Ged.
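Step 5 of the setup above (periodically inspecting the logs to see which stage is rejecting what, and at what rate) is the kind of thing grep answers one question at a time; the script below answers several at once. It is an added example and not part of Ged's post: it parses log lines loosely modelled on sendmail's maillog format (the "Milter (name): ... reject=NNN" form, "ruleset=... reject=NNN" access-database rejections, and the "rejecting commands ... due to pre-greeting traffic" greet-pause message), counts rejections per stage and per hour, and splits them into permanent (5xx), temporary (4xx, i.e. greylisting) and connection-level rejections. The sample log is constructed; the milter names are those listed in the post, and the exact wording of the reject text is an assumption, so adjust the regexes to what your own MTA actually writes.

```python
"""Summarise MTA rejections by stage and by hour from a sendmail-style maillog.

Added example (not from the procmail list post). Log lines are constructed and
only loosely modelled on sendmail's maillog format; the milter names match the
post's milter list, the reject texts are assumptions.
"""
import re
from collections import Counter
from typing import Optional

# Constructed sample log: one hour of assorted rejections plus one accepted mail.
SAMPLE_LOG = """\
Jul 25 04:01:12 mx sendmail[2101]: j6P41Cxx002101: ruleset=check_relay, arg1=[192.0.2.10], arg2=127.0.0.2, relay=[192.0.2.10], reject=550 5.7.1 Access denied
Jul 25 04:03:30 mx sendmail[2110]: j6P43Uxx002110: rejecting commands from [198.51.100.7] due to pre-greeting traffic
Jul 25 04:07:44 mx sendmail[2120]: j6P47ixx002120: Milter (dnsbl): to=<user@example.org>, reject=550 5.7.1 Blocked - see http://dnsbl.example/
Jul 25 04:09:02 mx sendmail[2125]: j6P492xx002125: Milter (milter-regex): from=<noreply@mx.example.org>, reject=550 5.7.1 HELO claims to be my own host
Jul 25 04:15:19 mx sendmail[2140]: j6P4FJxx002140: Milter (greylist): to=<user@example.org>, reject=451 4.7.1 Greylisted, please try again later
Jul 25 04:40:00 mx sendmail[2160]: j6P4e0xx002160: from=<friend@example.net>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [203.0.113.5]
Jul 25 05:02:11 mx sendmail[2201]: j6P52Bxx002201: Milter (dnsbl): to=<user@example.org>, reject=550 5.7.1 Blocked - see http://dnsbl.example/
Jul 25 05:20:45 mx sendmail[2220]: j6P5Kjxx002220: Milter (clamav-milter): to=<user@example.org>, reject=554 5.7.1 virus found
"""

# "Mon DD HH" prefix of a syslog timestamp; used as the per-hour bucket key.
STAMP_RE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}):\d{2}:\d{2} ")
# Milter rejection: sendmail names the milter in parentheses (assumed form).
MILTER_RE = re.compile(r"Milter \((?P<milter>[^)]+)\): .*?reject=(?P<code>\d{3})")
# Access-database / ruleset rejection.
RULESET_RE = re.compile(r"ruleset=(?P<ruleset>\w+),.*?reject=(?P<code>\d{3})")
# Greet-pause rejection: the client talked before the banner; no SMTP code is logged.
GREETPAUSE_RE = re.compile(r"rejecting commands from .* due to pre-greeting traffic")


def parse_line(line: str) -> Optional[dict]:
    """Return {'hour', 'stage', 'code'} for a rejection line, or None otherwise."""
    stamp = STAMP_RE.match(line)
    if not stamp:
        return None
    hour = stamp.group("stamp")
    if m := MILTER_RE.search(line):
        return {"hour": hour, "stage": "milter:" + m.group("milter"), "code": m.group("code")}
    if m := RULESET_RE.search(line):
        return {"hour": hour, "stage": "ruleset:" + m.group("ruleset"), "code": m.group("code")}
    if GREETPAUSE_RE.search(line):
        return {"hour": hour, "stage": "greet-pause", "code": None}
    return None  # accepted mail or unrelated log noise


def classify(code: Optional[str]) -> str:
    """Map an SMTP reply code to permanent / temporary / connection-level."""
    if code is None:
        return "connection"
    return "permanent" if code.startswith("5") else "temporary"


def summarize(log_text: str) -> dict:
    """Count rejections by stage, by hour bucket and by class over a whole log."""
    by_stage, by_hour, by_class = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_stage[rec["stage"]] += 1
        by_hour[rec["hour"]] += 1
        by_class[classify(rec["code"])] += 1
    return {
        "total": sum(by_hour.values()),
        "by_stage": by_stage,
        "by_hour": by_hour,
        "by_class": by_class,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"total rejections: {summary['total']}")
    for stage, n in summary["by_stage"].most_common():
        print(f"  {stage:<24} {n}")
    for hour, n in sorted(summary["by_hour"].items()):
        print(f"  {hour}: {n}/hour")
    print("  by class:", dict(summary["by_class"]))
```

Run it against a real maillog with `summarize(open("/var/log/maillog").read())`; a stage that suddenly stops appearing (a DNSBL that went dead, a milter that crashed and sendmail is now skipping) shows up as a missing row, which is the feedback the post's step 5 is after.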

____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail