From: David MacQuigg [mailto:david_macquigg(_at_)yahoo(_dot_)com]
Amen. I often wish I could simply reject all mail that fails to have an RFC compliant HELO (FQDN that resolves to the connect ip).
Suggestion:
Greylist them. Greylisting (especially with a VERY SMALL whitelist)
has an almost non-existent false positive rate, and if you only
apply greylisting to the mail attempts that break one of your
other desired rules you will only be "chancing" such against
0.03 - 1.22% of your email that COULD be a false positive.
That is, your other methods have a FP rate of around 1% or less
and greylisting is going to cause trouble with almost none of
those (1% of 1% even if we assume the worst for greylisting
which just isn't the case for us.) More realistic would likely
be 0.05 of 0.01 or about 0.0005% (or better) -- and most tests
show that even HUMANS cannot approach this rate.
TEST (30-day totals)         matched    FP     FP rate
bad_helo                       76033    925     1.22%
broadband                     750339   2252     0.30%
require_ptr                   830756   3830     0.46%
...
country/china                 670558    233     0.03%
country/korea                 418678    164     0.04%
...
dnsbl/bl.spamcop.net         6613796   2781     0.04%
dnsbl/sbl.spamhaus.org        747938    343     0.05%
Personally we leave bad_helo out for many tests
(3-4 times worse than the others) but use
combinations of "no ptr AND SpamHaus" etc.
Greylisting will ONLY cut your spam to 1-10% of
its normal value -- 91%+ of our greylisted
"mail" never returns. And remember, once it
does "return" it gets auto-whitelisted through
the greylist system so this is actually a much
higher percentage of "spam" that is getting
deferred and avoided.
But also notice that a "perfectly valid email"
will not be greylisted, and of course could still
be spam, so...
We even drive Greylisting with SpamAssassin and
SPF Fail/Softfail. No one test ever drops email,
and generally only a few combinations of tests
drop email -- except by directing it through the
Greylist check.
Even our "blacklist subjects" are predicated on
an SA score as spam. (Ok, there are a few like
the V word spelled with numbers and bar/slash
characters that are 100% spam and we can block.)
(Special handling for Spam discussion lists of
course.)
Nothing is getting through, nothing is being
dropped. I am now worried mostly about those
ACCEPTED Spams filtered to "spam catch accounts"
that score LESS than 30 and need to be carefully
reviewed.
We have gotten to the point where SA is
used to setup "categories", Spam, SuperSpam,
and now MegaSpam.
We haven't done it yet, but SuperSpam COULD be
just dropped.
BTW: 0.0005% is 1 out of 200,000.
My next project is CRM114 with Markovian filters
and hyperspace luminosity scoring (really.)
--
Herb Martin
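The policy Herb describes, written out as an added example that is not code from either poster: a triplet greylister that auto-whitelists a sender once it returns, plus a decision function in which no single failing test drops mail, any failing test routes the attempt through the greylist, and only named combinations (the "no PTR AND SpamHaus" one from the mail) drop outright. The 300-second retry window, the use of the table's test names as keys, and the DROP_COMBOS list are assumptions for illustration.

```python
import time

# Assumed: combinations that drop outright, named with the test labels
# from the table above ("no ptr AND SpamHaus").
DROP_COMBOS = [{"require_ptr", "dnsbl/sbl.spamhaus.org"}]


class Greylist:
    """Triplet greylist: defer the first (ip, sender, rcpt) contact,
    admit a retry after min_delay seconds, then auto-whitelist it."""

    def __init__(self, min_delay=300, whitelist=None):
        self.min_delay = min_delay            # assumed 5-minute window
        self.first_seen = {}                  # triplet -> first attempt time
        self.whitelist = set(whitelist or []) # kept VERY SMALL on purpose
        self.passed = set()                   # triplets that came back

    def check(self, ip, sender, rcpt, now=None):
        now = time.time() if now is None else now
        if ip in self.whitelist:
            return "accept"
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.passed:
            return "accept"                   # auto-whitelisted on return
        seen = self.first_seen.get(key)
        if seen is None:
            self.first_seen[key] = now
            return "defer"                    # temporary 4xx; most spam never retries
        if now - seen < self.min_delay:
            return "defer"                    # retried too soon
        self.passed.add(key)
        return "accept"


def decide(failed, gl, ip, sender, rcpt, now=None):
    """failed: set of test names this attempt tripped, e.g. {'bad_helo'}.
    Returns 'accept', 'defer' (greylisted) or 'drop'."""
    if not failed:
        return "accept"                       # perfectly valid mail is never greylisted
    if any(combo <= failed for combo in DROP_COMBOS):
        return "drop"                         # only a combination of tests drops
    return gl.check(ip, sender, rcpt, now)    # a single failing test just greylists
```

Tests such as an SA "spam" verdict or an SPF Fail/Softfail slot in as further names in the failed set, so they drive greylisting without dropping anything on their own.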