spf-discuss

RE: Effectiveness of compliance testing - was: Hole in spfmilter 0.95

2005-08-22 10:39:01
From: David MacQuigg [mailto:david_macquigg(_at_)yahoo(_dot_)com] 

Amen.  I often wish I could simply reject all mail that fails to have
an RFC compliant HELO (FQDN that resolves to the connect ip).

Suggestion:

Greylist them.  Greylisting (especially with a VERY SMALL whitelist)
has an almost non-existent false positive rate, and if you only
apply greylisting to the mail attempts that break one of your
other desired rules you will only be "chancing" such against
0.03 - 1.22% of your email that COULD be a false positive.

That is, your other methods have a FP rate of around 1% or less
and greylisting is going to cause trouble with almost none of
those (1% of 1% even if we assume the worst for greylisting 
which just isn't the case for us.)  More realistic would likely
be 0.05 of 0.01 or about 0.0005% (or better) -- and most tests 
show that even HUMANS cannot approach this rate.


TEST                       30-day totals
bad_helo                     76033    925  1.22%
broadband                   750339   2252  0.30%
require_ptr                 830756   3830  0.46%
...
country/china               670558    233  0.03%
country/korea               418678    164  0.04%
...
dnsbl/bl.spamcop.net       6613796   2781  0.04%
dnsbl/sbl.spamhaus.org      747938    343  0.05%

Personally we leave bad_helo out for many tests
(3-4 times worse than the others) but use 
combinations of "no ptr AND SpamHaus" etc.

Greylisting will ONLY cut your spam to 1-10% of
its normal value -- 91%+ of our greylisted 
"mail" never returns.  And remember, once it 
does "return" it gets auto-whitelisted through
the greylist system so this is actually a much
higher percentage of "spam" that is getting 
deferred and avoided.

But also notice that a "perfectly valid email" 
will not be greylisted, and of course could still 
be spam, so...

We even drive Greylisting with Spam Assassin and
SPF Fail/Softfail.  No one test ever drops email,
and generally only a few combinations of tests 
drop email -- except by directing it through the 
Greylist check.

Even our "blacklist subjects" are predicated on
an SA score as spam.  (Ok, there are a few like
the V word spelled with numbers and bar/slash
characters that are 100% spam and we can block.)
(Special handling for Spam discussion lists of
course.)

Nothing is getting through, nothing is being 
dropped.  I am now worried mostly about those
ACCEPTED Spams filtered to "spam catch accounts" 
that score LESS than 30 and need to be carefully 
reviewed.  

We have gotten to the point where SA is
used to set up "categories", Spam, SuperSpam,
and now MegaSpam.

We haven't done it yet, but SuperSpam COULD be
just dropped.

BTW: 0.0005% is 1 out of 200,000.

My next project is CRM114 with Markovian filters
and hyperspace luminosity scoring (really.)

--
Herb Martin
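The selective greylisting policy described in the post above, as an added Python sketch that is not part of the original thread or of any real milter: greylisting is applied only to connections that already trip another test (bad HELO, "no PTR AND SpamHaus", SPF Fail/Softfail), a first-seen sender is tempfailed, and a sender that returns after the delay is auto-whitelisted. The trigger rules, the delay value and the sample addresses are assumptions.

```python
"""Selective greylisting: tempfail only mail that already failed another test,
then auto-whitelist the (ip, sender, recipient) triplet once it retries."""
from dataclasses import dataclass, field

GREYLIST_DELAY = 300  # seconds a first-seen triplet must wait before a retry counts (assumed)


@dataclass
class Attempt:
    """One SMTP delivery attempt plus the verdicts of the other tests (constructed)."""
    ip: str
    mail_from: str
    rcpt_to: str
    t: int                  # wall-clock seconds of the attempt
    bad_helo: bool = False  # HELO is not an FQDN resolving to the connecting IP
    has_ptr: bool = True    # connecting IP has a PTR record
    on_sbl: bool = False    # connecting IP is listed on sbl.spamhaus.org
    spf: str = "pass"       # "pass", "none", "softfail" or "fail"


@dataclass
class Greylister:
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    whitelist: set = field(default_factory=set)     # triplets that came back after the delay

    def needs_greylist(self, a: Attempt) -> bool:
        # Trigger rules from the post; no single test drops mail on its own.
        return a.bad_helo or (not a.has_ptr and a.on_sbl) or a.spf in ("fail", "softfail")

    def decide(self, a: Attempt) -> str:
        key = (a.ip, a.mail_from, a.rcpt_to)
        if key in self.whitelist or not self.needs_greylist(a):
            return "accept"
        if key not in self.first_seen:
            self.first_seen[key] = a.t
            return "tempfail"  # 4xx: a real MTA queues and retries, most spamware does not
        if a.t - self.first_seen[key] < GREYLIST_DELAY:
            return "tempfail"  # retried too soon, keep deferring
        self.whitelist.add(key)  # it "returned": auto-whitelist the triplet from now on
        return "accept"


def demo() -> list:
    """Replay a constructed sequence: one clean sender, one with a bad HELO that retries."""
    g = Greylister()
    seq = [Attempt("203.0.113.5", "a@example.com", "b@example.net", 0),
           Attempt("203.0.113.9", "x@example.org", "b@example.net", 0, bad_helo=True),
           Attempt("203.0.113.9", "x@example.org", "b@example.net", 60, bad_helo=True),
           Attempt("203.0.113.9", "x@example.org", "b@example.net", 400, bad_helo=True)]
    return [g.decide(a) for a in seq]


if __name__ == "__main__":
    print(demo())  # ['accept', 'tempfail', 'tempfail', 'accept']
```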

