Thought I would let everyone know about a sweet system I have
running in production on a client. It provides highly
effective content filtering with virtually zero false
positives, and without any user input. It is based on
pymilter, SPF, the open-source DSpam content filter,
auto-whitelist, and a honeypot.
Add greylisting (and optionally implement it ONLY for
any 'suspicious' mails) and you can likely cut out
about 90% of whatever is left, especially those zombies.
Maybe more/less depending on what you are already filtering
but if you are getting mostly zombie mail now then MORE
than 90% is likely to be removed.
If you use "suspicious" only (helo/reverse mismatch,
aggressive blacklists, etc.) then you will have no
disadvantages from the greylisting.
The obvious weak point of this system is zombies. Should any
of the whitelisted senders contract a zombie, it would be
possible for the zombie to crank out spam - and poison the
DSpam dictionary in the process. So far, this is not a
problem in practice because most zombies forge the sender
(and hence don't pass SPF). I'm not sure what the next step
is when zombie writers start using senders filched from the
local machine that get SPF pass and are likely whitelisted.
Greylisting will stop the vast majority of them.
--
Herb Martin
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
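The policy Herb describes (greylist only "suspicious" connections, let SPF-pass senders on the auto-whitelist straight through) is easy to express as the decision logic of a milter. The block below is an added illustration, not Herb Martin's code and not part of pymilter, DSpam or any other project he names. It runs offline: the pieces a real milter would get from pyspf and DNS (the SPF result, the PTR name) are passed in as fields of a constructed Connection record, the whitelist and blacklist are small hard-coded sets, and the greylist is an in-memory dict with assumed timing constants. The sample connections are constructed for the example.

```python
import time
from dataclasses import dataclass

# Assumed greylisting parameters (not from the original post).
GREYLIST_MIN_DELAY = 300        # seconds a new triplet must wait before it is accepted
GREYLIST_MAX_AGE = 36 * 3600    # forget triplets that never come back within this window


@dataclass
class Connection:
    """What a pymilter callback would have collected by the RCPT stage (stubbed here)."""
    client_ip: str
    helo: str
    reverse_name: str   # PTR lookup result, '' when there is none
    mail_from: str
    rcpt_to: str
    spf_result: str     # result from pyspf: 'pass', 'fail', 'softfail', 'neutral', 'none'


def _domain(name: str) -> str:
    """Last two labels of a hostname, e.g. 'mx2.example.net' -> 'example.net'."""
    return ".".join(name.split(".")[-2:])


def helo_reverse_mismatch(conn: Connection) -> bool:
    """Suspicious when HELO is an IP literal, there is no PTR, or HELO and PTR
    name disagree even at the domain level (mx1 vs mx2 of the same domain is fine)."""
    if not conn.reverse_name:
        return True
    helo = conn.helo.lower().strip("[]").rstrip(".")
    if helo.replace(".", "").isdigit():        # "[203.0.113.77]" style HELO
        return True
    rev = conn.reverse_name.lower().rstrip(".")
    return helo != rev and _domain(helo) != _domain(rev)


def is_suspicious(conn: Connection, blacklisted_ips: set) -> bool:
    """The 'suspicious' tests from the post: SPF fail/softfail, HELO/reverse
    mismatch, or a hit on an aggressive blacklist (simulated as a set of IPs)."""
    return (conn.spf_result in ("fail", "softfail")
            or helo_reverse_mismatch(conn)
            or conn.client_ip in blacklisted_ips)


class Greylist:
    """Classic triplet greylisting kept in memory; a real milter would persist this."""

    def __init__(self, min_delay=GREYLIST_MIN_DELAY, max_age=GREYLIST_MAX_AGE):
        self.min_delay = min_delay
        self.max_age = max_age
        self.first_seen = {}   # (client_ip, mail_from, rcpt_to) -> timestamp

    def check(self, triplet, now: float) -> str:
        first = self.first_seen.get(triplet)
        if first is None or now - first > self.max_age:
            self.first_seen[triplet] = now      # new (or stale) triplet: defer
            return "TEMPFAIL"
        if now - first < self.min_delay:
            return "TEMPFAIL"                    # retried too soon: keep deferring
        return "ACCEPT"                          # a real MTA queued and retried


def decide(conn: Connection, whitelist: set, blacklist: set,
           greylist: Greylist, now: float = None) -> str:
    """Milter verdict. ACCEPT means the message goes on to DSpam; TEMPFAIL is a 4xx."""
    if now is None:
        now = time.time()
    # Auto-whitelisted sender that passes SPF bypasses everything. This is
    # exactly the weak point the post names: a zombie on that host sails through.
    if conn.spf_result == "pass" and conn.mail_from.lower() in whitelist:
        return "ACCEPT"
    # Non-suspicious mail is never greylisted, so legitimate senders see no delay.
    if not is_suspicious(conn, blacklist):
        return "ACCEPT"
    triplet = (conn.client_ip, conn.mail_from.lower(), conn.rcpt_to.lower())
    return greylist.check(triplet, now)


def run_scenario():
    """Constructed traffic: a clean host, a whitelisted friend, and a zombie
    with a forged sender that retries twice. Returns the list of verdicts."""
    whitelist = {"alice@example.com"}           # auto-whitelist contents (constructed)
    blacklist = {"203.0.113.9"}                  # simulated aggressive-DNSBL hit
    gl = Greylist()
    me = "me@client.example"
    legit = Connection("198.51.100.10", "mail.example.net", "mail.example.net",
                       "bob@example.net", me, "none")
    friend = Connection("192.0.2.5", "mx.example.com", "mx.example.com",
                        "alice@example.com", me, "pass")
    zombie = Connection("203.0.113.77", "[203.0.113.77]", "",
                        "forged@example.org", me, "fail")
    return [
        decide(legit, whitelist, blacklist, gl, now=0),     # no greylist penalty
        decide(friend, whitelist, blacklist, gl, now=0),    # whitelisted + SPF pass
        decide(zombie, whitelist, blacklist, gl, now=0),    # first try: deferred
        decide(zombie, whitelist, blacklist, gl, now=60),   # retries too soon
        decide(zombie, whitelist, blacklist, gl, now=600),  # retries after delay
    ]


if __name__ == "__main__":
    print(run_scenario())
```

Most zombies never retry after a 4xx, so the third verdict is where they drop out; the fifth line shows what a well-behaved MTA (or a patient zombie) gets after the delay, which is why the DSpam stage still sits behind this check rather than being replaced by it.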