Jason Haar wrote:

> So how do we fix this situation?


Peridoically there are a lot of bounces (especially to me and the=20
another sysadmin), but SA catches almost all of it.

> What about getting SA to "detach" the=20
> associated bounced message as a separate message and score that instead=

?

I do that with MIMEDefang here.

Wehenever a message is flagged with ANY_BOUNCE_MESSAGE by SA=20
(VBounce), the filter tries to extract the original message and=20
then run that through SA. The filter then uses the higher of the=20
two scores when deciding what to do with the message.

During my initial tests this did catch more bounce back spam, but=20
I haven't any numbers so I don't really know if it still has merit.

Besides this, bayes helps with some of the bounces, and I've just=20
added a rule that checks for messages that are flagged with=20
ANY_BOUNCE_MESSAGE *and* sent from a relay listed in=20
"backscatterer.org". I don't yet know if this rule will turn out=20
to be a good one or not.

Regards
/Jonas
--=20
Jonas Eckerman, FSDB & Frukttr=C3=A4det
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/