Re: HELP!! spamassasssin killing my server - SpamAssassin


  1. Re: HELP!! spamassasssin killing my server


    > Consequently I disabled the checks. Now, using spamhaus.org and spamcop
    > the overload has disappeared.


    Be careful with using the Spamcop blacklist to reject messages -- while it
    is perfectly fine as a blacklist to use in a scoring scheme such as
    SpamAssassin, I found it to have too many false positives to use it for
    outright blocking.

    If you use it for blocking, then you should consider complementing your
    setup with a whitelist _on the MTA level_.

    -- Matthias


  2. Re: HELP!! spamassasssin killing my server

    > > Consequently I disabled the checks. Now, using spamhaus.org and spamcop
    > > the overload has disappeared.


    On 12.06.08 10:16, Matthias Leisi wrote:
    > Be careful with using the Spamcop blacklist to reject messages -- while it
    > is perfectly fine as a blacklist to use in a scoring scheme such as
    > SpamAssassin, I found it to have too many false positives to use it for
    > outright blocking.


    otoh, SpamCop is probably the most effective in detecting spam outbreaks. It
    only lists machines that spammed in the last 48 hours and it lists them very soon.

    According to SpamCop, it's designed to be used for temporary rejects (IIRC).
    However I think this way people would get much of the spam, only later, when
    the machine is not listed (but the spam may still be in the queue), even
    without increased score (because the machine is not in the queue).

    In such a case we can only hope that the spam will be caught by DCC, RAZOR,
    PYZOR, URIBLs and some others.

    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Warning: I do NOT want to receive any advertising mail at this address.
    Linux IS user friendly, it's just selective who its friends are...


  3. Re: HELP!! spamassasssin killing my server

    Matthias Leisi wrote:
    > Be careful with using the Spamcop blacklist to reject messages -- while it
    > is perfectly fine as a blacklist to use in a scoring scheme such as
    > SpamAssassin, I found it to have too many false positives to use it for
    > outright blocking.
    >
    > If you use it for blocking, then you should consider complementing your
    > setup with a whitelist _on the MTA level_.
    >

    Matthias,

    At some point around spring of 2007, SpamCop made dramatic improvements
    with regards to FPs.

    Al Iverson details this here:

    http://www.dnsbl.com/2007/05/spamcop...-accurate.html

    Therefore, when you said, "too many false positives", are you referring
    to FPs from *before* that transformation of SpamCop? Or, are these
    *recent* FPs, spotted after that transformation?

    (Also, I'm not trying to argue... just trying to learn... and seeking
    clarity!)

    Rob McEwen


  4. Re: HELP!! spamassasssin killing my server


    Rob McEwen wrote:

    > http://www.dnsbl.com/2007/05/spamcop...-accurate.html
    >
    > Therefore, when you said, "too many false positives", are you referring
    > to FPs from *before* that transformation of SpamCop? Or, are these
    > *recent* FPs, spotted after that transformation?


    It's twofold:

    On my private mailserver, there is some older (definitely pre-2007)
    history of FPs (and since then I only use it in SA context there).

    On the company mailserver, we take a very conservative approach, and
    only Spamhaus SBL+XBL are used at the MTA level. I run a daily report
    similar to SA's own masscheck reports; there, I see quite an overlap
    between the Spamcop BL rule and e.g. local whitelisting rules (based on
    whitelist_from_rcvd, content-based whitelisting rule and [to a limited
    degree] RCVD_IN_DNSWL_NONE/_LOW rules).

    Just to be very clear: I value the Spamcop BL very much, and it is very
    effective. However, it has too high an FP rate in my environment in order
    to safely use it on the MTA.

    I'll see whether I can grab some extract of it tomorrow and post it here.

    > (Also, I'm not trying to argue... just trying to learn... and seeking
    > clarity!)


    Seconded

    -- Matthias
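
A sketch of the kind of daily overlap report described in the post above, added here as an illustration; it is not the poster's script. It assumes spamd's `result:` syslog lines as input, the log lines are constructed samples, and `LOCAL_WL_CONTENT` is a hypothetical name for a site-local content-based whitelisting rule.

```python
import re
from collections import Counter

# spamd "result:" line: verdict flag (Y = spam, . = ham), score, rules hit.
RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+) - (?P<rules>\S*) scantime=")

BL_RULE = "RCVD_IN_BL_SPAMCOP_NET"
# Whitelist-type rules to compare against. USER_IN_WHITELIST is the rule hit by
# whitelist_from_rcvd entries; LOCAL_WL_CONTENT is a hypothetical local rule.
WL_RULES = {"USER_IN_WHITELIST", "RCVD_IN_DNSWL_NONE",
            "RCVD_IN_DNSWL_LOW", "LOCAL_WL_CONTENT"}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Jun 12 09:01:11 mx spamd[411]: spamd: result: Y 14 - BAYES_99,RCVD_IN_BL_SPAMCOP_NET,URIBL_BLACK scantime=1.9,size=3010,user=a
Jun 12 09:02:40 mx spamd[411]: spamd: result: . -97 - RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_LOW,USER_IN_WHITELIST scantime=1.1,size=8841,user=b
Jun 12 09:03:02 mx spamd[412]: spamd: result: . 0 - BAYES_00,HTML_MESSAGE scantime=0.8,size=2200,user=a
Jun 12 09:04:15 mx spamd[412]: spamd: result: . 1 - LOCAL_WL_CONTENT,RCVD_IN_BL_SPAMCOP_NET scantime=1.4,size=5120,user=c
Jun 12 09:05:00 mx spamd[412]: spamd: connection from localhost [127.0.0.1] at port 40112
Jun 12 09:05:30 mx spamd[413]: spamd: result: Y 9 - RCVD_IN_BL_SPAMCOP_NET,RAZOR2_CHECK scantime=2.2,size=1900,user=b
""".splitlines()

def overlap_report(lines):
    """Count SpamCop BL hits and how many coincide with whitelist rules."""
    scanned = bl_hits = bl_ham = bl_and_wl = 0
    per_rule = Counter()
    for line in lines:
        m = RESULT_RE.search(line)
        if not m:
            continue  # not a scan result line
        scanned += 1
        rules = set(filter(None, m.group("rules").split(",")))
        if BL_RULE not in rules:
            continue
        bl_hits += 1
        bl_ham += m.group("flag") == "."
        wl = rules & WL_RULES
        if wl:
            bl_and_wl += 1  # an MTA-level reject on this list would have bounced it
            per_rule.update(wl)
    return {"scanned": scanned, "bl_hits": bl_hits, "bl_hits_ham": bl_ham,
            "bl_and_whitelisted": bl_and_wl, "per_rule": dict(per_rule)}

if __name__ == "__main__":
    print(overlap_report(SAMPLE_LOG))
```

The `bl_and_whitelisted` count is the figure that matters when deciding between scoring and outright blocking: each such message would have been rejected at the MTA before the whitelist rules ever ran.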


  5. Re: HELP!! spamassasssin killing my server

    On 12.06.08 18:51, Matthias Leisi wrote:
    > On the company mailserver, we take a very conservative approach, and
    > only Spamhaus SBL+XBL are used at the MTA level.


    you should switch to ZEN in such case, SBL+XBL is obsolete now.

    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Warning: I do NOT want to receive any advertising mail at this address.
    "They say when you play that M$ CD backward you can hear satanic messages."
    "That's nothing. If you play it forward it will install Windows."


  6. Re: HELP!! spamassasssin killing my server


    Matus UHLAR - fantomas wrote:
    > On 12.06.08 18:51, Matthias Leisi wrote:
    >> On the company mailserver, we take a very conservative approach, and
    >> only Spamhaus SBL+XBL are used at the MTA level.
    >
    > you should switch to ZEN in such case, SBL+XBL is obsolete now.


    We use a local feed, so querying SBL and XBL separately is not an issue.
    For some obscure non-technical reason, we can currently not switch to
    anything else (nor do we really need to, since queries only run local).

    -- Matthias


  7. Re: HELP!! spamassasssin killing my server

    > Matus UHLAR - fantomas wrote:
    > > On 12.06.08 18:51, Matthias Leisi wrote:
    > > > On the company mailserver, we take a very conservative approach, and
    > > > only Spamhaus SBL+XBL are used at the MTA level.
    > >
    > > you should switch to ZEN in such case, SBL+XBL is obsolete now.


    On 13.06.08 18:49, Matthias Leisi wrote:
    > We use a local feed, so querying SBL and XBL separately is not an issue.
    > For some obscure non-technical reason, we can currently not switch to
    > anything else (nor do we really need to, since queries only run local).


    When people use "sbl+xbl", I guess they mean "sbl-xbl.spamhaus.org"
    blacklist. If you query them separately, it's something different of course.
    However you are then missing PBL which is another part of zen.
    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Warning: I do NOT want to receive any advertising mail at this address.
    Nothing is fool-proof to a talented fool.

