Receiver Based Spam Scoring - SpamAssassin


Thread: Receiver Based Spam Scoring

  1. Receiver Based Spam Scoring

    Is there a Linux based equivalent to the abaca system of using spam scores
    of people who get the most spam and then judging emails based on that
    aggregate number?

    Brent Kennedy, MCSE, MCDBA, Linux+
    Web Developer/Networking and Systems Engineer




  2. Re: Receiver Based Spam Scoring

    So, the more pissed off a user is that his email is getting blocked, the
    more you want to block?

    I SORTA understand the (mis-understanding) that recipient based reputation
    filtering can do, why not just use a daily (nightly) adjustment of user
    based policies, see something like amavisd-new. Set normal policies for
    normal people. If people get lots of quarantined spam, lower their spam
    score threshold (and quarantine more)

    Sounds like it might be a messy feedback loop there.. The more cocaine you
    do, the more you want? Something like that?

    --
    Michael Scheidell, CTO
    >|SECNAP Network Security

    Winner 2008 Network Products Guide Hot Companies
    FreeBSD SpamAssassin Ports maintainer



    __________________________________________________ _______________________
    This email has been scanned and certified safe by SpammerTrap(r).
    For Information please see http://www.spammertrap.com
    __________________________________________________ _______________________


  3. RE: Receiver Based Spam Scoring

    As far as I know, I can't set per user rules. I run postfix piped to
    spamassassin then to an exchange server. I was thinking more along the
    lines of a database which applies a rule based on a recipient algorithm.

    Yesterday I turned on SQLGrey and saw the spam level drop overnight but that
    isn't going to work for everyone, some people need all their emails right
    away, but they want filtering and no spam, but don't like pulling emails out
    of a junk email folder ( ARGH! ). How long before graylisting doesn't work
    anymore?

    _____

    From: Michael Scheidell [mailto:scheidell@secnap.net]
    Sent: Thursday, August 07, 2008 3:38 PM
    To: Brent Kennedy; users@spamassassin.apache.org
    Subject: Re: Receiver Based Spam Scoring


    So, the more pissed off a user is that his email is getting blocked, the
    more you want to block?

    I SORTA understand the (mis-understanding) that recipient based reputation
    filtering can do, why not just use a daily (nightly) adjustment of user
    based policies, see something like amavisd-new. Set normal policies for
    normal people. If people get lots of quarantined spam, lower their spam
    score threshold (and quarantine more)

    Sounds like it might be a messy feedback loop there.. The more cocaine you
    do, the more you want? Something like that?

    --
    Michael Scheidell, CTO
    >|SECNAP Network Security

    Winner 2008 Network Products Guide Hot Companies
    FreeBSD SpamAssassin Ports maintainer







  4. Re: Receiver Based Spam Scoring

    Brent Kennedy wrote:
    > As far as I know, I can't set per user rules. I run postfix piped to
    > spamassassin then to an exchange server. I was thinking more along
    > the lines of a database which applies a rule based on a recipient
    > algorithm.
    >
    > Yesterday I turned on SQLGrey and saw the spam level drop overnight
    > but that isn't going to work for everyone, some people need all their
    > emails right away, but they want filtering and no spam, but don't like
    > pulling emails out of a junk email folder ( ARGH! ). How long before
    > graylisting doesn't work anymore?
    >

    now...

    spammers have programmed their 'botnets' to send out duplicate spam in
    15 min intervals.
    all greylisting does is slow things down.

    for per user, look at amavisd-new


    --
    Michael Scheidell, President
    Main: 561-999-5000, Office: 561-939-7259
    > *| *SECNAP Network Security Corporation


    * Certified SNORT Integrator
    * Everything Channel Hot Product of 2008
    * Shaping Information Security Award 2008
    * CRN Magazine Top 40 Emerging Security Vendors




  5. RE: Receiver Based Spam Scoring





    > now...
    >
    > spammers have programmed their 'botnets' to send out duplicate spam in 15
    > min intervals.
    > all greylisting does is slow things down.
    >
    > for per user, look at amavisd-new
    > --
    > Michael Scheidell, President

    Michael

    Do you use greylisting at all?

    If we may know, what other pre pipe to SA tools do you use?

    - rh



  6. Re: Receiver Based Spam Scoring

    Robert - elists wrote:

    > Do you use greylisting at all?


    I do and it works well. This is not to dispute Michael's claim about
    "smarter" botnets; just offering another experience.

    > If we may know, what other pre pipe to SA tools do you use?


    Not all mail is greylisted before SA; instead, only those messages from
    frequent spammer TLDs, Windows machines (as identified by p0f which is
    not *always* right), client IPs without reverse DNS, and IPs listed on
    more than one R(HS)BL. Before that, Postfix rejects the following
    (lifted from posts on the mailing list) at EHLO/HELO:

    /^\[[[:digit:]\.]*\]$/ REJECT Literal HELO IPs prohibited.
    /\d+([-\.]\d+){3}/ REJECT Please use your ISP's SMTP server.

    The second PCRE, aimed at identifying generic/residential hostnames,
    stops a lot of UCE well before greylisting or SA get involved.

    --
    Sahil Tandon
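
The two EHLO/HELO patterns quoted in the last post can be checked against sample names before they go into a live table, which shows both what they catch and where they reject legitimate hosts. This is an added example, not part of the original thread; the function names and every HELO string are constructed, and `DUNNO` stands in for "no rule matched".

```python
import re

# The two EHLO/HELO patterns from the post. Python's re module has no POSIX
# classes, so [[:digit:]] is written as \d (with re.ASCII); the meaning is
# unchanged. Postfix pcre tables match case-insensitively by default and use
# the first matching rule, which check_helo() reproduces.
FLAGS = re.IGNORECASE | re.ASCII
HELO_RULES = [
    (re.compile(r"^\[[\d.]*\]$", FLAGS),
     "REJECT Literal HELO IPs prohibited."),
    (re.compile(r"\d+([-.]\d+){3}", FLAGS),
     "REJECT Please use your ISP's SMTP server."),
]

def check_helo(name):
    """Return the action of the first matching rule, or 'DUNNO' if none match."""
    for pattern, action in HELO_RULES:
        if pattern.search(name):
            return action
    return "DUNNO"

# Constructed HELO names (documentation IP ranges and example domains).
SAMPLES = [
    "[192.0.2.10]",                   # bracketed IPv4 literal
    "192.0.2.10",                     # bare IPv4 address
    "203-0-113-55.dsl.example.net",   # generic residential-style name
    "mail.example.org",               # ordinary mail server name
    "mx-198-51-100-7.example.com",    # legitimate host named after its IP
    "[IPv6:2001:db8::1]",             # IPv6 literal, covered by neither rule
]

def classify(samples=SAMPLES):
    """Map each sample HELO name to the action the rules would return."""
    return {name: check_helo(name) for name in samples}

if __name__ == "__main__":
    for name, action in classify().items():
        print(f"{name:32} {action}")
```

The second pattern is unanchored, so it also rejects properly configured servers whose hostname embeds their address; such senders need an explicit exception ahead of it in the table.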

