[Mimedefang] Blocking e-mail where the To does not match the envelope To
Rich West
Rich.West at wesmo.com
Thu Aug 29 21:06:01 EDT 2002
What I personally have found as the 'best' solution is what was recently
suggested on the list. Alter your filter such that IF a message is
detected as spam and IF the score is TWICE what the required score to be
tagged as spam is, THEN bounce it.

For example, if your threshold is a score of 10, which is the default, I
believe, you are probably like the rest of us and see a fair number of
false positives and false negatives... this will always be the case.
However, if you receive a message with a score of 20 or greater, then
you can feel confident that it is most definitely spam (if you get a
false positive that high, well, it would take a bit of work. :) and
subsequently reject it.

By doing that at two of our sites, we saw the amount of spam reduced
significantly. One user came to me and actually asked if we changed
anything because their filter for the "X-Spam-Status: Yes" only picked
up 4 messages when it usually picked up greater than 30.

A snippet from my filter looks like:

...
    # Spam checks if SpamAssassin is installed
    if ($Features{"SpamAssassin"}) {
        if (-s "./INPUTMSG" < 100*1024) {
            # Only scan messages smaller than 100kB. Larger messages
            # are extremely unlikely to be spam, and SpamAssassin is
            # dreadfully slow on very large messages.
            my($hits, $req, $names, $report) = spam_assassin_check();
            if ($hits >= $req) {
                if ($hits >= ($req*2.0)) {
                    # Score is at least twice the threshold: keep a
                    # quarantined copy and reject the message.
                    action_quarantine_entire_message();
                    return action_bounce("Message Detected As SPAM - Delivery Denied");
                }
                # We add a header which looks like this:
                #    X-Spam-Warning: This message is SPAM
                # making it easy for MUA's to filter on the SPAM.
                action_add_header("X-Spam-Warning", "This message is SPAM");
                action_add_part($entity, "text/plain", "-suggest",
                                "$report\n",
                                "SpamAssassinReport.txt", "inline");
            }
        }
    }
...

-Rich
Jon Kenoyer wrote:
>Thanks all for clarifying the interaction between envelope and the
>e-mail fields. We already run spamassassin and the e-mail was flagged
>as spam, but due to the false positives that are returned I can not
>simply bounce e-mails marked as spam. Perhaps redirecting e-mails if
>the spam assassin results contain the Porn marker would be a better
>solution.
>
>-----Original Message-----
>From: Sidney Markowitz [mailto:sidney at sidney.com]
>Sent: Thursday, August 29, 2002 10:16 AM
>To: mimedefang at lists.roaringpenguin.com
>Subject: Re: [Mimedefang] Blocking e-mail where the To does not match
>the envelope To
>
>
>Jon Kenoyer <jonk at otsi.com> asked:
>
>
>>Could I add a rule to discard e-mails where the To does not match the
>>actual recipients. If so could someone post a quick sample?
>>Are there cases where this could block legitimate e-mails?
>>
>>
>
>Here are some headers from the above mail I received from you:
>
> From: "Jon Kenoyer" <jonk at otsi.com>
> To: <mimedefang at lists.roaringpenguin.com>
>
>My MTA doesn't insert the envelope recipient in most cases, but I can assure
>you that it could not have been mimedefang at lists.roaringpenguin.com
>
>In any case in which you are on a Bcc list, which is typically the case in a
>mailing list, your address will not show up in the To or Cc headers.
>
>Anyway, if you are interested in rules for detecting spam I suggest that you
>just download SpamAssassin. It already works with MimeDefang and benefits
>from lots of people putting together hundreds of rules that can come up with
>an aggregate score to filter spam from nonspam.
>
> -- sidney
>
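
The two ideas in this thread side by side, as an added example that is not part of the original posts or of MIMEDefang: a To/Cc-versus-envelope mismatch check, which also fires on ordinary list and Bcc mail, next to the score tiers described above (tag at the threshold, reject at twice it). All addresses, messages and scores are constructed, the function names are hypothetical, and the threshold of 10 follows the post's example.

```python
from email import message_from_string
from email.utils import getaddresses

def header_recipients(raw):
    """Addresses named in the To and Cc headers, lower-cased."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _name, addr in getaddresses(fields) if addr}

def unlisted_recipients(raw, envelope_rcpts):
    """Envelope (RCPT TO) recipients that appear in neither To nor Cc."""
    listed = header_recipients(raw)
    return sorted(r.lower() for r in envelope_rcpts if r.lower() not in listed)

def disposition(hits, req):
    """Score tiers from the post: reject at twice the threshold, tag at it."""
    if hits >= 2 * req:
        return "reject"
    if hits >= req:
        return "tag"
    return "deliver"

# Constructed samples: (label, raw message, envelope recipients, spam score)
SAMPLES = [
    ("list post",
     "From: poster@example.net\nTo: users@lists.example.org\n\nbody\n",
     ["subscriber@example.com"], 1.2),
    ("bcc from colleague",
     "From: boss@example.com\nTo: team@example.com\n\nbody\n",
     ["subscriber@example.com"], 0.5),
    ("direct mail, borderline score",
     "From: shop@example.net\nTo: Subscriber <subscriber@example.com>\n\nbody\n",
     ["subscriber@example.com"], 12.0),
    ("bulk spam",
     "From: offers@example.net\nTo: friend@example.invalid\n\nbody\n",
     ["subscriber@example.com"], 23.5),
]

def triage(samples, req=10.0):
    """Return (label, header/envelope mismatch?, score-based disposition)."""
    return [(label, bool(unlisted_recipients(raw, rcpts)), disposition(hits, req))
            for label, raw, rcpts, hits in samples]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

The mismatch flag is true for the list post and the Bcc'd message as well as for the spam, so a discard rule keyed on it would drop both legitimate messages, while the score tiers reject only the high-scoring one.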