[Mimedefang] Cool MIMEDefang/SpamAssassin trick...

Mark Roedel MarkRoedel at letu.edu
Fri Feb 22 17:29:33 EST 2002


> -----Original Message-----
> From: David F. Skoll [mailto:dfs at roaringpenguin.com] 
> Sent: Friday, February 22, 2002 3:07 PM
> To: mimedefang at lists.roaringpenguin.com
> Subject: Re: [Mimedefang] Cool MIMEDefang/SpamAssassin trick...
> 
> 
> On Fri, 22 Feb 2002, Mark Roedel wrote:
> 
> > What I wound up doing instead was to create an X-Spam-Level 
> > header that contains a string of *'s equivalent to the integer
> > part of the SpamAssassin score.
> 
> That's cool, although I would clamp it at a reasonable value (30,
> say.)  Otherwise some perverse soul might craft a message which gets
> as high a score as possible. :-) I wonder what that would be...

I work with one of those.  The highest he's managed to construct so far
scored somewhere in the high 40's.

Thanks for the suggestion of setting some sort of ceiling, though.  That
does seem like a good idea.  (And he can still play his
building-the-spammiest-spam-possible game anyway, since I do include the
score along with the X-Spam-Warning header...)

> I have an idea for a very nice anti-spam architecture.  I want to
> add code which, when a message is considered spam, sends an SMTP 
> temporary-failure code to the sender:

I like it!  We've had a couple of other scenarios proposed here where
something along the lines of a "hold pending approval" action might have
come in useful.

> 	451 4.7.2 Message appears to be spam; awaiting human verification
> 
> The SHA1 hash of the first 100 lines of the message body is 
> used as a key into a database (could be a real database; could
> be file/directory based)  We store the relay IP address, relay
> name, message subject and first few kB of the message in the
> database.  A cron job clears out old entries periodically.

Presumably the MSGID header goes in there someplace as well?

> Then we have a nice Web-based front-end which lets the admin 
> glance over the SPAM of the day and either:
> 
> - Reject the message as SPAM.  It will be permanently 
> rejected with a 551 message on the next attempt.

...and optionally reported to Vipul's Razor and/or similar services?

> It has one very serious drawback and a few minor ones:
> 
> [snip]
> 
> - Some poor sucker has to browse the spam trap. :-)

Poor sucker indeed.  Using a score of 5 as a threshold, the trap
would've accumulated almost 1900 messages here yesterday.  Ouchie.  (Of
course, that could be mitigated somewhat if the hold-for-approval action
isn't called for every message that scores >= 5.  An individual site
might only call that action for messages over a higher threshold, for
example, or for messages that triggered particular SA tests...)

Overall, though, it seems to me like an interesting plan...if it didn't
affect performance too much, and if the housekeeping didn't start
ballooning out of control, we'd probably use it here.  :)


---
Mark Roedel           | "The fix is only temporary...
Systems Programmer    |            unless it works."
LeTourneau University |
Longview, Texas  USA  |                 -- Red Green
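
The clamped X-Spam-Level header and the hold-pending-approval flow discussed in this thread, as an added example that is not part of the original post and is not MIMEDefang code. It is a standalone Python model; the names `spam_level`, `body_key` and `HoldQueue`, the five-day retention, and the 551/250 reply texts are assumptions, while the 451 text, the SHA1-of-first-100-lines key, the ceiling of 30 and the threshold of 5 come from the thread.

```python
import hashlib
import time

MAX_STARS = 30            # ceiling suggested in the thread
HOLD_TTL = 5 * 86400      # assumed retention (seconds) before cleanup drops an entry
REPLIES = {               # 451 text is from the thread; the other texts are constructed
    "pending": "451 4.7.2 Message appears to be spam; awaiting human verification",
    "rejected": "551 Message rejected as spam",
    "approved": "250 Message accepted",
}

def spam_level(score, ceiling=MAX_STARS):
    """X-Spam-Level value: one '*' per whole point of score, clamped to ceiling."""
    return "*" * max(0, min(int(score), ceiling))

def body_key(body):
    """SHA1 hex digest of the first 100 lines of the message body."""
    head = "".join(body.splitlines(keepends=True)[:100])
    return hashlib.sha1(head.encode("utf-8", "replace")).hexdigest()

class HoldQueue:
    def __init__(self, threshold=5.0):
        self.threshold = threshold
        self.entries = {}     # key -> stored details plus the admin's decision

    def check(self, body, score, relay_ip, subject, now=None):
        """Return the SMTP reply for one delivery attempt."""
        if score < self.threshold:
            return REPLIES["approved"]
        now = time.time() if now is None else now
        entry = self.entries.setdefault(body_key(body), {
            "state": "pending", "relay_ip": relay_ip, "subject": subject,
            "excerpt": body[:4096], "first_seen": now})
        return REPLIES[entry["state"]]

    def decide(self, key, approve):
        """Record the admin's verdict; the next retry gets 250 or 551."""
        self.entries[key]["state"] = "approved" if approve else "rejected"

    def expire(self, now=None):
        """Cleanup pass (the cron job): drop entries older than HOLD_TTL."""
        now = time.time() if now is None else now
        old = [k for k, e in self.entries.items() if now - e["first_seen"] > HOLD_TTL]
        for k in old:
            del self.entries[k]
        return len(old)

if __name__ == "__main__":
    q = HoldQueue()
    msg = "Buy now!\n" * 120                            # constructed sample body
    print(q.check(msg, 12.4, "192.0.2.10", "Offer"))    # first attempt
    q.decide(body_key(msg), approve=False)
    print(q.check(msg, 12.4, "192.0.2.10", "Offer"))    # retry after the verdict
```

Because the key covers only body content, one verdict applies to every later message whose first 100 lines match, whichever relay delivers it.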


