[Mimedefang] What to do w/ SPAM?

Tony Nugent tony at linuxworks.com.au
Sat Sep 21 20:28:01 EDT 2002


On Sat Sep 21 2002 at 16:58, "Ashley M. Kirchner" wrote:

>     It's 11pm.  Do you know where your SPAM is?  And I'm not
> referring to Stuff Posing As Meat.  I'm referring to email SPAM.

:-)))

>     Seriously, what do people do with this stuff?
> action_discard()?  action_bounce()?   I don't know how well

 [ ... ]

>     What do you do?

What I do?

If it rates over 7.0 but below 9.0 (arbitrary and experimental), the
Subject line gets changed to add "[SPAM 8.3]" (8.3 being the score)
to warn the recipient(s), the incident is syslog'ed, and the message
is delivered as usual.

If it rates over 9.0, then the recipient list is deleted and
replaced to end up in a "spammer" account mailbox.  The recipients
get nothing, but it still allows collection of the spam (and also
"dead" viruses) where they can be reviewed.

I'm toying with the idea that if it rates over, say 15 or so, then
it will be rejected outright for delivery... nothing gets delivered,
and the remote relay then has the problem of dealing with what to do
with the reject.

I also have a (small) relay blacklist (and a whitelist too of
course), I'll soon add orbs checks, and these will also all be
bounced outright as delivery refused.  I'm also considering
rejecting any email with text/html that has no corresponding
text/plain part (although I want to be careful about this).

The "spammer" account idea works really well... it is a
"multi-access" mailbox where a number of people in the office(s) it
services have imap access to it.  Nothing is lost, and anything
trapped that is not real spam is still recoverable.

  And I must say that the latest version of spamassassin has had NO
  false positives since I upgraded it (although I do have a
  whitelist that would have caught quite a few).  Very impressed.
  In fact, a spam confidence score of 7.0 rather than my upper level
  of 9.0 would have caught all of them with only ONE false positive
  (and that was an email from McAfee promoting their own anti-spam
  product!!! :-))

On one server, the spamtrap has caught over 250 email spams in less
than a month (and around 50 or so viruses).

BTW, using syslog to record events like this is very useful... each
night/week/whatever I run some simple greps and sed's over the
maillog files to generate statistics on what has been happening.

I'm sure you'll get lots more ideas from others here.

Cheers
Tony
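
Added example, not part of the message above and not the poster's own filter: a mimedefang-filter fragment in Perl that applies the three score bands he describes (tag over 7.0, trap mailbox over 9.0, reject over 15), logging each decision through syslog. The trap address and the log message wording are placeholders chosen for the example; the function and variable names are MIMEDefang's standard filter API.

```perl
# Fragment for mimedefang-filter (illustrative example).
# Thresholds are the ones quoted in the post; "over" is read as strictly greater.
my $TAG_OVER    = 7.0;    # tag Subject, deliver as usual
my $TRAP_OVER   = 9.0;    # replace recipients with the trap mailbox
my $REJECT_OVER = 15.0;   # refuse the message at SMTP time
my $TRAP_RCPT   = '<spamtrap@example.invalid>';   # placeholder address

sub filter_end {
    my ($entity) = @_;

    # Do nothing if an earlier check (virus scan, blacklist) already
    # rejected the message, or if SpamAssassin is not installed.
    return if message_rejected();
    return unless $Features{"SpamAssassin"};

    my ($hits, $req, $names, $report) = spam_assassin_check();
    return unless defined $hits;
    my $score = sprintf("%.1f", $hits);

    if ($hits > $REJECT_OVER) {
        md_syslog('warning', "spam score=$score action=reject relay=$RelayAddr");
        action_bounce("Message refused: identified as spam");
        return;
    }

    if ($hits > $TRAP_OVER) {
        md_syslog('warning', "spam score=$score action=trap relay=$RelayAddr");
        # Original recipients get nothing; the message is kept for review.
        delete_recipient($_) for @Recipients;
        add_recipient($TRAP_RCPT);
        return;
    }

    if ($hits > $TAG_OVER) {
        md_syslog('warning', "spam score=$score action=tag relay=$RelayAddr");
        action_change_header('Subject', "[SPAM $score] $Subject");
    }
}

1;   # a filter file must return a true value
```

action_bounce() makes the milter refuse the message during the SMTP transaction, so the sending relay handles the failure and the local server generates no bounce mail to a possibly forged sender. The fixed key=value form of the syslog lines keeps them easy to count with grep over the maillog.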


