[Mimedefang] What to do w/ SPAM?

Adam Beatham adam at backboard.org
Mon Sep 23 13:20:01 EDT 2002


Dave,

I (for one) would be interested in the perl code to analyze the log...

thanks!
-adam
At 09:55 AM 9/23/2002 -0700, you wrote:

>then parse the log for each user to a tmpfile and send it to the users.
>
>If you want the code I'll send to you - about 300 lines of perl code.
>Dave S.
>
>
>Tony Nugent wrote:
> >
> > On Sat Sep 21 2002 at 16:58, "Ashley M. Kirchner" wrote:
> >
> > >     It's 11pm.  Do you know where your SPAM is?  And I'm not
> > > referring to Stuff Posing As Meat.  I'm referring to email SPAM.
> >
> > :-)))
> >
> > >     Seriously, what do people do with this stuff?
> > > action_discard()?  action_bounce()?   I don't know how well
> >
> >  [ ... ]
> >
> > >     What do you do?
> >
> > What I do?
> >
> > If it rates over 7.0 but below 9.0 (arbitrary and experimental), the
> > Subject line gets changed to add "[SPAM 8.3]" (8.3 being the score)
> > to warn the recipient(s), the incident is syslog'ed, and the message
> > is delivered as usual.
> >
> > If it rates over 9.0, then the recipient list is deleted and
> > replaced to end up in a "spammer" account mailbox.  The recipients
> > get nothing, but it still allows collection of the spam (and also
> > "dead" viruses) where they can be reviewed.
> >
> > I'm toying with the idea that if it rates over, say 15 or so, then
> > it will be rejected outright for delivery... nothing gets delivered,
> > and the remote relay then has the problem of dealing with what to do
> > with the reject.
> >
> > I also have a (small) relay blacklist (and a whitelist too of
> > course), I'll soon add orbs checks, and these will also all be
> > bounced outright as delivery refused.  I'm also considering
> > rejecting any email with text/html that has no corresponding
> > text/plain part (although I want to be careful about this).
> >
> > The "spammer" account idea works really well... it is a
> > "multi-access" mailbox where a number of people in the office(s) it
> > services have imap access to it.  Nothing is lost, and anything
> > trapped that is not real spam is still recoverable.
> >
> >   And I must say that the latest version of spamassassin has had NO
> >   false positives since I upgraded it (although I do have a
> >   whitelist that would have caught quite a few).  Very impressed.
> >   In fact, a spam confidence score of 7.0 rather than my upper level
> >   of 9.0 would have caught all of them with only ONE false positive
> >   (and that was an email from McAfee promoting their own anti-spam
> >   product!!! :-))
> >
> > On one server, the spamtrap has caught over 250 email spams in less
> > than a month (and around 50 or so viruses).
> >
> > BTW, using syslog to record events like this is very useful... each
> > night/week/whatever I run some simple greps and sed's over the
> > maillog files to generate statistics on what has been happening.
> >
> > I'm sure you'll get lots more ideas from others here.
> >
> > Cheers
> > Tony
> > _______________________________________________
> > MIMEDefang mailing list
> > MIMEDefang at lists.roaringpenguin.com
> > http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

-adam, the guy behind the guy behind the guy
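
The three score tiers Tony describes in the quoted message, written as a filter_end hook for a mimedefang-filter file. This is an added example, not code posted in this thread or shipped with MIMEDefang. The trap address, the log line layout and the use of strict "greater than" at each threshold are assumptions, and md_syslog needs a MIMEDefang release that provides it.

```perl
# Added example for a mimedefang-filter file; not code from this thread.
my $TAG_SCORE    = 7.0;     # above this: tag the Subject, log, deliver
my $TRAP_SCORE   = 9.0;     # above this: divert to the shared trap mailbox
my $REJECT_SCORE = 15.0;    # above this: refuse the message at SMTP time
my $TRAP_ADDR    = '<spammer@example.com>';   # hypothetical trap mailbox

sub filter_end {
    my ($entity) = @_;

    # Nothing to score with if SpamAssassin was not detected at startup.
    return unless $Features{"SpamAssassin"};

    my ($hits, $req, $names, $report) = spam_assassin_check();
    return unless defined $hits;

    my $score = sprintf("%.1f", $hits);
    my $rcpts = join(",", @Recipients);

    if ($hits > $REJECT_SCORE) {
        # Highest tier: fail the SMTP transaction so the sending relay
        # has to deal with the message.
        md_syslog('warning',
            "spam score=$score action=reject relay=$RelayAddr rcpt=$rcpts");
        action_bounce("Message refused: identified as spam (score $score)");
    }
    elsif ($hits > $TRAP_SCORE) {
        # Middle tier: drop every original recipient and deliver one copy
        # to the trap mailbox, where it can still be reviewed and recovered.
        md_syslog('warning',
            "spam score=$score action=trap relay=$RelayAddr rcpt=$rcpts");
        delete_recipient($_) foreach @Recipients;
        add_recipient($TRAP_ADDR);
    }
    elsif ($hits > $TAG_SCORE) {
        # Lowest tier: warn the recipient in the Subject and deliver as usual.
        md_syslog('info',
            "spam score=$score action=tag relay=$RelayAddr rcpt=$rcpts");
        my $subject = defined($Subject) ? $Subject : '';
        action_change_header("Subject", "[SPAM $score] $subject");
    }
}
```

Each branch logs the score, action and recipients on one line, so the nightly grep/sed statistics and a per-user report can both be built from the same maillog entries.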



