[Mimedefang] What to do w/ SPAM?

Philip Clever philip at turquoise.net
Mon Sep 23 13:27:01 EDT 2002


me3!
----- Original Message ----- 
From: "Adam Beatham" <adam at backboard.org>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Monday, September 23, 2002 7:19 AM
Subject: Re: [Mimedefang] What to do w/ SPAM?


> Dave,
> 
> I (for one) would be interested in the perl code to analyze the log...
> 
> thanks!
> -adam
> At 09:55 AM 9/23/2002 -0700, you wrote:
> 
> >then parse the log for each user to a tmpfile and send it to the users.
> >
> >If you want the code I'll send to you - about 300 lines of perl code.
> >Dave S.
> >
> >
> >Tony Nugent wrote:
> > >
> > > On Sat Sep 21 2002 at 16:58, "Ashley M. Kirchner" wrote:
> > >
> > > >     It's 11pm.  Do you know where your SPAM is?  And I'm not
> > > > referring to Stuff Posing As Meat.  I'm referring to email SPAM.
> > >
> > > :-)))
> > >
> > > >     Seriously, what do people do with this stuff?
> > > > action_discard()?  action_bounce()?   I don't know how well
> > >
> > >  [ ... ]
> > >
> > > >     What do you do?
> > >
> > > What I do?
> > >
> > > If it rates over 7.0 but below 9.0 (arbitrary and experimental), the
> > > Subject line gets changed to add "[SPAM 8.3]" (8.3 being the score)
> > > to warn the recipient(s), the incident is syslog'ed, and the message
> > > is delivered as usual.
> > >
> > > If it rates over 9.0, then the recipient list is deleted and
> > > replaced to end up in a "spammer" account mailbox.  The recipients
> > > get nothing, but it still allows collection of the spam (and also
> > > "dead" viruses) where they can be reviewed.
> > >
> > > I'm toying with the idea that if it rates over, say 15 or so, then
> > > it will be rejected outright for delivery... nothing gets delivered,
> > > and the remote relay then has the problem of dealing with what to do
> > > with the reject.
> > >
> > > I also have a (small) relay blacklist (and a whitelist too of
> > > course), I'll soon add orbs checks, and these will also all be
> > > bounced outright as delivery refused.  I'm also considering
> > > rejecting any email with text/html that has no corresponding
> > > text/plain part (although I want to be careful about this).
> > >
> > > The "spammer" account idea works really well... it is a
> > > "multi-access" mailbox where a number of people in the office(s) it
> > > services have imap access to it.  Nothing is lost, and anything
> > > trapped that is not real spam is still recoverable.
> > >
> > >   And I must say that the latest version of spamassassin has had NO
> > >   false positives since I upgraded it (although I do have a
> > >   whitelist that would have caught quite a few).  Very impressed.
> > >   In fact, a spam confidence score of 7.0 rather than my upper level
> > >   of 9.0 would have caught all of them with only ONE false positive
> > >   (and that was an email from McAfee promoting their own anti-spam
> > >   product!!! :-))
> > >
> > > On one server, the spamtrap has caught over 250 email spams in less
> > > than a month (and around 50 or so viruses).
> > >
> > > BTW, using syslog to record events like this is very useful... each
> > > night/week/whatever I run some simple greps and sed's over the
> > > maillog files to generate statistics on what has been happening.
> > >
> > > I'm sure you'll get lots more ideas from others here.
> > >
> > > Cheers
> > > Tony
> > > _______________________________________________
> > > MIMEDefang mailing list
> > > MIMEDefang at lists.roaringpenguin.com
> > > http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
> 
> -adam, the guy behind the guy behind the guy
> 
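
Added example, not part of the thread and not Tony's or Dave's code: the tiered policy from Tony's message (tag above 7.0, trap above 9.0, reject above 15) written as a `filter_end` for a mimedefang-filter file. It assumes the function names of current MIMEDefang releases; the trap address and the `X-Original-Recipients` header are placeholders introduced here.

```perl
# Added example for a mimedefang-filter file; not code from the thread.
# Thresholds are the ones Tony describes; the trap address is a placeholder.
my $TAG_AT    = 7.0;     # tag the Subject and deliver as usual
my $TRAP_AT   = 9.0;     # redirect to the shared review mailbox
my $REJECT_AT = 15.0;    # refuse at SMTP time (the tier he was "toying with")
my $TRAP_RCPT = '<spamtrap@example.com>';    # placeholder address

# Pure decision function, so the policy can be tested outside the milter.
sub spam_tier {
    my ($score) = @_;
    return 'reject' if $score > $REJECT_AT;
    return 'trap'   if $score > $TRAP_AT;
    return 'tag'    if $score > $TAG_AT;
    return 'pass';
}

sub filter_end {
    my ($entity) = @_;
    return unless $Features{"SpamAssassin"};

    # spam_assassin_check() returns (score, required score, rule names, report).
    my ($hits, $req, $names, $report) = spam_assassin_check();
    return unless defined $hits;

    my $tier  = spam_tier($hits);
    my $score = sprintf("%.1f", $hits);
    return if $tier eq 'pass';

    # One syslog line per event keeps the nightly grep/sed statistics simple.
    # The envelope sender is attacker-controlled, so strip unprintable bytes.
    (my $sender = $Sender) =~ s/[^\x21-\x7e]/?/g;
    md_syslog('info', "spam tier=$tier score=$score relay=$RelayAddr sender=$sender");

    if ($tier eq 'reject') {
        # Rejecting during the SMTP session leaves the failure with the relay.
        action_bounce("Message refused: spam score $score");
    } elsif ($tier eq 'trap') {
        # Swap the envelope recipients; the original addressees get nothing.
        delete_recipient($_) for @Recipients;
        add_recipient($TRAP_RCPT);
        # Hypothetical header so a reviewer can re-deliver a false positive.
        action_add_header('X-Original-Recipients', join(', ', @Recipients));
    } else {    # 'tag'
        action_change_header('Subject', "[SPAM $score] $Subject");
    }
}

1;    # a filter file must return a true value
```

Because the reject tier answers during the SMTP transaction, this server never generates a bounce message of its own to a possibly forged sender address.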



