[Mimedefang] What to do w/ SPAM?
Philip Clever
philip at turquoise.net
Mon Sep 23 13:27:01 EDT 2002
me3!
----- Original Message -----
From: "Adam Beatham" <adam at backboard.org>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Monday, September 23, 2002 7:19 AM
Subject: Re: [Mimedefang] What to do w/ SPAM?
> Dave,
>
> I (for one) would be interested in the perl code to analyze the log...
>
> thanks!
> -adam
> At 09:55 AM 9/23/2002 -0700, you wrote:
>
> >then parse the log for each user to a tmpfile and send it to the users.
> >
> >If you want the code I'll send to you - about 300 lines of perl code.
> >Dave S.
> >
> >
> >Tony Nugent wrote:
> > >
> > > On Sat Sep 21 2002 at 16:58, "Ashley M. Kirchner" wrote:
> > >
> > > > It's 11pm. Do you know where your SPAM is? And I'm not
> > > > referring to Stuff Posing As Meat. I'm referring to email SPAM.
> > >
> > > :-)))
> > >
> > > > Seriously, what do people do with this stuff?
> > > > action_discard()? action_bounce()? I don't know how well
> > >
> > > [ ... ]
> > >
> > > > What do you do?
> > >
> > > What I do?
> > >
> > > If it rates over 7.0 but below 9.0 (arbitrary and experimental), the
> > > Subject line gets changed to add "[SPAM 8.3]" (8.3 being the score)
> > > to warn the recipient(s), the incident is syslog'ed, and the message
> > > is delivered as usual.
> > >
> > > If it rates over 9.0, then the recipient list is deleted and
> > > replaced to end up in a "spammer" account mailbox. The recipients
> > > get nothing, but it still allows collection of the spam (and also
> > > "dead" viruses) where they can be reviewed.
> > >
> > > I'm toying with the idea that if it rates over, say 15 or so, then
> > > it will be rejected outright for delivery... nothing gets delivered,
> > > and the remote relay then has the problem of dealing with what to do
> > > with the reject.
> > >
> > > I also have a (small) relay blacklist (and a whitelist too of
> > > course), I'll soon add orbs checks, and these will also all be
> > > bounced outright as delivery refused. I'm also considering
> > > rejecting any email with text/html that has no corresponding
> > > text/plain part (although I want to be careful about this).
> > >
> > > The "spammer" account idea works really well... it is a
> > > "multi-access" mailbox where a number of people in the office(s) it
> > > services have imap access to it. Nothing is lost, and anything
> > > trapped that is not real spam is still recoverable.
> > >
> > > And I must say that the latest version of spamassassin has had NO
> > > false positives since I upgraded it (although I do have a
> > > whitelist that would have caught quite a few). Very impressed.
> > > In fact, a spam confidence score of 7.0 rather than my upper level
> > > of 9.0 would have caught all of them with only ONE false positive
> > > (and that was an email from McAfee promoting their own anti-spam
> > > product!!! :-))
> > >
> > > On one server, the spamtrap has caught over 250 email spams in less
> > > than a month (and around 50 or so viruses).
> > >
> > > BTW, using syslog to record events like this is very useful... each
> > > night/week/whatever I run some simple greps and sed's over the
> > > maillog files to generate statistics on what has been happening.
> > >
> > > I'm sure you'll get lots more ideas from others here.
> > >
> > > Cheers
> > > Tony
> > > _______________________________________________
> > > MIMEDefang mailing list
> > > MIMEDefang at lists.roaringpenguin.com
> > > http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>
> -adam, the guy behind the guy behind the guy
>
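
The score tiers Tony describes in the quoted message, written out as a `mimedefang-filter` fragment. This is an added example, not code posted in the thread: the trap address and the `spam_tier` and `clean` helpers are hypothetical, and the 15.0 reject tier is the one he says he was only considering.

```perl
# Added example for mimedefang-filter; thresholds are taken from the thread.
use strict;
use warnings;
our (%Features, @Recipients, $Subject, $Sender, $RelayAddr, $MsgID);

my $TAG_AT    = 7.0;     # above this: tag Subject, log, deliver as usual
my $TRAP_AT   = 9.0;     # above this: divert to the shared review mailbox
my $REJECT_AT = 15.0;    # above this: refuse outright (tier still under consideration)
my $TRAP_RCPT = 'spammer@example.org';    # placeholder address, an assumption

# Pure policy decision, kept apart from the actions so it can be tested alone.
sub spam_tier {
    my ($hits) = @_;
    return 'reject' if $hits > $REJECT_AT;
    return 'trap'   if $hits > $TRAP_AT;
    return 'tag'    if $hits > $TAG_AT;
    return 'pass';
}

# Sender-controlled values go into syslog: replace anything outside printable
# ASCII so a crafted envelope address cannot forge or split log lines.
sub clean { my ($s) = @_; $s =~ s/[^\x21-\x7e]/?/g; return $s }

sub filter_end {
    my ($entity) = @_;
    return if message_rejected();             # an earlier rule already refused it
    return unless $Features{"SpamAssassin"};

    my ($hits, $req, $names, $report) = spam_assassin_check();
    return unless defined $hits;              # the check did not produce a score
    my $tier = spam_tier($hits);
    return if $tier eq 'pass';

    # One line per event keeps the nightly grep/sed statistics simple.
    md_syslog('info', sprintf('%s: spam tier=%s score=%.1f relay=%s from=%s rcpt=%s',
        $MsgID, $tier, $hits, $RelayAddr, clean($Sender),
        join(',', map { clean($_) } @Recipients)));

    if ($tier eq 'reject') {
        action_bounce('Delivery refused: message identified as spam');
    } elsif ($tier eq 'trap') {
        # Replace the envelope recipients; the original ones receive nothing.
        delete_recipient($_) for @Recipients;
        add_recipient($TRAP_RCPT);
    } else {
        action_change_header('Subject', sprintf('[SPAM %.1f] %s', $hits, $Subject));
    }
}
1;
```

Because the original recipients are removed in the trap tier, the syslog line is the only record of who the message was addressed to when someone reviews the shared mailbox.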