[Mimedefang] surbl

Richard Laager rlaager at wiktel.com
Mon Apr 12 23:25:05 EDT 2004


 

> It looks interesting, but I'm wondering if anyone else has tried
> this with MIMEDefang?  Will it work with MIMEDefang calling
> SpamAssassin by way of its modules?

It depends what you mean by "tried this with MIMEDefang". So, I'll
respond out of order. In response to your second question, if
SpamAssassin supports something by itself, MIMEDefang calling
SpamAssassin will utilize such a filtering technique.

On a related note, this thought of a URI blacklist is an idea I've
had (and shared with others) for a while. We'll see the same problem
as we did for Bayesian filtering... Spammers will start including
bogus URIs to avoid the filtering (or as a joe job). This is not to
say it's useless, just as Bayesian filtering is still useful.

URI filtering can be quite handy. I recently implemented code that
would check a message for URIs and then run those URIs through our
pornography filtering database. I called SpamAssassin to do the
actual URI parsing and I did the porn checks from within our
MIMEDefang filter. In this way, I was able to leverage the
SpamAssassin code and avoid reinventing the wheel. Because of the way
I coded, we only run full SpamAssassin checks if the customer wants
full spam filtering. If the customer only wants porn filtering, we
only need to run the URI parsing portion of the SpamAssassin code,
greatly saving CPU power. (If the customer wants neither, we do pass
the mail through unscanned.) So, it's possible to do URI filtering by
itself if desired.

There's no way a spammer can get around this sort of filtering by
padding a message with extra URIs since in this case a single case of
a URI is enough to trip the test. (Contrast this with approaches that
would check the percentage of bad URIs. I'm not sure if this SURBL
stuff does that or not.) And, the URIs aren't going into a database
based off messages, so there is no danger of joe jobs.

Richard Laager
Wikstrom Telecom Internet
