[Mimedefang] Spam Discard Help

Lucas Albers admin at cs.montana.edu
Tue Feb 17 13:53:29 EST 2004


David F. Skoll said:
> On Tue, 17 Feb 2004, Dean Davis wrote:
>
>> I've attempted to use the following example to drop/forward Spam to no
>> avail:
>> # Begin Spam Drop
>> if ($message_is_spam) {

When I discard I do it like so:
action_quarantine_entire_message();
action_discard();

Always throw in a quarantine on mail you reject so you can recover it
later if needed (excluding viruses).

This is if you plan to discard mail with no notification, which I do on an
external relay, because bouncing it will just redirect the sender to the
main server.
Remember two things.

Absolutely no false positives.
No aggressive optimizations of your rule sets.
Use the stock GA optimized SA rules, designed to give you the lowest false
positives.
Don't overly tweak your rule sets; you will catch more spam, but you will
raise your false positives.
(On my internal mail servers that bounce mail, I tweak the rule sets like
crazy, but I don't discard on them, I bounce them.)

If you set your discard to a relatively high threshold, you should not
have any FP based on the FP statistical analysis of the GA assigned rule
sets.
But the higher the score the higher the percentage of spam that will slip by.

These are some numbers to think about:
# SUMMARY for threshold 12.0:
# False positives:         0  0.00%  (0.00% of nonspam,      0 weighted)
# False negatives:      7211  13.10%  (18.87% of spam,  59620 weighted)

# SUMMARY for threshold 15.0:
# False positives:         0  0.00%  (0.00% of nonspam,      0 weighted)
# False negatives:     10527  19.13%  (27.55% of spam, 104293 weighted)

# SUMMARY for threshold 17.0:
# False positives:         0  0.00%  (0.00% of nonspam,      0 weighted)
# False negatives:     12790  23.24%  (33.47% of spam, 140517 weighted)

False positives are 1000 times worse than false negatives.

This is playing with fire, understand mimedefang and SA before you do this,
and understand the risks involved with directly discarding mail tagged as
spam.
If you are just installing a new installation of SA then DON'T do this.
Make sure you DON'T get in trouble from management for doing this.
This violates NUMEROUS RFCs, namely that mail should NEVER be discarded
with NO notification to the sender.

If you can guarantee that no mail can slip by your relay, because your
internal mail server does not allow direct connections, then bouncing
gives you ALL OF THE BENEFITS of this, and NONE OF THE DRAWBACKS.

In my situation I cannot control access to one internal mail server, and I
understand the risks, and so I do it.
So far I've handled 60K messages with no complaints.
On high load sites, statistically you will get false positives that are not
reflected by the GA scores, as they do not have a large enough
corpus, IMO.

To reiterate don't do a direct discard of mail based solely on spam score.

-- 
Luke, Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
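One way to lay out the quarantine-then-discard approach described in the post inside a MIMEDefang filter_end(), as an added example that is not from the original post nor from the MIMEDefang project's shipped mimedefang-filter. The function names are MIMEDefang's own Perl API (spam_assassin_check, action_quarantine_entire_message, action_discard, action_change_header, md_syslog, message_rejected); the two thresholds are assumptions: 5.0 to tag (SpamAssassin's default required score) and 15.0 to discard (one of the thresholds whose zero-false-positive summary appears above).

```perl
# Added example, not the original poster's filter. Fragment of a
# mimedefang-filter filter_end() that keeps a quarantine copy and then
# silently discards only when the SpamAssassin score clears a deliberately
# high threshold; anything below that is tagged and delivered so the
# recipient's client makes the call.
sub filter_end {
    my ($entity) = @_;

    # Hypothetical thresholds: tag at 5.0, discard only at 15.0 (assumptions)
    my $tag_threshold     = 5.0;
    my $discard_threshold = 15.0;

    # Another stage (e.g. the virus scan) may already have rejected it
    return if message_rejected();

    # MIMEDefang's SpamAssassin hook: returns score, required score,
    # matched rule names and the full report
    my ($hits, $req, $names, $report) = spam_assassin_check();
    return unless defined $hits;    # SA unavailable: deliver unchanged

    if ($hits >= $discard_threshold) {
        # Quarantine first so a false positive can be recovered later
        action_quarantine_entire_message(
            "SpamAssassin score $hits >= $discard_threshold; rules: $names");
        action_discard();
        md_syslog('info', "discarded message, score=$hits, rules=$names");
        return;
    }

    if ($hits >= $tag_threshold) {
        # Tag rather than drop: the score is visible, nothing is lost
        action_change_header('X-Spam-Score',  "$hits ($names)");
        action_change_header('X-Spam-Status',
            "Yes, score=$hits required=$tag_threshold");
    } else {
        action_change_header('X-Spam-Status',
            "No, score=$hits required=$tag_threshold");
    }
}
```

The discard branch logs the matched rule names alongside the score, which is what you want when reviewing the quarantine directory for the false positives the post warns about: a message that was dropped on a single aggressively-scored rule stands out immediately.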
