[wplug] SpamAssassin

Bill Moran wmoran at potentialtech.com
Sat Apr 3 17:46:13 EST 2004


Lance Tost wrote:
> On Fri, 2 Apr 2004, Bill Moran wrote:
> 
>>I'm not a big fan of _any_ content filter for a number of reasons:
>>1) It's like painting over the rust.  Someone out there is junkmailing you
>>    (either viruses or spam), block it at the source
> 
> In an ideal world, this may be possible.

True, but the lack of an ideal world to implement it in does not mean that
it has no merit whatsoever in the non-ideal reality.

>>2) It puts you in a constant game of "block something, then they work out
>>    a way around it".  How many spams have you seen with v1agra in the text,
>>    in an attempt to fool content filters like spam assassin?  I'm just not
>>    interested in playing that game.
> 
> Nobody's interested in playing this game.  But what can you do?

I can't argue with you there, not even a little.  But I still don't like it.

>>3) While sa is OK on CPU usage, it's high compared to actually blocking the
>>    source of the problem.  It's also time-consuming, look at the length of
>>    time it takes to process your messages once sa is in the loop.  This is
>>    probably of little concern when you have a small mail server with only
>>    a few dozen addresses, but it loads a big, corporate server badly.
> 
> Explain to me how to block the source of the problem.  Where I work, we 
> block about 8,000-10,000 messages a day out of probably 12,000-15,000 
> total using PureMessage (a commercial product based somewhat on 
> Spamassassin).  Out of these spam messages, typically no more than 10-15 a 
> day come from the same IP.

I covered this in an earlier email, see:
http://www.wplug.org/pipermail/wplug/2004-April/010205.html

#1 is the most effective, and easiest to implement.
#2 is moderately effective, and very easy to implement.
#3 is the most time-consuming to implement, but (over time) is proving to be fairly
effective, as we start to isolate entire domains that are sources of spam.  In fact,
we have a couple of countries that we've blocked because it seems the entire country
is spam-friendly.  #3 is also something that may not easily be used by others.  For
example, I block all .ar domains.  I don't speak whatever language is spoken in .ar ...
I don't have any customers from .ar, and I don't expect to ever have any ... as a
result, by blocking all .ar domains, I stop a LOT of spam, with very little chance
of ever hurting my business communication.  We also have a web page up
(http://www.potentialtech.com/abuse.php) that the bounce message directs people
to.  We're finding that the people who are getting bounces don't seem to care.
For example, we bounced 2773 messages in March; of those, only 3 people visited the
page referenced in the bounce message ... to me, this means that spammers already
know why they got bounced and don't care.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com



