Re: spam avoidance (was Re: cpu speed problem)

From: "Tim" <ignored_mailbox@xxxxxxxxxxxx>

Aaron Konstam:
You are asking a lot from a spam filter.

Not really, it's the computer, not me...  ;-)

But let me share with you this:
1. For the first time spamassassin really works with evolution in f7.
I get no more than 1 spam message a week out of maybe a 1000 messages.

I picked on that one as just an example, but it's the only one available
from my various mail hosts.  As I said before, it needs to be done on
the server.  Else *YOU* are still getting spam (wasting storage space
and downloading it), and lost mail gets silently discarded or you have
to manually check.  And that's the problem, where it's remotely
installed, it's not modifiable enough by me to be worth it.

Search for "greylist". That is the technique for which you are groping.

2. It is impossible to run a spam filter without checking the junk
folder since you will lose a few files that you wanted to see. Training
in this regard is everything.

Yes, and no.

You can run spam systems that do the poison bait test that I outlined,
and nothing more.  If anything posts to my bait address, it gets marked
as spam, 100% error free.  The same message posted, separately, to my
other accounts is identified as spam, also with 100% certainty.  Such
tests can be done without further care.

You can also do other tests, giving them less certainty, but I found it
not necessary.  The spam I was getting was always addressed to all of my
contacts.  Sometimes as separate messages, sent at the same time,
sometimes as one message addressed to a few of them.

That cuts down on random address spam. It does nothing for directly
addressed spam. So consider this technique as a variant on greylisting,
a technique to cut down on mailer load.

3. Asking your spam filter to notify the spam senders is crazy. Why
would I want all the cialis vendors and Nigeria con men to know their
mail did not get through.

You're thinking about this from just one point of view.

Firstly, let's look at killing spam:  If it's spam, you don't want it,
obviously.  If you *reject* at the input stage, it's like firewalling.
They fail.  And it's better that they know that.  Auto spam systems can
give up on your address, giving the world a bit less traffic to deal
with.  Scattergun spammers, not caring about the response, aren't given
anything more useful to them than your system silently accepting their
spam.  They already have your address.

Secondly, let's look at not killing non-spam (ham):  You have someone
trying to mail you who should be able to, but for some reason their
message triggers the spam detector.  If that was your long lost brother,
your boss telling you something important, your potential client asking
you something or accepting your quote, etc., and it's silently rejected,
you've lost out something important, perhaps permanently.  If you have
to check your junk mail, personally, why bother having an anti-spam
system in the first place?  And you might check it too late to be any
good.  But, if your system rejects the message, with a notification,
that sender has the chance to try resending it, differently, so that it
gets through.  Think of making phone calls; if it's busy, the caller
tries again; if it rings and rings, they don't know what to do; if it
takes a message, they expect that someone will listen to it.

This is at the SMTP level.  It doesn't backfire onto some faked address,
spamming yet another person.  If they'd connected directly to your SMTP
server, part way through *trying* to send it'd abort and pop up a
warning (just the same as you'll see on some systems if you try to post
to a non-existent address).  If they'd sent through their ISP's SMTP
server, they'd send it, and moments later their ISP mail system would
bounce it back to them, to their mailbox, not to someone else's address
fraudulently written in the spam's "from" field.

The notification would be of this sort:  Your message could not be
delivered, because the anti-spam system has determined the message to be
spam.  If this is not correct, you can try re-sending your message, but
in a slightly different manner.  e.g. Turn off HTML, send it as plain
text, send your message without a 20 meg file attached to it, send your
message without an executable file attached, send your message without
content similar to many spams (i.e. don't quote spam content to us),
telephone us if you are having trouble, etc.

A real person will see that, and make some adjustments and try again.
Most spammers will not see that, and not hand craft a spam for one
person in a million.  Some spammers may look at the rejection notices
that they get back, but those that are going to try again are still
going to spam you with the something that triggers the spam detection,
just about all their attempts at obfuscation are detectable.  And again,
they're not going to do this just for you, but for all their victims,
increasing the chances that anti-spam system updates will also catch
them.

Tim, there is no quicker way to get on my email s**t list than polluting
my mailbox with your decision process, PARTICULARLY if it involves any
mailing list messages. A proper sendmail rejection notice would result
in a bounce from my sendmail process, which I already tend to filter
out. Even so it is annoying when I get one for spurious reasons. Of course,
for spam the concept of overloading the virus victim's inbox with crap
sounds viscerally pleasing if rather pointless. He'll never figure out
why he's getting all that nonsense about rejected emails he never sent.

Treat email as an analog to snail mail. So your mailbox overflows with
<censored>. You keep a trash bucket next to the mailbox and drop the
obvious junk as you pull it out - you abort the sendmail transaction.
Then you perform secondary filtering - bulk rate mail from unknown
address gets shredded and disposed of without opening it. (procmail
can do this.) You also check the first line or two of the doubtful
snail mails, very few by this point, and chuck the spams (spamassassin
with procmail for the chucking). Then you take it into the house.

Automated scanning is not as good as human scanning. So you have the
automation provide you with a score that can easily sort emails by the
quality of the spam assertion. You check the doubtful ones.

As it happens I load an otherwise idle firewall machine with the email
checks. And I get angry if I get one spam a week make it through, out of
around 75 to 100 spams a day (down from a much higher number for reasons
I don't understand.) That's out of about 700 to 1000 emails a day - this
list, FreeBSD, and LKML are VERY busy lists. {^_-}

4. I guess being a New Yorker I have a thicker skin. I have never gotten
a message from a crazy that I felt would damage my equilibrium. If one
appears I put him in my blacklist and he disappears.

I'd simply rather not have to bother.  Though, at times, I've sent their
replies back to the public list.  They don't usually pull that stunt
again, on anyone.  Some even unsubscribe.

I find blacklists mostly a waste of time.  I've got to fiddle around on
more than one client, usually, and those sorts of people will change
addresses so they can continue to be a pain.  And there's a certain
level of satisfaction in hitting the delete button.


I will also respond to the following, despite your feeling about it
drifting away from topic, as it's a topic that needs occasionally
bringing up, the separation of public and private mail, in general.  It
goes beyond the two of us, at this stage it's pertinent, and I don't
think the thread has dragged on hideously (like some tangential posts
do).  Not yet, at least.  ;-)

If you are dealing with more than one modest modern family your problems
are quite different from mine. You face the serious problem that what
I might consider to be ham would be spam for someone else. And some people
are kinky and like "those kind of spams". BUT - any company that has the
temerity to simply toss "dubious spam" headed my way is one I cannot use
for email. When serving a lot of people do consider greylisting. That is
an astoundingly effective technique, normally speaking. Also run only very
conservative spamassassin rule lists and block lists via spamassassin. If
you use block lists in sendmail then arrange to use several with a scoring
mechanism based on their historical goodness at your location.

{^_^}
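
The two SMTP-time checks discussed in this thread, greylisting and the bait-address test with an in-session rejection, as an added example that is not code from any of the posters. The addresses, the 300-second delay, the reply texts and the `SmtpPolicy` name are assumptions made for illustration.

```python
import hashlib
import re

BAIT = {"bait@example.org"}     # constructed bait address, never given to people
GREY_DELAY = 300                # assumed: seconds before a retry is accepted

class SmtpPolicy:
    def __init__(self):
        self.first_seen = {}    # (client_ip, mail_from, rcpt_to) -> first attempt time
        self.poisoned = set()   # fingerprints of bodies that hit a bait address

    def on_rcpt(self, client_ip, mail_from, rcpt_to, now):
        """Greylisting: temp-fail an unknown triplet, accept a patient retry."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first < GREY_DELAY:
            return "451 4.7.1 Greylisted, try again later"
        return "250 2.1.5 OK"

    @staticmethod
    def fingerprint(body):
        # Collapse case and whitespace so re-wrapped copies still match.
        text = re.sub(r"\s+", " ", body.strip().lower())
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def on_data(self, recipients, body):
        """Bait test at end-of-DATA, while the SMTP session is still open."""
        fp = self.fingerprint(body)
        if {r.lower() for r in recipients} & BAIT:
            self.poisoned.add(fp)   # anything sent to the bait address is spam
        if fp in self.poisoned:
            # In-session 5xx: the sending MTA tells the real sender; nothing
            # is mailed to whatever address is forged in the From header.
            return "550 5.7.1 Rejected as spam; resend as plain text if this is wrong"
        return "250 2.0.0 OK"

def demo():
    """Run constructed sample traffic through the policy."""
    p = SmtpPolicy()
    spam = "Cheap pills!\nBuy   now"
    return [
        p.on_rcpt("192.0.2.7", "a@example.net", "tim@example.org", now=0),
        p.on_rcpt("192.0.2.7", "a@example.net", "tim@example.org", now=600),
        p.on_data(["bait@example.org"], spam),
        p.on_data(["tim@example.org"], "cheap pills! buy now"),
        p.on_data(["tim@example.org"], "Lunch on Friday?"),
    ]
```

A copy that reaches a real address before the bait copy arrives is still accepted, so the bait test only catches later deliveries of the same body.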

