[ale] DSPAM
Chris Ricker
kaboom at gatech.edu
Fri Apr 30 10:14:56 EDT 2004
On Thu, 29 Apr 2004, James P. Kinney III wrote:
> It basically started passing too much spam. I would adjust the spam
> scores and stuff would get marked but the false positives were so high
> it was almost as much of a problem. Plus the slight changes to the spam
> would not get picked up by spamassassin.

SA works fine, but you have to stay on top of its filters for it to be
effective. Spam's an arms race, so as spammers come out with new methods to
work around existing filters, you have to add more to block them....

The general approach I use with SA, both for my employer's corporate email
setup (~1500 employees) and for various consulting clients:

1. reject email to non-existent addresses
2. virus-scan rest and drop all the worms
3. sa what's left
   a. drop everything over a cutoff sa score (say, 30, or something high
      like that)
   b. flag everything between the cutoff and a much lower score (say, 6) as
      spam, but deliver it to the client where it's sorted separately
   c. provide folders / email addresses for missed spam and falsely-tagged
      ham for automatic correction of the Bayesian db's
   d. monitor missed spam from (c) and add new rules as necessary to catch
      it in the future. <http://www.rulesemporium.com/> is a good starting
      place for more rules / docs on writing your own

Adding more rules as spamming techniques evolve is the key. Tweaking points,
thresholds, etc. won't gain you much.

That's going to be true of any filter-based approach to spam-blocking....
Statistical / heuristic approaches avoid the need to update filters, but
spammers are starting to learn how to game them fairly effectively.

later,
chris
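
The score tiers from steps 3a and 3b above, as an added example that is not part of the original post: it reads the `X-Spam-Status` header SpamAssassin writes and picks an action. The action names, the `sample` helper and the "unscored" policy for missing or duplicated headers are assumptions of this sketch.

```python
import re
from email import message_from_string

DROP_AT = 30.0  # step 3a: cutoff suggested in the post
FLAG_AT = 6.0   # step 3b: lower score suggested in the post

# SpamAssassin 2.x wrote "hits=", 3.x and later write "score=".
SCORE_RE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")

def sa_score(raw_message):
    """Return the SpamAssassin score as a float, or None if it cannot be trusted."""
    headers = message_from_string(raw_message).get_all("X-Spam-Status") or []
    # Policy of this example: zero or several status headers means the message
    # was not scored exactly once by our own scanner, so do not act on it.
    if len(headers) != 1:
        return None
    match = SCORE_RE.search(headers[0])
    return float(match.group(1)) if match else None

def route(raw_message):
    """Map a scanned message to the action from step 3 of the post."""
    score = sa_score(raw_message)
    if score is None:
        return "unscored"      # hand back to the scanner, never drop blind
    if score > DROP_AT:
        return "drop"          # 3a
    if score >= FLAG_AT:
        return "spam-folder"   # 3b: delivered, sorted separately
    return "inbox"

def sample(*status_headers):
    """Build a constructed test message carrying the given X-Spam-Status values."""
    lines = ["From: sender@example.com", "Subject: constructed sample"]
    lines += ["X-Spam-Status: " + s for s in status_headers]
    return "\n".join(lines) + "\n\nbody\n"

if __name__ == "__main__":
    for status in ("Yes, score=41.2 required=6.0 tests=BAYES_99",
                   "Yes, hits=12.5 required=6.0\n\ttests=BAYES_99,HTML_MESSAGE",
                   "No, score=-2.1 required=6.0 tests=BAYES_00"):
        print(route(sample(status)), "<-", status.split()[1])
    print(route(sample()), "<- no header")
```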