[ale] DSPAM

Chris Ricker kaboom at gatech.edu
Fri Apr 30 10:14:56 EDT 2004


On Thu, 29 Apr 2004, James P. Kinney III wrote:

> It basically started passing too much spam. I would adjust the spam
> scores and stuff would get marked but the false positives were so high
> it was almost as much of a problem. Plus the slight changes to the spam
> would not get picked up by spamassassin.

SA works fine, but you have to stay on top of its filters for it to be 
effective. Spam's an arms race, so as spammers come out with new methods to 
work around existing filters, you have to add more to block them....

The general approach I use with SA, both for my employer's corporate email
setup (~1500 employees) and for various consulting clients:

1. reject email to non-existent addresses
2. virus-scan rest and drop all the worms
3. sa what's left
   a. drop everything over a cutoff sa score (say, 30, or something high
      like that)
   b. flag everything between the cutoff and a much lower score (say, 6) as
      spam, but deliver it to the client where it's sorted separately
   c. provide folders / email addresses for missed spam and falsely-tagged
      ham for automatic correction of the Bayesian db's
   d. monitor missed spam from (c) and add new rules as necessary to catch
      it in the future. <http://www.rulesemporium.com/> is a good starting
      place for more rules / docs on writing your own

Adding more rules as spamming techniques evolve is the key. Tweaking points, 
thresholds, etc. won't gain you much. 

That's going to be true of any filter-based approach to spam-blocking.... 
Statistical / heuristic approaches avoid the need to update filters, but 
spammers are starting to learn how to game them fairly effectively.

later,
chris
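The tiered pipeline Chris lays out (reject unknown recipients, drop worms, hard-drop at 30, flag at 6, feed correction folders back into the Bayes db) as an added worked example; this is not code from the post, the ALE list, or the SpamAssassin project. The `X-Spam-Status` header format and the `sa-learn --spam/--ham/--mbox` options are SpamAssassin's real ones; the recipient directory, the correction-folder names, and the sample messages are constructed for the example.

```python
"""Tiered spam triage modelled on the pipeline described in the post (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds quoted in the post: hard-drop at 30, flag-as-spam at 6.
DROP_SCORE = 30.0
FLAG_SCORE = 6.0

# Constructed recipient directory standing in for the MTA's address lookup (step 1).
VALID_RECIPIENTS = {"alice@example.org", "bob@example.org"}

# SpamAssassin adds "X-Spam-Status: Yes, score=7.3 required=5.0 tests=A,B autolearn=..."
# when it scores a message; this pulls out the score and the names of the rules that fired.
SA_STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*(?:Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)"
    r"(?:.*?\btests=(?P<tests>\S+))?",
    re.MULTILINE | re.IGNORECASE,
)


@dataclass
class Verdict:
    action: str                  # reject | drop-virus | drop-spam | flag-spam | deliver
    reason: str
    score: Optional[float] = None
    tests: Tuple[str, ...] = ()


def parse_sa_status(raw: str) -> Optional[Tuple[float, Tuple[str, ...]]]:
    """Return (score, tests) from X-Spam-Status, or None if SA never scored the message."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)      # RFC 822 header folding -> one line
    m = SA_STATUS_RE.search(unfolded)
    if not m:
        return None
    tests = tuple(m.group("tests").split(",")) if m.group("tests") else ()
    return float(m.group("score")), tests


def triage(raw: str, recipient: str, virus_found: bool) -> Verdict:
    """Apply the post's steps in order: recipient check, virus drop, then score tiers.
    virus_found is the result of the AV stage (step 2), supplied by the caller."""
    if recipient.lower() not in VALID_RECIPIENTS:
        return Verdict("reject", "unknown recipient")          # step 1: reject at SMTP time
    if virus_found:
        return Verdict("drop-virus", "worm/virus detected")     # step 2: never deliver worms
    parsed = parse_sa_status(raw)
    if parsed is None:
        return Verdict("deliver", "no X-Spam-Status header; SA did not score it")
    score, tests = parsed
    if score >= DROP_SCORE:                                     # step 3a: silent drop
        return Verdict("drop-spam", f"score {score} >= {DROP_SCORE}", score, tests)
    if score >= FLAG_SCORE:                                     # step 3b: tag, deliver to spam folder
        return Verdict("flag-spam", f"score {score} >= {FLAG_SCORE}", score, tests)
    return Verdict("deliver", f"score {score} below {FLAG_SCORE}", score, tests)


def learn_command(folder: str, mailbox_path: str) -> List[str]:
    """Build the sa-learn call for the correction folders of step (c).
    Folder names are assumed; --spam, --ham and --mbox are real sa-learn options."""
    kind = {"missed-spam": "--spam", "false-positive": "--ham"}[folder]
    return ["sa-learn", kind, "--mbox", mailbox_path]


# Constructed sample messages (headers only), one per score tier; "grey" has a folded header.
SAMPLES = {
    "ham": "From: alice@example.org\nX-Spam-Status: No, score=1.2 required=5.0 "
           "tests=HTML_MESSAGE autolearn=no\n\nhi",
    "grey": "From: x@example.net\nX-Spam-Status: Yes, score=7.3 required=5.0 "
            "tests=BAYES_80,HTML_MESSAGE\n\tautolearn=no\n\nbuy now",
    "junk": "From: y@example.net\nX-Spam-Status: Yes, score=41.5 required=5.0 "
            "tests=BAYES_99,URIBL_BLACK autolearn=spam\n\n$$$",
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw, "alice@example.org", virus_found=False))
    print(" ".join(learn_command("missed-spam", "/var/mail/corrections/missed-spam")))
```

The order of the stages matters for cost and exposure: the recipient check and AV drop run before SpamAssassin so the expensive scoring only sees mail that could be delivered, and the two thresholds keep the false-positive risk of an outright drop confined to scores far above SA's default `required=5.0`. Step (d), adding rules, is a human loop over whatever lands in the missed-spam folder; the `tests` tuple in each `Verdict` shows which rules did fire, which is what you look at when deciding what new rule is missing.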
