Re: [ILUG] spam

From: Paul Jakma (paul at domain clubi.ie)
Date: Wed 03 Jul 2002 - 00:26:26 IST


On Tue, 2 Jul 2002, Ronan Waide wrote:

> Why not razor? After all, the more spam razor is fed, the better it
> is at blocking.

hmm...

anyone use razor? how much spam does it catch do you know?

it seems to me razor is 'signature-based', not lexical (eg via
regexps). Eg, afaict from the feature list, it uses some message
digests and some kind of statistical signature method. (where the
signatures are community submitted).

don't think that'd catch everything for me. but a combination of
various methods'd be good...

at the moment i have 2:

1. milter which checks all IPs found in Received headers against
specified blacklists, and adds a warning for each positive match.

2. procmail scoring rules that look for various regexps. (i have
about 376 of them at the moment - must go cull spamassassin for more).

- i've to add a whitelist feature to this (whitelist is embedded at
  the moment)

- still have to fine-tune it a bit, and get more regexps.

- it currently tends to trigger on very long emails (eg ones with
attachments), perhaps not completely a bad thing, but i might add a
rule to give a small amount of 'goodness' for number of lines.

- it looks for the header generated by 1.

- it doesn't always catch the nigerian scam-spam, one thing that
impresses me is these boys do put a bit of effort into writing
the emails, they all tend to be reasonably different, least there
aren't a set of hard-and-fast regexps you can trap them with - to my
feeble mind anyway. so i just score on occurrence of
nigeria|congo|kabila|mubutu|etc.. at the moment.

- it tends to catch a lot of marketing blurb, eg from register.com.
so i basically filter my work email to a folder first, as well as
addresses i've used to signup to things (eg register.com) that i care
about.

anyway, between the above 2, the vast majority of my spam ends up in
my spam folder. (v. long mails and ones with big attachments
excepted). eg, in the last 2 days i've received about 150 spams, of
which about 3 weren't caught (1 nigerian spam), also 1 email went to
spam folder. (had a video attached - windows asf format too, pah.)

anyway, 4 for ~150 - good enough for me.

might look at adding razor to the mix, but as ken points out, you
then rely on others to filter your mail - not sure if i like that.

also, i might one day turn the procmail scoring ruleset into a C
milter - once i get it fine-tuned to a point i'm happy with.

> Cheers,
> Waider.

regards,

-- 
Paul Jakma	paul at domain clubi.ie	paul at domain jakma.org	Key ID: 64A2FF6A
Fortune:
	... with liberty and justice for all ... who can afford it.
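
Added example, not part of the original message and not the poster's milter or procmail rules: a Python sketch of the two-stage filter the message describes, where stage 1 checks every Received IP against DNS blacklists and adds a warning header, and stage 2 scores regexps (including that header) with a whitelist and a small per-line credit for long mails. The header name `X-RBL-Warning`, the zone `bl.example`, the weights, the threshold and the sample message are all assumptions made for illustration.

```python
import email, email.utils, ipaddress, re, socket

# Constructed sample message (documentation-range IPs, not from the thread).
SAMPLE = (
    "Received: from mail.example.net (mail.example.net [192.0.2.25])\n"
    "\tby mx.example.org with ESMTP; Tue, 2 Jul 2002 10:00:00 +0100\n"
    "Received: from unknown (HELO pc) (203.0.113.7)\n"
    "\tby mail.example.net with SMTP; Tue, 2 Jul 2002 09:59:58 +0100\n"
    "From: someone@example.com\n"
    "Subject: urgent business proposal\n\n"
    "I am the son of a late minister in Nigeria ...\n")
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
RULES = [  # (regexp, score per occurrence); weights are hypothetical
    (re.compile(r"^X-RBL-Warning:", re.M | re.I), 3.0),  # header from stage 1
    (re.compile(r"nigeria|congo|kabila|mubutu", re.I), 2.0),
    (re.compile(r"business proposal", re.I), 1.5)]
WHITELIST = {"friend@example.org"}  # hypothetical whitelisted sender
THRESHOLD = 4.0                     # hypothetical spam cut-off

def dns_listed(name):
    """A DNSBL lists an address if the query name resolves at all."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def received_ips(msg):
    """Every syntactically valid IPv4 address in the Received headers."""
    found = []
    for hdr in msg.get_all("Received", []):
        for cand in IP_RE.findall(hdr):
            try:
                found.append(str(ipaddress.IPv4Address(cand)))
            except ValueError:
                pass  # not a real address, e.g. 999.1.1.1
    return found

def tag_blacklisted(msg, zones, lookup=dns_listed):
    """Stage 1: one warning header per (IP, zone) hit; query is reversed octets + zone."""
    for ip in received_ips(msg):
        for zone in zones:
            if lookup(".".join(reversed(ip.split("."))) + "." + zone):
                msg["X-RBL-Warning"] = f"{ip} listed in {zone}"
    return msg.get_all("X-RBL-Warning", [])

def score(msg):
    """Stage 2: sum rule hits, then subtract a capped credit for message length."""
    if email.utils.parseaddr(msg.get("From", ""))[1].lower() in WHITELIST:
        return 0.0
    text = msg.as_string()
    total = sum(w * len(rx.findall(text)) for rx, w in RULES)
    return total - min(text.count("\n") / 200.0, 2.0)

def is_spam(msg):
    return score(msg) >= THRESHOLD
```

Because rules score per occurrence, a long message can cross the threshold on repetition alone; the capped line-count credit in `score` is the counterweight.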

