spamassassin-users mailing list archives

From John Hardin <jhar...@impsec.org>
Subject Re: Very spammy messages yield BAYES_00 (-1.9)
Date Fri, 17 Aug 2012 15:53:53 GMT
On Fri, 17 Aug 2012, Bowie Bailey wrote:

> On 8/17/2012 10:56 AM, Ben Johnson wrote:
>>  Basically, I need to do something about the spam inundation, as soon as
>>  possible.
>
> The quickest way I know of to reduce spam is to reject mail at the MTA based 
> on the zen.spamhaus.org blacklist.  I have been using this for a few years 
> now.  It blocks lots of spam and I haven't had any problems with it.

+1 for zen.spamhaus.org DNSBL at SMTP time.

> You can also implement graylisting, although it will slow down mail delivery 
> from new senders, which may or may not be an issue for you.  I haven't tried 
> it, but lots of people swear by it.

As for Greylisting, a lot of spam is least-effort one-shot no-retry 
delivery, but not all. It won't reduce spam that is sent via a "proper" 
MTA or via a spambot that does retry-until-successful. You can set a short 
delay period to block the one-attempt-gush spammers, or a longer delay 
period to give new spamvertised domain names a chance to appear in URIBLs 
for the spammers who retry. And, of course, you have to balance this 
against your users' expectations for delivery time, and perhaps do some 
education to set those expectations more realistically.

I use greylisting, with whitelists for regular correspondents.

There are some other MTA SMTP-time methods to pluck the low-hanging fruit:

Publishing an SPF record. There's anecdotal evidence that it cuts down on 
joe-job attempts.

Even if you publish an SPF record, you might want to explicitly reject 
From addresses in your domain if the message is received from the 
Internet. This can be done using SPF, but you may not be comfortable doing 
SMTP-time rejects based on SPF failures.

Something I have fairly good results with is rejecting mail from the 
Internet where the HELO is not a fully-qualified domain name.

Since my MTA is the only valid source for email from my domain, I also 
reject messages where the HELO is in my domain. You will, of course, have 
to carve out exceptions to this rule for valid outbound mail. On a 
multihomed MTA or an MTA where outbound mail is submitted via an SSL 
tunnel this is pretty easy.

For the above, if you have Sendmail I recommend milter-regex; my 
milter-regex.conf is available here:

   http://www.impsec.org/~jhardin/antispam/milter-regex.conf

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Ignorance is no excuse for a law.
-----------------------------------------------------------------------
  7 days until the 1933rd anniversary of the destruction of Pompeii
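The SMTP-time checks discussed in this message (DNSBL lookup against zen.spamhaus.org, rejecting a non-FQDN HELO, rejecting a HELO or MAIL FROM claiming to be in your own domain when the connection comes from the Internet, and greylisting with a whitelist for regular correspondents) as one worked policy function. This is an added example written for this page; it is not John Hardin's milter-regex.conf and not code from SpamAssassin or any MTA. It assumes the served domain is example.org, uses a constructed in-memory resolver stub in place of real DNS (so it runs offline), and keys the greylist on the client's /24 rather than the exact IP, a common choice so that retries from a neighbouring outbound host in the same pool still match. The ZEN answer codes are those Spamhaus documents for its combined zone.

```python
"""SMTP-time policy checks: DNSBL, HELO sanity, own-domain spoofing, greylist.
Added example, not code from the original post or from milter-regex.
The resolver below is a constructed stub standing in for a real DNS lookup."""
import ipaddress
import re

MY_DOMAIN = "example.org"        # assumption: the domain this MTA is authoritative for
DNSBL_ZONE = "zen.spamhaus.org"  # the DNSBL named in the thread

# Spamhaus ZEN return codes (127.0.0.x A records), as documented by Spamhaus.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dnsbl_listing(ip, resolve, zone=DNSBL_ZONE):
    """Return the ZEN list the client is on, or None. `resolve(name)` returns the
    A records for `name` (an empty list when the name does not exist)."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if answer in ZEN_CODES:
            return ZEN_CODES[answer]
    return None

# Constructed stand-in for DNS: only 192.0.2.66 is "listed" (an XBL hit).
STUB_LISTED = {dnsbl_query_name("192.0.2.66"): ["127.0.0.4"]}

def stub_resolve(name):
    return STUB_LISTED.get(name, [])

# Labels of 1-63 chars, at least one dot, alphabetic TLD, 253 chars total.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def helo_is_fqdn(helo):
    """Bare hostnames ('localhost') and address literals ('[192.0.2.1]') both fail;
    address literals are legal SMTP but the rule in the thread rejects them too."""
    return bool(FQDN_RE.match(helo))

def in_my_domain(name, domain=MY_DOMAIN):
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

class Greylist:
    """Triplet greylisting: (client /24, sender, recipient) is tempfailed until the
    sender retries after `delay` seconds. Whitelisted sender domains bypass it."""
    def __init__(self, delay=300, whitelist=()):
        self.delay = delay
        self.whitelist = {d.lower() for d in whitelist}
        self.seen = {}  # triplet -> time first seen

    def check(self, ip, sender, rcpt, now):
        if sender.rsplit("@", 1)[-1].lower() in self.whitelist:
            return "accept"
        net = str(ipaddress.ip_network(ip + "/24", strict=False))
        key = (net, sender.lower(), rcpt.lower())
        first = self.seen.setdefault(key, now)
        return "accept" if now - first >= self.delay else "tempfail"

def smtp_policy(client_ip, helo, mail_from, rcpt_to, resolve, greylist, now, trusted=False):
    """Return (action, reason). `trusted` marks authenticated or submission-port
    clients, the 'valid outbound mail' exception the thread mentions."""
    if trusted:
        return ("accept", "authenticated client")
    listing = dnsbl_listing(client_ip, resolve)
    if listing:
        return ("reject", f"client listed in {DNSBL_ZONE} ({listing})")
    if not helo_is_fqdn(helo):
        return ("reject", "HELO is not a fully-qualified domain name")
    if in_my_domain(helo):
        return ("reject", "HELO claims to be in my domain")
    if in_my_domain(mail_from.rsplit("@", 1)[-1]):
        return ("reject", "MAIL FROM in my domain from the Internet")
    return (greylist.check(client_ip, mail_from, rcpt_to, now), "greylist")

if __name__ == "__main__":
    g = Greylist(delay=300, whitelist=["partner.example"])
    for ip, helo, sender in [("192.0.2.66", "mail.example.net", "a@b.net"),
                             ("192.0.2.10", "localhost", "a@b.net"),
                             ("192.0.2.10", "mta.example.org", "a@b.net"),
                             ("192.0.2.10", "mail.example.net", "boss@example.org"),
                             ("192.0.2.10", "mail.example.net", "a@b.net")]:
        print(ip, helo, sender, smtp_policy(ip, helo, sender, "u@example.org", stub_resolve, g, 0))
```

The order matters: the DNSBL check runs first because it is the cheapest way to shed the bulk of the load, and the own-domain rules run only for untrusted connections so that authenticated submission from your own users is never caught by them.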
