March 21, 2004
SpamAssassin rules

It seems more and more spam is getting through my SpamAssassin settings, so I've been re-evaluating my rules, looking at what others are using and seeing what comes through and what doesn't. I came up with a little set of rules which appears to be helping quite a bit. I have yet to come up with a false positive with these, but your mileage may vary depending on who emails you and how (I never get HTML email, for instance, so that can be scored high).

RCVD_IN_SORBS is downgraded to zero, since I just discovered it's giving a positive match to mail.dslr.net which is not listed -- hence the blacklist is not reliable.

Note: I use a required_hits setting of 5


HABEAS_SWE=2
HTML_FONT_BIG=2
HTML_FONT_COLOR_RED=2
HTML_IMAGE_ONLY=4
HTML_MESSAGE=2
MIME_HTML_MOSTLY=2
MIME_HTML_ONLY=3
RCVD_IN_BL_SPAMCOP_NET=2
RCVD_IN_DSBL=2
RCVD_IN_DYNABLOCK=2
RCVD_IN_NJABL=2
RCVD_IN_NJABL_PROXY=2
RCVD_IN_SBL=2
RCVD_IN_SORBS=0
UPPERCASE_20_50=2
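
As an added example (not part of the original post): the Python below parses the list exactly as posted, renders it in SpamAssassin's `score RULE value` config syntax, and lists which pairs of these rules alone reach the required_hits of 5. The function names are made up for illustration, and it models only the scores listed here, ignoring stock rule scores and Bayes.

```python
from itertools import combinations

# Scores copied from the post as written (NAME=value), plus its required_hits.
POSTED = """\
HABEAS_SWE=2
HTML_FONT_BIG=2
HTML_FONT_COLOR_RED=2
HTML_IMAGE_ONLY=4
HTML_MESSAGE=2
MIME_HTML_MOSTLY=2
MIME_HTML_ONLY=3
RCVD_IN_BL_SPAMCOP_NET=2
RCVD_IN_DSBL=2
RCVD_IN_DYNABLOCK=2
RCVD_IN_NJABL=2
RCVD_IN_NJABL_PROXY=2
RCVD_IN_SBL=2
RCVD_IN_SORBS=0
UPPERCASE_20_50=2
"""
REQUIRED_HITS = 5.0

def parse_scores(text):
    """Parse NAME=value entries into {rule: score}; fail loudly on bad ones."""
    scores = {}
    for n, entry in enumerate(text.split(), 1):  # split() also skips blank lines
        name, sep, value = entry.partition("=")
        if not sep or not name.replace("_", "").isalnum():
            raise ValueError(f"entry {n}: expected NAME=value, got {entry!r}")
        scores[name] = float(value)
    return scores

def to_local_cf(scores, required=REQUIRED_HITS):
    """Render the settings in SpamAssassin's config syntax."""
    rows = [f"score {rule} {val:g}" for rule, val in sorted(scores.items())]
    return "\n".join([f"required_hits {required:g}"] + rows)

def verdict(hits, scores, required=REQUIRED_HITS):
    """Assumption: only the rules listed above count; stock scores are ignored."""
    total = sum(scores.get(rule, 0.0) for rule in hits)
    return total, total >= required

def pairs_reaching(scores, required=REQUIRED_HITS):
    """Pairs of rules whose scores alone reach the spam threshold."""
    return [(a, b) for a, b in combinations(sorted(scores), 2)
            if scores[a] + scores[b] >= required]

if __name__ == "__main__":
    print(to_local_cf(parse_scores(POSTED)))
```

With these scores, a message that hits both HTML_MESSAGE and MIME_HTML_ONLY reaches 5 on those two rules alone, which is the trade-off of scoring HTML high.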

Posted March 21, 2004 11:17 AM in Spam sucks
Comments
On March 21, 2004 04:45 PM Justin Mason added:

Hi Kasia -- it would probably be better to set RCVD_IN_SORBS to something just above 0, like 0.001. Why? Because, while the basic lookup itself is pretty useless, it provides info for other, much more accurate rules -- like RCVD_IN_SORBS_HTTP, which hit 44% of spam with a 99.5% accuracy rating during the 2.6x rescoring run.

--j.

#
On March 22, 2004 03:08 AM Pontus added:

You _do_ train your SA, don't you? It seems most people I talk to that spend time writing new rules do not bother teaching their filters about the spam they receive. For me, the stock rules work almost perfectly (it's a bit slow on learning that most Habeas-mark mail I receive is spam, but except for that, it does exactly what I want).

My biggest irritation is all those bounces I get because of masks where I'm in the address book of somebody and the mask sends mail with me as sender (number two is stupid virus scanners sending mail to the "sender", not the intended recipient).

#
On March 22, 2004 04:10 AM Aristotle Pagaltzis added:

I don't know if they've changed their policies in the meantime maybe, but last I heard a lot of people were pissed about Spamcop as well — they will blacklist domains used as spoofed sender addresses. They've even blacklisted amazon.com at some point.

To add insult to injury, they will only correspond with abuse@$REVERSE_LOOKUP_DOMAIN, which would be abuse@your-isp.net if you're surfing from an ISP connection at home. You would have to SSH into your webserver and bring up their contact form using lynx or something, I guess. Very funny, really.

#
On March 22, 2004 08:15 AM kasia added:

Pontus, yes, of course.. for the longest time I've seen no spam, then it slowly started trickling in and recently it's been 5+ a day coming through. Hence new rules, so far, no spam and no false positives.

#
On March 30, 2004 03:20 PM Scott Delinger added:

Look into greylisting in front of SA. Works a charm so far, and takes a helluva load off SA.

http://projects.puremagic.com/greylisting/

#
Trackbacks
Jeremy Zawodny's blog: The SpamAssassin Custom Rule Emporium
Kasia's SpamAssassin rules post reminded me of something that's not well publicized (unless you happen to be on the SpamAssassin mailing list(s)). The SpamAssassin Custom Rule Emporium is the place to go for additional rules you can drop in to your SA...
March 21, 2004 02:56 PM
Flashes of Panic: Check your weapons
Another NYT article in today’s “Circuits” section is called “Stand and Fight: An Arsenal for Spam Victims.” Unfortunately, it deals mostly with commercial anti-spam tools, and I’ve mentioned my problems with these be...
March 25, 2004 01:19 PM