
fanf

Spammed to death

11th Mar 2004 | 15:25

Here are the counts of messages that landed in my spam folder each day in the last few weeks. I recently moved my personal email from Chiark to Hermes because I needed the content filtering. Note that these numbers do not include the thousand-or-so viruses each day that are forwarded from Chiark and deleted by Hermes.



37 Fri Feb 20 2004
42 Sat Feb 21 2004
37 Sun Feb 22 2004
26 Mon Feb 23 2004
15 Tue Feb 24 2004
25 Wed Feb 25 2004
35 Thu Feb 26 2004
41 Fri Feb 27 2004
45 Sat Feb 28 2004
58 Sun Feb 29 2004
33 Mon Mar 01 2004
49 Tue Mar 02 2004
110 Wed Mar 03 2004
371 Thu Mar 04 2004
452 Fri Mar 05 2004
348 Sat Mar 06 2004
287 Sun Mar 07 2004
556 Mon Mar 08 2004
441 Tue Mar 09 2004
377 Wed Mar 10 2004
265 Thu Mar 11 2004


Comments {13}

Pete

from: pjc50
date: 11th Mar 2004 07:48 (UTC)

So hermes' content filtering is better than chiark's? What happened to the much vaunted SAUCE?


Peter Maydell

from: pm215
date: 11th Mar 2004 07:50 (UTC)

I suspect that quite a bit of SAUCE's effectiveness is just due to the greylisting it does. The admins at work recently put a simple greylist in place (first time it sees you it gives you a 4xx error) and this has hugely reduced my spam volumes.

Unfortunately you can't configure SAUCE to give you the greylisting without the RFC-policing.


Sion

from: sion_a
date: 11th Mar 2004 08:09 (UTC)

The other thing which contributes to SAUCE's effectiveness is use of RBLs -- I have a lax policy but for the last three months have been filtering out anything that triggers RBL warnings. This catches about 95% of spam, and has had one false positive so far (official ntlworld customer announcement).

Demon's new spam filtering is probably doing about as well (but I can't see false positives) -- where it's really failing me is in letting through what look to me are going to be viruses. Including one allegedly from esr....


The Lusercop

from: lusercop
date: 11th Mar 2004 09:38 (UTC)

I'd disagree. I think that greylisting has to work in conjunction with blacklisting. Many more systems are trying again and again (maybe they use random data which isn't, or some such). You want to give them the opportunity to blacklist themselves. In my reckoning, it takes around a year or two from an address appearing on an indexed webpage to being in sufficient numbers of spam lists to make this useful, but I see lots of hits to my bait addresses.

What is irritating about SAUCE is that things like SpamAssassin, and other IDS systems (eg looking for default.ida or cmd.exe in your web access logs) can't easily feed information back into it.


Tony Finch

from: fanf
date: 11th Mar 2004 09:45 (UTC)

I'm planning to maintain my own blacklist of virus-emitting hosts, on the basis that they are likely to become spam-emitting hosts in the future. I'll probably create some bait addresses too, which will also feed into the blacklist.


Tony Finch

from: fanf
date: 11th Mar 2004 08:00 (UTC)

SAUCE doesn't do content filtering (yet).

I would like to do greylisting on Hermes, preferably within Exim (so it requires some implementation work).


The Lusercop

from: lusercop
date: 11th Mar 2004 08:41 (UTC)

It's possible to do it entirely with ${perl } stuff and ACL rules, I believe. Not terribly difficult.


Tony Finch

from: fanf
date: 11th Mar 2004 08:43 (UTC)

I don't intend to embed Perl in Exim on ppsw :-)


The Lusercop

from: lusercop
date: 11th Mar 2004 08:49 (UTC)

spoilsport!

The main difficulty is the same one I encountered in my filter file magic, you have to save out to a state database that you can clean out in a sensible way, and read back. Everything else is pretty easy. SAUCE gets around a lot of the problems by being single-process, but event driven, which means that it can keep state in memory, writing it out to a journal. I think an arbitrarily keyed save/lookup mechanism set in expand.c wouldn't be such a bad thing...


Tony Finch

from: fanf
date: 11th Mar 2004 08:52 (UTC)

Especially with support from exim_tidydb.


The Lusercop

from: lusercop
date: 11th Mar 2004 09:07 (UTC)

Yup!

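The greylisting discussed in the comments above (a 4xx reply the first time a sender is seen, backed by a state database that can be cleaned out sensibly), as an added example that is not code from any commenter, SAUCE or Exim. The (host, sender, recipient) key, the SQLite store, the function names and the two time limits are assumptions made for illustration.

```python
import sqlite3

# Assumed policy values (not from the thread): a retry only counts once
# MIN_DELAY seconds have passed; idle entries expire after MAX_AGE seconds.
MIN_DELAY = 300
MAX_AGE = 7 * 24 * 3600

def open_state(path=":memory:"):
    """Open the state store; use a file path so every SMTP process shares it."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS grey ("
               "host TEXT, sender TEXT, rcpt TEXT, "
               "first_seen INTEGER, last_seen INTEGER, "
               "PRIMARY KEY (host, sender, rcpt))")
    return db

def check(db, host, sender, rcpt, now):
    """Return the SMTP reply for one RCPT: 451 to defer, 250 to accept."""
    key = (host, sender.lower(), rcpt.lower())
    row = db.execute("SELECT first_seen FROM grey "
                     "WHERE host=? AND sender=? AND rcpt=?", key).fetchone()
    if row is None:
        # First sight: record the triplet and ask the client to retry.
        db.execute("INSERT INTO grey VALUES (?,?,?,?,?)", key + (now, now))
        db.commit()
        return "451 greylisted, try again later"
    db.execute("UPDATE grey SET last_seen=? "
               "WHERE host=? AND sender=? AND rcpt=?", (now,) + key)
    db.commit()
    if now - row[0] < MIN_DELAY:
        # A retry inside the delay window is deferred again.
        return "451 greylisted, try again later"
    return "250 OK"

def tidy(db, now):
    """Drop entries not seen for MAX_AGE seconds; return how many were removed."""
    cur = db.execute("DELETE FROM grey WHERE last_seen < ?", (now - MAX_AGE,))
    db.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = open_state()
    t = ("192.0.2.10", "a@example.org", "b@example.net")  # constructed sample
    for now in (0, 60, 400):
        print(now, check(db, *t, now))
    print("removed", tidy(db, 400 + MAX_AGE + 1))
```

Keeping `tidy` separate from `check` mirrors the split the thread describes between the lookup done at SMTP time and a periodic clean-up pass over the database.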

Col

from: cjwatson
date: 11th Mar 2004 08:36 (UTC)

Tony seems to use a lax sauce-policy, which makes it considerably less fascist.


Tony Finch

from: fanf
date: 11th Mar 2004 08:42 (UTC)

Ah I see I forgot about the :dotat policy. Bah, etc.
