
Re: IMPORTANT: your message to html-tidy



on Tue, Sep 09, 2003 at 11:07:39AM +1000, Craig Sanders (cas@taz.net.au) wrote:
> On Sun, Sep 07, 2003 at 11:09:57PM -0700, Steve Lamb wrote:
> > On Mon, 8 Sep 2003 15:40:15 +1000
> > Matthew Palmer <mpalmer@debian.org> wrote:
> > > On Mon, Sep 08, 2003 at 06:04:39AM +0100, Karsten M. Self wrote:
> > > > I'm coming to the view that we're approaching the era where all mail is
> > > > going to have to be subject to filtering, at the MTA level.
> >  
> > > Depends on how useful you want your e-mail box to be.  <g>
> > 
> >     It has been my experience that filtering at the MTA level has increased
> > the usefulness of my mailbox considerably.  
> 
> <aol> me too </aol>
> 
> stats from last week's mail.log (from my home mail server which handles mail
> for about half a dozen people):
> 
>       1	Bad HELO
>      10	RBL proxies.relays.monkeys.com
>      11	Recipient Domain Not Found
>      22	RBL relays.ordb.org
>      25	strict 7-bit headers
>      31	Relay access denied
>      32	RBL taiwan.blackholes.us
>      34	Sobig.F Virus
>      42	body checks
>      49	RBL spamdomains.blackholes.easynet.nl
>      56	header checks
>      61	RBL dnsbl.sorbs.net
>     182	IP Address in HELO
>     193	RBL brazil.blackholes.us
>     218	RBL blackholes.easynet.nl
>     271	Local access rule: Helo command rejected
>     342	RBL hongkong.blackholes.us
>     492	RBL dynablock.easynet.nl
>     924	RBL sbl.spamhaus.org
>    1080	Local address forgery
>    1099	Recipient address rejected
>    1133	Sender Domain Not Found
>    1771	RBL list.dsbl.org
>    1825	Dynamic IP Trespass
>    1902	RBL cn-kr.blackholes.us
>    2471	Local access rule: Client host rejected
>    3005	Need FQDN address
>    3581	Local access rule: Sender address rejected
>    4267	User unknown
> 
>   25130	TOTAL
> 
> 
> Spamassassin stats:
>     382	spam
>    4093	clean
>    4475	TOTAL
> 
> Percentages:
> spam:non-spam (25512/29605) 86.17%
> accepted spam (382/4475) 8.54%
> rejected spam (25130/25512) 98.50%
> 
> 
> i'm reasonably happy with that.  98.5% of all spam was rejected
> outright.  only 382 spams (1.5%) made it through my postfix access
> lists, RBLs, etc to be tagged by spamassassin.

I'd argue that differently.

You've blocked a total of 6016 mails of 55,117 attempted deliveries,
based on the IP address of the sending MTA.  That's a broad
rejection policy.  As many people have noted, for pretty much _any_
given IP, your odds are good that most of the mail received from it is
spam.  It doesn't do much for the legit mail that comes through.  Given
that we now _do_ have good content/context based filters for assessing
spam likelihood for a given mail item, blind use of RBLs should be
discouraged.  It's the same sort of thinking that's causing no end of
trouble for people trying to communicate with AOL users:

    http://z.iwethey.org/forums/render/content/show?contentid=96264
    http://yro.slashdot.org/yro/03/04/13/2215207.shtml?tid=120

I'd recommend alternative approaches -- using RBLs as weighted
indicators, denying first-receipt of mail from such hosts (backing up
their mail queues), 

> these stats also demonstrate just how bad the spam problem has become.
> 86% of all attempts to deliver mail to my server were spam, ~25500
> spams and ~4100 legit messages.

No doubt.

> if i wasn't blocking spam at the MTA, then at least half of those
> spams would have ended up in MY personal mailbox (or, more likely,
> tagged by spamassassin and saved into my spam.incoming
> folder)....about 13000 more spams than i currently receive.

The difference between what I'm advocating and what you're doing:  run
SpamAssassin _at_ _SMTP_ _receipt_, not after accepting the message for
delivery.  Exim4 allows this readily.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    "Charming man," he said. "I wish I had a daughter so I could forbid
    her to marry one ..."
    -- HHGTG
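
The weighted-RBL idea from the message above, combined with a content score and decided while the SMTP session is still open. This is an added example, not part of the original message: the zone names come from the quoted stats, while the weights, threshold, sample addresses and listings are constructed, and `content_score` stands in for a SpamAssassin score.

```python
import ipaddress

# Zone names appear in the quoted stats; the weights are assumptions for illustration.
DNSBL_WEIGHTS = {
    "sbl.spamhaus.org": 3.0,
    "list.dsbl.org": 2.0,
    "dynablock.easynet.nl": 1.0,
}
REJECT_AT = 5.0  # assumed rejection threshold for the combined score

def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: the client's IPv4 octets reversed, prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def rbl_score(ip, is_listed):
    """Sum the weights of every zone listing the client instead of rejecting on the first hit."""
    hits = [z for z in DNSBL_WEIGHTS if is_listed(dnsbl_query_name(ip, z))]
    return sum(DNSBL_WEIGHTS[z] for z in hits), hits

def smtp_verdict(ip, content_score, is_listed):
    """Decide after DATA but before the final reply, so a rejection is a 5xx to the sender's MTA."""
    rbl, hits = rbl_score(ip, is_listed)
    total = rbl + content_score
    if total >= REJECT_AT:
        return 550, f"5.7.1 rejected (score {total:.1f}, lists: {', '.join(hits) or 'none'})"
    return 250, f"2.0.0 accepted (score {total:.1f})"

# Constructed sample data: RFC 5737 documentation addresses with made-up listings.
SAMPLE_LISTINGS = {
    "10.2.0.192.dynablock.easynet.nl",
    "7.113.0.203.sbl.spamhaus.org",
    "7.113.0.203.list.dsbl.org",
}

def sample_lookup(name):
    # A live version would resolve `name` and treat a 127.0.0.x answer as a listing.
    return name in SAMPLE_LISTINGS

if __name__ == "__main__":
    cases = [("192.0.2.10", 0.4), ("192.0.2.10", 4.6), ("203.0.113.7", 0.2), ("198.51.100.5", 6.1)]
    for ip, content in cases:
        print(ip, content, smtp_verdict(ip, content, sample_lookup))
```

The first case is the one a blind RBL reject would lose: a clean message from a dynamic-range address is accepted, while the same address sending borderline content is rejected during the session.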
