
Re: IMPORTANT: your message to html-tidy



On Wed, 10 Sep 2003 15:46:28 +1000
Craig Sanders <cas@taz.net.au> wrote:
> my system rejected them as spam, so they were spam (or so likely to be spam
> as makes no difference).

    There is a difference between it being spam because of it coming from an
IP block and it actually being spam.  Or are you saying that it is
inconceivable that someone in Taiwan using Debian might want to contact you?

> i choose not to, because there is a fairly high risk of SMTP session
> timeouts when the system is under heavy load, resulting in a) repeat
> attempts to deliver the same mail to my server (wasting more bandwidth and
> CPU power to scan it), and b) the small possibility of an undesirable
> feedback loop of ever-increasing loadavg.

    Given the stats here of people reporting the time per second of SA
scanning at SMTP time and your reported load I can assure you that the chances
of you getting SMTP timeouts because of SA would be remote at best.  You're
not AOL, you're not Earthlink/Mindspring.  You've got, what, 40 users total?

> it's less hassle and less dangerous to just accept it, classify it, tag it
> if necessary, and deliver it....the MDA can filter it as appropriate.

    You mean use unilateral checks (which SA already supports) to filter
things out of hand when better methods are available, THEN accept...

> 382 tagged in a week, about half of which go to my SPAM.incoming folder (the
> rest go to other users, so don't concern me directly).  most are nigerian
> 419 scams and can be ignored, a handful have extra domains/ip
> addresses/phrases to add to my lists.

http://lists.debian.org/debian-user/2003/debian-user-200308/msg00154.html

    4 a week here.  Granted my volume seems to be lower than yours so let's
scale up.  You get 25k/week, I get 2324 a week.  Round to 2300 for easier
math.  2300/25k = 9.2%  So, 4 * 10 (round up since it's easier and adds, not
subtracts, to my total) = 40. At your mail load I'd get 40/week delivered,
tagged as spam by SA. The spam that gets through undetected completely is a
magnitude less. 4/month at your load would be about right. Of course that is
for my personal account.  I did say it was 22/week total for all accounts.
Even so, 220 is 160 less than what you're pawing through.  Mind you that 220
figure also comes from a presumed linear progression of spam at the current
scoring levels.  I do not believe that to be the case.  If I were getting more
spam I believe SA would reject a larger percentage outright.  But hey, that
would help my case so I'll be nice and let that slide.

    So what miraculous things am I doing.  SA at SMTP, reject anything over 8,
tag and deliver anything between 5-8, autolearn over 12 and just to be nasty,
teergrube anything over 15.  Back then I had exactly 0 custom SA rules.  Today
I have 6 rules which I could consolidate down to 1 if I felt like making a
more complex regex; systems accounts for the machine I secondary for,
wonderful honeypot for me.  Once a day I fire up a tool I wrote to help me
sort through the narrow range that's let through and I hit one of 3 buttons:

H = ham
S = Spam
D = Delete

    Ham it sends to sa-learn as ham and sends a revoke to razor.  Spam sends
to sa-learn as spam and sends a report to razor.  Delete just deletes.  I can
normally go through the 20-30 pieces of mail that are tagged at the current
levels in about, ohhh, 5 minutes tops.  More like 2 and most of that is
waiting on the Bayesian classifier to learn the message.

> not exactly what i'd call an excessive or obsessive work-load.
> it's not even enough of a workload to bother using procmail rules to drop
> extremely high scoring spams into /dev/null
 
    Really.  How many postfix rules do you have that you hand crafted?  How
many SA rules?  I edited sa-exim.conf once a looong time ago and the package
added the configuration line in for me.  I have 6 SA rules.  I spend less than
5m/day on maintaining the rules which, in all honesty, I don't have to since
those messages are tagged as spam anyway.  I just do it since they aren't
autolearned and I want to verify them and report them to razor so others won't
get hit.  I'm doing so little work and in the end I am getting a far lower
relative spam load than you are with how many rules again?  Quite a bit more
since I'm not adding IP blocks and domain blocks and extra spam words to the
SA filters.  From my perspective you're going through all this extra work,
obsessing over a problem and getting worse results for it.

> >     But then, I'm running Exim which has inferior spam prevention
> >     techniques compared to the all-powerful Postfix.  Obviously I should
> >     be getting far more than you... right?
 
> more than the 1.5% of spam that makes it through my postfix filters to be
> tagged by SA?  i suspect that you do.

    22 of 2324/week.  .009% by my math.  That's 1.41% less than you for a lot
less work.  Learn to use your tools, man.

-- 
         Steve C. Lamb         | I'm your priest, I'm your shrink, I'm your
       PGP Key: 8B6E99C5       | main connection to the switchboard of souls.
-------------------------------+---------------------------------------------

Attachment: pgpl6YW0A62SE.pgp
Description: PGP signature
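
The score bands and the H/S/D review step described in the message above, as an added example that is not part of the original post and is not the poster's tool. The function names, the handling of scores exactly on a threshold, and the use of `rm` for Delete are assumptions; `sa-learn`, `razor-report` and `razor-revoke` are the standard SpamAssassin and Razor command-line tools.

```python
from dataclasses import dataclass

# Thresholds quoted from the message; inclusive/exclusive edges are assumed.
TAG, REJECT, AUTOLEARN, TEERGRUBE = 5.0, 8.0, 12.0, 15.0

@dataclass(frozen=True)
class Disposition:
    smtp: str           # accept | tag | reject | teergrube
    autolearn: bool     # fed to the Bayes database without human review
    needs_review: bool  # lands in the daily H/S/D queue

def classify(score: float) -> Disposition:
    """Map a SpamAssassin score to the SMTP-time action for its band."""
    learn = score > AUTOLEARN
    if score > TEERGRUBE:
        return Disposition("teergrube", learn, False)
    if score > REJECT:
        # 8 < score <= 12 is refused but never trains the classifier.
        return Disposition("reject", learn, False)
    if score >= TAG:
        return Disposition("tag", False, True)
    return Disposition("accept", False, False)

def triage_commands(key: str, path: str) -> list[list[str]]:
    """Commands for one reviewed message, as argv lists (no shell parsing)."""
    actions = {
        "H": [["sa-learn", "--ham", path], ["razor-revoke", path]],
        "S": [["sa-learn", "--spam", path], ["razor-report", path]],
        "D": [["rm", "--", path]],  # assumed implementation of Delete
    }
    try:
        return actions[key.upper()]
    except KeyError:
        raise ValueError(f"unknown triage key: {key!r}") from None

def review_queue(scores: list[float]) -> list[float]:
    """Scores that a human still has to look at (the tagged band only)."""
    return [s for s in scores if classify(s).needs_review]

if __name__ == "__main__":
    sample = [1.2, 5.0, 7.9, 8.1, 12.5, 15.1]  # constructed scores
    for s in sample:
        print(s, classify(s))
    print(triage_commands("s", "/tmp/constructed-msg.eml"))
```

Returning argv lists keeps spool file names out of shell parsing when the commands are passed to `subprocess.run`.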

