
Re: More sorbs blacklisting



On Thu, Jun 29, 2006 at 12:49:43PM +0100, John Kelly wrote:
> Spammers turn to images to fool filters
> 
> http://news.yahoo.com/s/ap/20060628/ap_on_hi_te/spam_images;_ylt=An8NruBEo7Speg9bvdRayHsRSLMF;_ylu=X3oDMTA4ZnRnZjhkBHNlYwMxNjk1

spammers have been doing this for years.

it's easy to block.

1. SpamAssassin can detect messages which have very little text plus an
embedded image.

2. block *all* embedded images. not mere attachments, but those embedded
with a cid: url. works for me and i haven't had a single false-positive
in all the years i've been doing this.

> Like I said,
> 
> > I believe content filters are less effective than the method
> > I use, which starts by demanding proper DNS
> 
> Content filtering is a losing proposition.  The best way forward is
> sender filtering, which starts by demanding proper DNS.

sender filtering is a useful part of an anti-spam system, but it's not
the panacea you think it is. and requiring reverse DNS is nowhere near
as useful as you think it is.

any anti-spam system that actually works (i.e. achieves significantly
better than 99% spam-blocking rate) uses multiple different techniques
- sender & helo blacklists, RBLs, DULs, body checks, header checks, dns
checks (including checking the MX record of the sender domain), content
filtering with SA, virus checking, requiring an FQDN that actually
exists in the DNS for HELO/EHLO, and more.

relying on just one of them is going to guarantee that a lot of spam
gets through. e.g. that last one (requiring an FQDN address) consistently
accounts for over a third of all spam blocked by my machines - but i'd
be a fool to just rely on that....i don't want to block only a third, i
want to block all of it if i can (but will settle for 99.5% or better).


craig

-- 
craig sanders <cas@taz.net.au>           (part time cyborg)
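
The two checks listed in the message above (very little text plus an embedded image, and rejecting any image referenced by a cid: URL), sketched as an added example that is not part of the original post and is neither SpamAssassin's rule nor the poster's own configuration. The function name, the 200-character threshold and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
CID_REF = re.compile(r"cid:([^\"'\s>)]+)", re.I)  # cid: URLs inside text/HTML bodies

def embedded_image_report(raw, min_text_chars=200):
    """Find images shown inline via cid: URLs and measure the visible text."""
    image_cids, referenced, text_chars = set(), set(), 0
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            cid = part.get("Content-ID", "").strip().strip("<>")
            if cid:
                image_cids.add(cid)
        elif ctype in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body = payload.decode(part.get_content_charset() or "utf-8", "replace")
            referenced.update(CID_REF.findall(body))
            if ctype == "text/html":
                body = re.sub(r"<[^>]+>", " ", body)  # crude tag strip
            text_chars = max(text_chars, len("".join(body.split())))
    # An image part that no cid: URL points at is a mere attachment, not embedded.
    embedded = sorted(image_cids & referenced)
    return {"embedded_images": embedded,
            "text_chars": text_chars,
            "reject_all_embedded": bool(embedded),  # point 2 in the message
            "little_text_plus_image": bool(embedded) and text_chars < min_text_chars}

# Constructed sample: an HTML part that displays an inline image via a cid: URL.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body><img src="cid:pic1@example.invalid"></body></html>
--B1
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <pic1@example.invalid>

R0lGODlhAQABAAAAACw=
--B1--
"""

if __name__ == "__main__":
    print(embedded_image_report(SAMPLE))
```
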