spam avoidance (was Re: cpu speed problem)

jdow jdow at earthlink.net
Wed Aug 1 02:47:06 UTC 2007


From: "Tim" <ignored_mailbox at yahoo.com.au>

> Aaron Konstam:
>> You are asking a lot from a spam filter.
> 
> Not really, it's the computer, not me...  ;-)
> 
>> But let me share with you this:
>> 1. For the first time spamassassin really works with evolution in f7.
>> I get no more than 1 spam message a week out of maybe a 1000 messages.
> 
> I picked on that one as just an example, but it's the only one available
> from my various mail hosts.  As I said before, it needs to be done on
> the server.  Else *YOU* are still getting spam (wasting storage space
> and downloading it), and lost mail gets silently discarded or you have
> to manually check.  And that's the problem, where it's remotely
> installed, it's not modifiable enough by me to be worth it.

Search for "greylist". That is the technique for which you are groping.

>> 2. It is impossible to run a spam filter without checking the junk
>> folder since you will lose a few files that you wanted to see. Training
>> in this regard is everything.
> 
> Yes, and no.
> 
> You can run spam systems that do the poison bait test that I outlined,
> and nothing more.  If anything posts to my bait address, it gets marked
> as spam, 100% error free.  The same message posted, separately, to my
> other accounts is identified as spam, also with 100% certainty.  Such
> tests can be done without further care.
> 
> You can also do other tests, giving them less certainty, but I found it
> not necessary.  The spam I was getting was always addressed to all of my
> contacts.  Sometimes as separate messages, sent at the same time,
> sometimes as one message addressed to a few of them.

That cuts down on random address spam. It does nothing for directly
addressed spam. So consider this technique as a variant on greylisting,
a technique to cut down on mailer load.

>> 3. Asking your spam filter to notify the spam senders is crazy. Why
>> would I want all the cialis vendors and Nigeria con men to know their
>> mail did not get through.
> 
> You're thinking about this from just one point of view.
> 
> Firstly, let's look at killing spam:  If it's spam, you don't want it,
> obviously.  If you *reject* at the input stage, it's like firewalling.
> They fail.  And it's better that they know that.  Auto spam systems can
> give up on your address, giving the world a bit less traffic to deal
> with.  Scattergun spammers, not caring about the response, aren't given
> anything more useful to them than your system silently accepting their
> spam.  They already have your address.
> 
> Secondly, let's look at not killing non-spam (ham):  You have someone
> trying to mail you who should be able to, but for some reason their
> message triggers the spam detector.  If that was your long lost brother,
> your boss telling you something important, your potential client asking
> you something or accepting your quote, etc., and it's silently rejected,
> you've lost out something important, perhaps permanently.  If you have
> to check your junk mail, personally, why bother having an anti-spam
> system in the first place?  And you might check it too late to be any
> good.  But, if your system rejects the message, with a notification,
> that sender has the chance to try resending it, differently, so that it
> gets through.  Think of making phone calls; if it's busy, the caller
> tries again; if it rings and rings, they don't know what to do; if it
> takes a message, they expect that someone will listen to it.
> 
> This is at the SMTP level.  It doesn't backfire onto some faked address,
> spamming yet another person.  If they'd connected directly to your SMTP
> server, part way through *trying* to send it'd abort and pop up a
> warning (just the same as you'll see on some systems if you try to post
> to a non-existent address).  If they'd sent through their ISP's SMTP
> server, they'd send it, and moments later their ISP mail system would
> bounce it back to them, to their mailbox, not to someone else's address
> fraudulently written in the spam's "from" field.
> 
> The notification would be of this sort:  Your message could not be
> delivered, because the anti-spam system has determined the message to be
> spam.  If this is not correct, you can try re-sending your message, but
> in a slightly different manner.  e.g. Turn off HTML, send it as plain
> text, send your message without a 20 meg file attached to it, send your
> message without an executable file attached, send your message without
> content similar to many spams (i.e. don't quote spam content to us),
> telephone us if you are having trouble, etc.
> 
> A real person will see that, and make some adjustments and try again.
> Most spammers will not see that, and not hand craft a spam for one
> person in a million.  Some spammers may look at the rejection notices
> that they get back, but those that are going to try again are still
> going to spam you with the something that triggers the spam detection,
> just about all their attempts at obfuscation are detectable.  And again,
> they're not going to do this just for you, but for all their victims,
> increasing the chances that anti-spam system updates will also catch
> them.

Tim, there is no quicker way to get on my email s**t list than polluting
my mailbox with your decision process, PARTICULARLY if it involves any
mailing list messages. A proper sendmail rejection notice would result
in a bounce from my sendmail process, which I already tend to filter
out. Even so it is annoying when I get one for spurious reasons. Of course,
for spam the concept of overloading the virus victim's inbox with crap
sounds viscerally pleasing if rather pointless. He'll never figure out
why he's getting all that nonsense about rejected emails he never sent.

Treat email as an analog to snail mail. So your mailbox overflows with
<censored>. You keep a trash bucket next to the mailbox and drop the
obvious junk as you pull it out - you abort the sendmail transaction.
Then you perform secondary filtering - bulk rate mail from unknown
address gets shredded and disposed of without opening it. (procmail
can do this.) You also check the first line or two of the doubtful
snail mails, very few by this point, and chuck the spams (spamassassin
with procmail for the chucking). Then you take it into the house.

Automated scanning is not as good as human scanning. So you have the
automation provide you with a score that can easily sort emails by the
quality of the spam assertion. You check the doubtful ones.

As it happens I load an otherwise idle firewall machine with the email
checks. And I get angry if I get one spam a week make it through, out of
around 75 to 100 spams a day (down from a much higher number for reasons
I don't understand.) That's out of about 700 to 1000 emails a day - this
list, FreeBSD, and LKML are VERY busy lists. {^_-}

>> 4. I guess being a New Yorker I have a thicker skin. I have never gotten
>> a message from a crazy that I felt would damage my equilibrium. If one
>> appears I put him in my blacklist and he disappears.
> 
> I'd simply rather not have to bother.  Though, at times, I've sent their
> replies back to the public list.  They don't usually pull that stunt
> again, on anyone.  Some even unsubscribe.
> 
> I find blacklists mostly a waste of time.  I've got to fiddle around on
> more than one client, usually, and those sorts of people will change
> addresses so they can continue to be a pain.  And there's a certain
> level of satisfaction in hitting the delete button.
> 
> 
> I will also respond to the following, despite your feeling about it
> drifting away from topic, as it's a topic that needs occasionally
> bringing up, the separation of public and private mail, in general.  It
> goes beyond the two of us, at this stage it's pertinent, and I don't
> think the thread has dragged on hideously (like some tangential posts
> do).  Not yet, at least.  ;-)

If you are dealing with more than one modest modern family your problems
are quite different from mine. You face the serious problem that what
I might consider to be ham would be spam for someone else. And some people
are kinky and like "those kind of spams". BUT - any company that has the
temerity to simply toss "dubious spam" headed my way is one I cannot use
for email. When serving a lot of people do consider greylisting. That is
an astoundingly effective technique, normally speaking. Also run only very
conservative spamassassin rule lists and block lists via spamassassin. If
you use block lists in sendmail then arrange to use several with a scoring
mechanism based on their historical goodness at your location.

{^_^}
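
The closing advice above, to combine several block lists with a score based on each list's historical accuracy at your own site, can be sketched as follows. This is an added example, not part of the original post or any poster's configuration; the list names are placeholders, the hit counts are constructed, and the log-likelihood weighting and thresholds are one assumed way to do the scoring.

```python
import math

# Constructed local history (placeholder list names): of the confirmed spam
# and confirmed ham seen at this site, how many messages each list flagged.
TOTAL_SPAM, TOTAL_HAM = 10000, 10000
HISTORY = {
    "bl-a.example": (9800, 2),    # (spam flagged, ham flagged)
    "bl-b.example": (4000, 150),
    "bl-c.example": (600, 400),   # barely better than a coin flip
    "bl-d.example": (3000, 100),
}

def weight(name):
    """Log-likelihood ratio of a listing, add-one smoothed so a list with
    zero recorded false positives does not get an infinite weight."""
    spam_hits, ham_hits = HISTORY[name]
    p_spam = (spam_hits + 1) / (TOTAL_SPAM + 2)
    p_ham = (ham_hits + 1) / (TOTAL_HAM + 2)
    return math.log(p_spam / p_ham)

def score(listed_on):
    """Sum the weights of the lists that returned a hit. Unknown lists are
    ignored; summing treats the lists as independent, a simplification."""
    return sum(weight(n) for n in set(listed_on) if n in HISTORY)

def decide(listed_on, reject_at=5.0, review_at=2.0):
    """reject = refuse during the SMTP transaction, review = deliver tagged
    with the score for a human to check, accept = deliver normally."""
    s = score(listed_on)
    if s >= reject_at:
        return "reject"
    if s >= review_at:
        return "review"
    return "accept"

if __name__ == "__main__":
    for hits in (["bl-a.example"], ["bl-b.example"], ["bl-c.example"],
                 ["bl-b.example", "bl-d.example"], []):
        print(hits, round(score(hits), 2), decide(hits))
```

With these constructed counts, no single mediocre list can cause a rejection on its own, but two of them agreeing can, while a list with a poor local track record contributes almost nothing.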



