Re: [exim] Anti SPAM Exim configuration

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [exim] Anti SPAM Exim configuration
On Tue, 14 Dec 2004, Marc Perkel wrote:

> I manage to filter nearly 100% of spam.


And what rate of false positives?

> Sender Callback Verification


Selectively, I hope. "Verifying" a local part with MTAs that say
"fine" to any old rubbish, just isn't worth the overhead. And some
otherwise-bona-fide MTAs won't co-operate, either.

> Spamhaus Blacklist


False positives are pretty-much guaranteed, if you don't confirm
that with other resources.

What I would add, though, is that we've had rather good results from
rejecting if the offering MTA is not only in one of the technical
blacklists, such as DSBL and one or two others, and is thus known to
be capable of being exploited, but is also blacklisted in Spamcop, i.e.
has been observed actually relaying spam. That catches quite a few
which oozed past the more-conservative blacklists on which we reject
outright. And the cross-correlation avoids the false positives that
one gets by rejecting on a spamcop entry etc. alone.

> No IP address in HELO


You'd better not do that to your outbound clients though - Macs seem
to have rediscovered this option, that we thought had practically died
out.

> No pretending they are one of my domains in HELO


That's a "kill on sight", for sure.

> I nuke all viruses


I take it you mean "all known viruses". Unfortunately we still get an
irritating amount of shrapnel from virus attacks, with insufficient
virus signature to actually recognise it. TimJ has a useful resource
for that kind of stuff, for which we can all be grateful...

> and windows executable attachments.


If -only- we could be sure which attachments Windoze in its wisdom is
going to deem to be executable, in one or other of its multifarious
ways. RFC2616 at least shows how to do it right for HTTP, and in
effect mandates rejecting any object whose content proves to be
incompatible with its MIME type. So MS go and trample all over that
mandate, and the results are, well, "as we see them".

> Then - I use Spam Assassin for the rest of it. But - the ACLs get
> rid of more spam than Spam Assassin does.


Same here. Only a relatively small proportion of spams get as far as
being spamassassin-rated. Because they got rejected by one of the
earlier, low-fat, rules.

all the best
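
The cross-correlation rule described in the message above, as an added example that is not part of the original post: reject outright on a conservative list, otherwise reject only when the connecting host is in a "technical" list and also in an "observed relaying spam" list. All zone names, the sample listings and the function names are constructed placeholders; the addresses are documentation-range IPs.

```python
import ipaddress
import socket

# Hypothetical zone names (assumptions, not from the post); substitute the lists you use.
OUTRIGHT = ["conservative.dnsbl.example"]                       # reject on one hit
TECHNICAL = ["openrelay.dnsbl.example", "proxy.dnsbl.example"]  # host is exploitable
OBSERVED = ["observed.dnsbl.example"]                           # host was seen relaying spam

# Constructed sample listings so the policy can be exercised offline.
CONSTRUCTED_LISTINGS = {
    "10.2.0.192.openrelay.dnsbl.example",
    "10.2.0.192.observed.dnsbl.example",
    "20.2.0.192.observed.dnsbl.example",
    "30.2.0.192.proxy.dnsbl.example",
    "40.2.0.192.conservative.dnsbl.example",
}

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets prepended to the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_lookup(name):
    """Live resolver: listed if the name has an A record. Fails open on DNS errors."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def sample_lookup(name):
    return name in CONSTRUCTED_LISTINGS

def listed_in(ip, zones, lookup):
    return [z for z in zones if lookup(dnsbl_name(ip, z))]

def decide(ip, lookup=system_lookup):
    """Return (verdict, zones that listed the host)."""
    hits = listed_in(ip, OUTRIGHT, lookup)
    if hits:
        return ("reject", hits)
    tech = listed_in(ip, TECHNICAL, lookup)
    seen = listed_in(ip, OBSERVED, lookup)
    if tech and seen:  # both kinds of evidence must agree
        return ("reject", tech + seen)
    return ("accept", tech + seen)  # a single-category hit alone is not enough

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, decide(ip, sample_lookup))
```

The zones returned with an "accept" verdict are the single-category hits, which can be logged or fed into later scoring instead of being discarded.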