Re: [exim] Anti SPAM Exim configuration

Pàgina inicial
Delete this message
Reply to this message
Autor: Marc Perkel
Data:  
A: Exim users list
Assumpte: Re: [exim] Anti SPAM Exim configuration


Alan J. Flavell wrote:

>On Tue, 14 Dec 2004, Marc Perkel wrote:
>
>
>
>>I manage to filter nearly 100% of spam.
>>
>>
>
>And what rate of false positives?
>
>

Almost none

I have different grades of spam. I deliver low grade spam to server side
IMAP folders. Thus the user still gets their false positives. I also
have feedback folders for the bayesian filter and personal white lists
and black lists.

>
>
>>Sender Callback Verification
>>
>>
>
>Selectively, I hope. "Verifying" a local part with MTAs that say
>"fine" to any old rubbish, just isn't worth the overhead. And some
>otherwise-bona-fide MTAs won't co-operate, either.
>
>

Its my best filter. As long as they respond to mail from:<> or are
listed in rfc-ignorant.org. If I get a complaint - I list them in
rfc-ignorant

>
>
>>Spamhaus Blacklist
>>
>>
>
>False positives are pretty-much guaranteed, if you don't confirm
>that with other resources.
>
>What I would add, though, is that we've had rather good results from
>rejecting if the offering MTA is not only in one of the technical
>blacklists, such as DSBL and one or two others, and is thus known to
>be capable of being expoited, but is also blacklisted in Spamcop, i.e
>has been observed actually relaying spam. That catches quite a few
>which oozed past the more-conservative blacklists on which we reject
>outright. And the cross-correlation avoids the false positives that
>one gets by rejecting on a spamcop entry etc. alone.
>
>
>

spamhaus has been good to me. No complaints.

>>No IP address in HELO
>>
>>
>
>You'd better not do that to your outbound clients though - Macs seem
>to have rediscovered this option, that we thought had practically died
>out.
>
>
>

I'm not getting any complains about this.

>>No pretending they are one of my domains in HELO
>>
>>
>
>That's a "kill on sight", for sure.
>
>

Yep - and it catches a LOT of spam.

>
>
>>I nuke all viruses
>>
>>
>
>I take it you mean "all known viruses". Unfortunately we still get an
>irritating amount of shrapnel from virus attacks, with insufficient
>virus signature to actually recognise it. TimJ has a useful resource
>for that kind of stuff, for which we can all be grateful...
>
>
>

Right - all known ZIP viruses.

>>and windows executable attachments.
>>
>>
>
>If -only- we could be sure which attachments Windoze in its wisdom is
>going to deem to be executable, in one or other of its multifarious
>ways. RFC2616 at least shows how to do it right for HTTP, and in
>effect mandates rejecting any object whose content proves to
>incompatible with its MIME type. So MS go and trample all over that
>mandate, and the results are, well, "as we see them".
>
>

I nuke all windows executables period. The risk of virus exposure
outweighs the rest. It protects used from new viruses.

>
>
>>Then - I use Spam Assassin for the rest of it. But - the ACLs get
>>rid of more spam that Spam Assassin does.
>>
>>
>
>Same here. Only a relatively small proportion of spams get as far as
>being spamassassin-rated. Because they got rejected by one of the
>earlier, low-fat, rules.
>
>all the best
>
>
>
>