Re: [exim] Anti SPAM Exim configuration

Author: Marc Perkel
Date:  
To: Exim users list
Subject: Re: [exim] Anti SPAM Exim configuration


Alan J. Flavell wrote:

>On Tue, 14 Dec 2004, Marc Perkel wrote:
>
>
>
>>I manage to filter nearly 100% of spam.
>>
>>
>
>And what rate of false positives?
>
>

Almost none

I have different grades of spam. I deliver low grade spam to server side
IMAP folders. Thus the user still gets their false positives. I also
have feedback folders for the bayesian filter and personal white lists
and black lists.

>
>
>>Sender Callback Verification
>>
>>
>
>Selectively, I hope. "Verifying" a local part with MTAs that say
>"fine" to any old rubbish, just isn't worth the overhead. And some
>otherwise-bona-fide MTAs won't co-operate, either.
>
>

It's my best filter. As long as they respond to mail from:<> or are
listed in rfc-ignorant.org. If I get a complaint - I list them in
rfc-ignorant.

>
>
>>Spamhaus Blacklist
>>
>>
>
>False positives are pretty-much guaranteed, if you don't confirm
>that with other resources.
>
>What I would add, though, is that we've had rather good results from
>rejecting if the offering MTA is not only in one of the technical
>blacklists, such as DSBL and one or two others, and is thus known to
>be capable of being exploited, but is also blacklisted in Spamcop, i.e.
>has been observed actually relaying spam. That catches quite a few
>which oozed past the more-conservative blacklists on which we reject
>outright. And the cross-correlation avoids the false positives that
>one gets by rejecting on a spamcop entry etc. alone.
>
>
>

spamhaus has been good to me. No complaints.

>>No IP address in HELO
>>
>>
>
>You'd better not do that to your outbound clients though - Macs seem
>to have rediscovered this option, that we thought had practically died
>out.
>
>
>

I'm not getting any complaints about this.

>>No pretending they are one of my domains in HELO
>>
>>
>
>That's a "kill on sight", for sure.
>
>

Yep - and it catches a LOT of spam.

>
>
>>I nuke all viruses
>>
>>
>
>I take it you mean "all known viruses". Unfortunately we still get an
>irritating amount of shrapnel from virus attacks, with insufficient
>virus signature to actually recognise it. TimJ has a useful resource
>for that kind of stuff, for which we can all be grateful...
>
>
>

Right - all known ZIP viruses.

>>and windows executable attachments.
>>
>>
>
>If -only- we could be sure which attachments Windoze in its wisdom is
>going to deem to be executable, in one or other of its multifarious
>ways. RFC2616 at least shows how to do it right for HTTP, and in
>effect mandates rejecting any object whose content proves to be
>incompatible with its MIME type. So MS go and trample all over that
>mandate, and the results are, well, "as we see them".
>
>

I nuke all windows executables period. The risk of virus exposure
outweighs the rest. It protects users from new viruses.

>
>
>>Then - I use Spam Assassin for the rest of it. But - the ACLs get
>>rid of more spam than Spam Assassin does.
>>
>>
>
>Same here. Only a relatively small proportion of spams get as far as
>being spamassassin-rated. Because they got rejected by one of the
>earlier, low-fat, rules.
>
>all the best
>
>
>
>
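
The cheap connection-time checks discussed in this message (IP address in HELO, HELO claiming a local domain, outright blacklist rejection, and rejecting only when a technical blacklist and Spamcop agree), sketched as an added example that is not part of the original post and is not Exim configuration. The DNS zone names, `example.org`, and all function names are assumptions; DNS results are passed in as a set so the code runs offline, and `dnsbl_name` handles IPv4 only.

```python
import ipaddress

# Assumed DNS zones; the thread names the lists, not their zones.
REJECT_OUTRIGHT = {"sbl.spamhaus.org"}
TECHNICAL = {"list.dsbl.org"}    # host is capable of being exploited
OBSERVED = {"bl.spamcop.net"}    # host was observed relaying spam
LOCAL_DOMAINS = {"example.org"}  # hypothetical local domain


def dnsbl_name(ip, zone):
    """DNSBL query name for an IPv4 address: reversed octets, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def helo_is_ip(helo):
    """True for a bare address or a literal like [192.0.2.1] / [IPv6:...]."""
    text = helo.strip("[]")
    if text.lower().startswith("ipv6:"):
        text = text[5:]
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check(ip, helo, listed, trusted_client=False):
    """Return (action, reason). `listed` holds the DNSBL names that resolve."""
    def hit(zones):
        return any(dnsbl_name(ip, z) in listed for z in zones)
    # HELO checks are skipped for our own outbound clients.
    if not trusted_client:
        if helo_is_ip(helo):
            return "reject", "IP address in HELO"
        if helo.lower().rstrip(".") in LOCAL_DOMAINS:
            return "reject", "HELO claims a local domain"
    if hit(REJECT_OUTRIGHT):
        return "reject", "listed in outright-reject blacklist"
    # Cross-correlation: neither list alone is enough to reject.
    if hit(TECHNICAL) and hit(OBSERVED):
        return "reject", "technical and observed-spam blacklists agree"
    return "accept", "passed on to content scanning"


if __name__ == "__main__":
    # Constructed sample: the host is listed in Spamcop only.
    listed = {dnsbl_name("192.0.2.10", "bl.spamcop.net")}
    for helo in ("[192.0.2.10]", "example.org", "mail.example.net"):
        print(helo, check("192.0.2.10", helo, listed))
```
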