Re: [exim] Excessive amount of SPAM

Author: Walt Reed
Date:  
To: exim-users
Subject: Re: [exim] Excessive amount of SPAM
On Thu, May 25, 2006 at 08:26:04AM -0400, Marc Sherman said:
> Walt Reed wrote:
> > #If you are using a freemail address, it's got to come from freemail servers
> >
> >   defer    ! hosts  = /etc/exim4/whitelist
> >           message = Forged Yahoo mail.
> >           log_message = Forged Yahoo mail.
> >           senders = *@yahoo.com
> >           condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
>
> Defer seems dangerous for that, to me. It seems to be a test with a high
> false-positive rate -- I know a lot of people who use free email
> addresses for personal mail, but have MUAs set up to send mail from that
> address through their work or ISP SMTP servers. By deferring those
> messages, the sender won't find out about the problem for (usually) 5
> days, and your server will keep getting hit by retries.
Actually, that rule was in testing and should have been converted to a
drop or deny (I just forgot.) I frequently test rules with defer before
converting them to a drop so I can fix issues that may arise without
losing mail.

As for the other issue of people using freemail but other MTAs, well,
that's the breaks. Yahoo and hotmail are forged SO OFTEN that it makes
sense to have this restriction. If you send from outside of yahoo's
servers, the DomainKeys signature is going to be missing as well. It
would be valid to also use spamassassin to score very high any yahoo
mail that is missing a DK signature. My example is one way of handling
it. There are many others which may be better. I would welcome any
alternatives that would result in a lower FP and still be effective.

> >   deny   message = This message looks like spam - see http://mydomain.com/block/
> >        log_message = Big spam score $spam_score - $spam_report
> >        spam = nobody:true
> >        condition = ${if >{$spam_score_int}{80}{1}{0}}
>
> 8.0 is pretty aggressive for blocking, especially if you're using SARE
> rules (which I've found tends to inflate scores). I'm denying at 12.0,
> and quarantining between 4.0 and 12.0.
Yeah, I'm not using SARE. I agree it is pretty aggressive, but works
well in my situation with my rule set.

Please note that I posted my rules as an example, and they work for MY
situation and may not work for others. I'm ALWAYS interested in seeing
other people's rule sets to learn from them, even if I don't implement
them.

Cheers!
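The following is an added example and not code from the thread or from Exim: a small Python model of the two ACL rules quoted above, so a rule set can be dry-run against sample envelopes (including the ISP-relay case Marc raises) before it is switched from `defer` to `deny` or `drop`. The whitelist contents, host names, addresses and scores are constructed; Exim variables are passed in as a plain dict; and the host-name check is anchored to a label boundary rather than the thread's bare `yahoo.com$`, so that a look-alike host name does not pass (that tightening is this example's assumption, not the original rule).

```python
import fnmatch
import re

# Constructed stand-in for /etc/exim4/whitelist: hosts allowed to relay
# freemail addresses. 198.51.100.10 is an RFC 5737 documentation address.
WHITELIST = {"198.51.100.10"}


def freemail_rule(env, action="defer"):
    """Rule 1: *@yahoo.com must arrive from a host whose reverse DNS name is in
    yahoo.com, unless the sending host is whitelisted. Returns the ACL verb to
    apply ('defer' while testing, 'deny'/'drop' once trusted) or None."""
    if env["sender_host_address"] in WHITELIST:            # ! hosts = whitelist
        return None
    if not fnmatch.fnmatch(env["sender_address"].lower(), "*@yahoo.com"):
        return None                                         # senders = *@yahoo.com
    # The thread's condition uses the regex yahoo.com$; anchored here to a
    # label boundary (our assumption) so that e.g. notyahoo.com does not pass.
    if re.search(r"(^|\.)yahoo\.com$", env.get("sender_host_name", "").lower()):
        return None
    return action


def spam_rule(env, threshold_int=80):
    """Rule 2: deny when $spam_score_int (SpamAssassin score * 10, so 80 is 8.0)
    is above the threshold."""
    return "deny" if env["spam_score_int"] > threshold_int else None


def evaluate(env, freemail_action="defer", threshold_int=80):
    """Walk the rules in ACL order; the first verb that fires wins, else accept."""
    verb = freemail_rule(env, freemail_action) or spam_rule(env, threshold_int)
    return verb or "accept"


# Constructed sample envelopes, one per situation discussed in the thread.
SAMPLES = {
    "genuine": {"sender_address": "alice@yahoo.com",
                "sender_host_address": "203.0.113.5",
                "sender_host_name": "smtp101.mail.yahoo.com", "spam_score_int": 12},
    "forged": {"sender_address": "alice@yahoo.com",
               "sender_host_address": "203.0.113.77",
               "sender_host_name": "dsl-77.example.net", "spam_score_int": 45},
    "lookalike": {"sender_address": "alice@yahoo.com",
                  "sender_host_address": "203.0.113.78",
                  "sender_host_name": "notyahoo.com", "spam_score_int": 40},
    # Marc's false-positive case: a real yahoo.com user sending via the ISP relay.
    "via_isp_unlisted": {"sender_address": "carol@yahoo.com",
                         "sender_host_address": "198.51.100.11",
                         "sender_host_name": "relay.isp.example", "spam_score_int": 3},
    "via_isp_whitelisted": {"sender_address": "carol@yahoo.com",
                            "sender_host_address": "198.51.100.10",
                            "sender_host_name": "relay.isp.example", "spam_score_int": 3},
    "high_score": {"sender_address": "bob@example.org",
                   "sender_host_address": "203.0.113.90",
                   "sender_host_name": "mail.example.org", "spam_score_int": 115},
}


def dry_run(freemail_action="defer", threshold_int=80):
    """Apply the rule set to every sample and report the verb chosen per sample."""
    return {name: evaluate(env, freemail_action, threshold_int)
            for name, env in SAMPLES.items()}


if __name__ == "__main__":
    for stage in ("defer", "deny"):
        print(stage, dry_run(stage))
    print("threshold 12.0", dry_run(threshold_int=120))
```

Running `dry_run()` with the thread's settings shows the trade-off directly: the forged and look-alike hosts are caught, but so is the non-whitelisted ISP relay, which is exactly the case that needs a whitelist entry (or a softer action such as scoring) before the rule is promoted from `defer` to `deny`; raising `threshold_int` to 120 reproduces Marc's 12.0 cut-off for the score rule.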