Re: [exim] Please help me get more spam!

Author: Dave Pooser
Date:  
To: exim users
Subject: Re: [exim] Please help me get more spam!
> The world of mailadmins seems to be dividing on a sharp line:
>
> - Those who take a perverse delight in how much spam they can take on-board,
> scrutinize, score, tag accurately, add headers to, divert to quarantine, bask
> in the statistics of it all.
>
> IOW - "play with their food".


What can I say? I learned from my cats. :^)

> - Those who cannot be bothered to muck about with such garbage, and simply
> block it with near-zero resource load on the grounds that an *extremely high*
> percentage of it emanates from senders that *must* try to hide for as long as
> possible, ergo do NOT comply with DNS or smtp RFC's.


The problem with a simplistic blocking scheme is always false positives.
When you deal with large numbers of small-to-tiny businesses, you're going
to have legitimate mail with bad rDNS; when you deal with large numbers of
poorly-administered Exchange servers you're going to receive legitimate mail
that's not RFC-compliant. That's why SpamAssassin has become such a success;
it lets you make a decision based on more complete information. It gets
"nuance."

Sure, I could weed out a lot of bad email by more aggressive blacklisting,
by rejecting based on RDNS and poorly formed HELOs and then manually
whitelisting exceptions as they come up. But that's hassle for my customers
and more work for me. I run a small corporate mail server; I have cycles to
burn. I'll let the computer do more work. A SpamAssassin-based reject after
DATA takes more processing power than a DNS-based reject after RCPT TO, but
as long as the message gets rejected it isn't wasting my time or my users'
time. (Unlike my previous MTA which had already accepted a message by the
time SA saw it, which led to my earlier quarantine issues and the like.)

> Lack of *any* DNS entry, or use of a known-dynamic IP *cannot* be a 'false'
> positive - only a nuisance to the occasional user who feels they *must*
> communicate with the fool - hopefully ignorant, not malicious - who is doing
> that.


The "occasional user" may be my boss; the "fool" may be a client who
generates $500k/yr in business. I'm not out to punish incompetent mail
admins, I'm out to receive ham and block spam.

> I am supremely disinterested in running SA any more than absolutely necessary,
> i.e. - on the roughly 10-12% of offered traffic that has passed all simpler
> tests and *seems to be* legitimate.


Obviously, YMMV; if I were using Exim in an ISP environment or trying to run
my mail server on a P3-800MHz with 256MB RAM I'd have a different take. But
in my environment, a huge strength of Exim is the fact that I can make the
accept/reject decision at any point in the process so I can block tons of
spam without resorting to draconian measures up front.
--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna
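
The two decision points discussed in this message, as an added Exim 4 ACL excerpt that is not taken from the post or from either poster's configuration. It assumes an Exim build with content scanning, a spamd on 127.0.0.1 port 783, and a constructed threshold of 8.0 points; routers and transports are omitted.

```exim
# Added illustration, not the poster's configuration.
# Assumptions: content-scanning build, spamd on 127.0.0.1:783,
# threshold of 8.0 points, minimal local_domains / relay_from_hosts lists.

domainlist local_domains    = @
hostlist   relay_from_hosts = 127.0.0.1

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
spamd_address = 127.0.0.1 783

begin acl

acl_check_rcpt:
  # Locally submitted mail (no remote host) and trusted relays skip the checks.
  accept  hosts = :
  accept  hosts = +relay_from_hosts

  require message = relay not permitted
          domains = +local_domains

  # Strict variant (reject after RCPT TO on bad reverse DNS), left disabled:
  #   deny  message = reverse DNS lookup failed
  #         !verify = reverse_host_lookup

  # Lenient variant: record the failure in a header and keep going, so the
  # decision is made later with the full message available.
  warn    !verify = reverse_host_lookup
          add_header = X-rDNS-Check: failed for $sender_host_address

  accept

acl_check_data:
  # Reject after DATA but before the message is accepted: the sending server
  # gets a 5xx reply and nothing lands in a quarantine.
  # $spam_score_int is the SpamAssassin score multiplied by 10, so 80 = 8.0.
  deny    message = Rejected as spam (score $spam_score)
          spam = nobody:true
          condition = ${if >{$spam_score_int}{80}{1}{0}}

  accept
```

Swapping the `warn` for the commented `deny` moves the decision from after DATA to after RCPT TO, which is the trade-off the two posters are arguing about.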