Feature Requests
John Rudd
jrudd at UCSC.EDU
Fri Aug 1 18:03:52 IST 2003

On Friday, Aug 1, 2003, at 08:22 US/Pacific, Jan-Peter Koopmann wrote:
>> 1) new action type: Ham Actions or Not Spam Actions
>>
>> [snip]
>
> You can do this already with the "Convert HTML To Text" option.

You can do that one exact action with that option. You can't do all of
the "Actions" options.

>> 2) perhaps also a "Low Ham Actions" or "Low Not Spam Actions"
>> and "Low Ham Score"/"Low Not Spam Score"
>> [snip]
> What good would that do? Just curious.

What good is the High Spam category? It gives you more ranges of
options, as the example I gave indicates.

>> 3) "Actions Log File" and action "log"
>>
>> [snip]
>
> Have you had a look at Mailwatch for MailScanner? It will put this kind
> of information in a MySQL database.

I don't want nor use SQL for this. I want (and via procmail's logs,
already use) log files.

>> auto-* will submit the message to sa-learn so that its
>> addresses will be added to the auto-whitelist with either a -100 score
>> (auto-whitelisting) or +100 score (auto-blacklisting)
>
> Why not use the auto-thresholds in SpamAssassin itself?

They don't set the scores to -100 and/or +100. They average in the
score of the current message. Forcing the sender of a message to a
+100 doesn't just ratchet up their score by a little bit, it sets it
high enough that they'll probably never come back down unless I take
direct action. It's almost, but not exactly, like having an automatic
way to set and manage the non-automatic whitelist/blacklist facilities
in SpamAssassin (it's not exactly the same, but it's close enough that
it works).

>> Then I might process the action log nightly/weekly/monthly to
>> see if there's a common sender or relay that is sending me
>> the most spam, and create an entry in my sendmail access db
>> if they exceed a certain threshold.
>
> This would be the first time in months that spam is coming through a
> common sender or relay. Common sender is close to impossible. Only some
> viruses (big at boss.com) are dumb enough to do this. And common relay
> would most automatically mean that this relay is an open relay and it
> will probably be put into the RBL lists. So why bother?

Why bother? Because, IME, you're completely wrong. Most of the spam I
get does tend to come from common senders. Monthly would probably be
too long, I'll give you that, but daily and weekly patterns do tend to
hold up fairly well. For example, lately I've been getting a ton of
spam from buy.com, coming straight from buy.com. Adding them to my
access db cut out a good chunk of spam traffic for my site.

Also, I don't tend to use DNSBLs. They're slow, I have yet to find one
whose accuracy wasn't more of a liability than a feature, and I prefer
to keep those sorts of controls local instead of remote.
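
The periodic action-log tally discussed in this message, sketched as an added example (not part of the original post and not MailScanner code). The log line format, `SPAM_ACTIONS`, and the `never_block` parameter are assumptions made for illustration, since the "Actions Log File" is only a feature request here; the output uses sendmail's tagged access-map keys (`From:`, `Connect:`).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a hypothetical action-log format.
SAMPLE_LOG = """\
2003-08-01T03:10:02 action=delete score=14.2 from=<deals@buy.com> relay=192.0.2.10
2003-08-01T03:11:40 action=delete score=11.0 from=<offers@buy.com> relay=192.0.2.10
2003-08-01T04:02:13 action=deliver score=0.3 from=<friend@example.org> relay=198.51.100.7
2003-08-01T05:45:59 action=delete score=9.8 from=<promo@BUY.COM> relay=192.0.2.11
2003-08-01T06:00:00 action=delete score=8.1 from=<x@evil.test REJECT> relay=203.0.113.5
2003-08-01T06:30:00 action=delete score=7.7 from=<a@one-off.test> relay=203.0.113.5
""".splitlines()

LINE_RE = re.compile(r"action=(\S+) score=\S+ from=<([^>]*)> relay=(\S+)")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
SPAM_ACTIONS = {"delete"}  # assumption: which logged actions count as spam

def tally(lines):
    """Count spam-actioned messages per sender domain and per relay IP."""
    senders, relays = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group(1) not in SPAM_ACTIONS:
            continue
        domain = m.group(2).rpartition("@")[2].lower()
        # Sender is attacker-controlled: only well-formed domains become keys,
        # so a crafted address cannot smuggle extra fields into the access map.
        if DOMAIN_RE.match(domain):
            senders[domain] += 1
        try:
            relays[str(ipaddress.ip_address(m.group(3)))] += 1
        except ValueError:
            pass  # malformed relay field: skip rather than write it out
    return senders, relays

def access_entries(senders, relays, threshold, never_block=()):
    """Return sendmail access-map lines for keys seen at least `threshold` times."""
    out = [f"From:{d}\tREJECT" for d, n in sorted(senders.items())
           if n >= threshold and d not in never_block]
    out += [f"Connect:{ip}\tREJECT" for ip, n in sorted(relays.items())
            if n >= threshold]
    return out

if __name__ == "__main__":
    print("\n".join(access_entries(*tally(SAMPLE_LOG), threshold=2)))
```

The generated lines are meant to be reviewed before being appended to the access file and rebuilt with `makemap`, since envelope senders can be forged.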