Regex question

Rick Cooper rcooper at DWFORD.COM
Tue Jun 28 15:38:38 IST 2005


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Craig Daters
> Sent: Tuesday, June 28, 2005 8:41 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Regex question
>
> On Jun 28, 2005, at 4:59 AM, Rick Cooper wrote:
>
> >> -----Original Message-----
> >> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> >> Behalf Of Craig Daters
> >> Sent: Monday, June 27, 2005 5:16 PM
> >> To: MAILSCANNER at JISCMAIL.AC.UK
> >> Subject: Re: Regex question
> >>
> >> I am using a dynamic IP block list with SpamAssassin, but the Bayesian
> >> probability on these messages is so low that a negative score is being
> >> attached. When the score for the dynamic list is applied, it is below
> >> my threshold still, so I am trying to intercept these messages before
> >> they make it to MailScanner. Or maybe I can isolate these specifically
> >> and up the score for these specifically for anything that matches these
> >> expressions?
> >
> > Look at the rules that are already getting hits and increase the score,
> > for instance if they are hitting RCVD_IN_NJABL_DUL and/or
> > RCVD_IN_SORBS_DUL
> >
> > add something like this to your spamassasin.prefs.conf (or local.cf) file
> >
> > score RCVD_IN_NJABL_DUL 20.0
> > score RCVD_IN_SORBS_DUL 20.0
> >
> > or place the following in your local.cf (Custom rule)
> >
> > header   VERIZON_DU Received =~ /pool.*?\.verizon\.net/i
> > describe VERIZON_DU HEADER: Verizon Dialup Pool
> > score    VERIZON_DU 20.0
> >
> > Of course I make the assumption that a score of 20.0 hits high enough to
> > prevent delivery, adjust as required.
> >
> > You should also look at how you are feeding your Bayesian database. You
> > should have some facility to unlearn and re-learn these messages if they
> > are scoring so low.
>
> I am using MailWatch for MailScanner so learning and unlearning of
> messages is not a problem. I have been feeding all of these to the
> Bayesian database to bring their scores up to an acceptable level, and I
> will certainly add a rule as well for SpamAssassin. I would prefer to
> stop these at the MTA level entirely and save the CPU power this would
> otherwise generate, but this is a start.
>
> Thank you everyone for your help and input.
>

MTA is where all of my RBL checking takes place. You don't say what the MTA
is but I would think about any can accommodate RBL checks these days. I
personally believe that doing as many checks as possible at SMTP time is
best. Basic checks I do are:


Helo checks:    helo with my hostname, ip literal or a host name from my
                domain - drop and firewall
                helo with bare IP - drop
                helo without a FQDN - drop

Rcpt to checks: Invalid user - drop (of course)
                non-authenticated local user outside the network - drop
                fails sender callout verification - drop
                in one of several RBLs (although I don't check DUL) - drop

Data checks:    basic bad mime type (.com|.exe|.pif|.bat) - drop
                Virus - drop and firewall (exim/exiscan BD, ClamAV, f-prot)
                Spam score above 15 - drop
                SPF fails - drop

There are, of course, more dealing with relaying and so forth but for the
most part I have relatively few things that we definitely do not want pass
through to MS to deal with, and I haven't generated a bounce in so long I
couldn't tell you the last time. Drop the stuff you *know* shouldn't arrive
and let MS handle filename, type, archives, bad content, the marginal spam,
etc.

Rick
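
The HELO checks listed in the message above, written out as MTA-independent decision logic (an added example, not part of the original post and not Rick's own configuration). The host name, domain and address are placeholder values, and reading "ip literal" as the server's own address in brackets is an assumption.

```python
import ipaddress
import re

# Placeholder local identity (assumed values, not taken from the post).
MY_HOSTNAME = "mx.example.org"
MY_DOMAIN = "example.org"
MY_IPS = {ipaddress.ip_address("192.0.2.25")}

_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_helo(helo):
    """Map a HELO/EHLO argument to (action, reason) using the post's three rules.

    "drop+firewall" means reject and also block the client IP at the firewall.
    """
    name = helo.strip().rstrip(".").lower()

    # Address literal, e.g. [192.0.2.25] or [IPv6:2001:db8::1].
    if name.startswith("[") and name.endswith("]"):
        inner = name[1:-1]
        ip = _as_ip(inner[5:] if inner.startswith("ipv6:") else inner)
        if ip in MY_IPS:
            return ("drop+firewall", "HELO is our own IP literal")
        if ip is not None:
            return ("accept", "address literal of another host")
        # A malformed literal falls through and fails the FQDN test below.

    if _as_ip(name) is not None:
        return ("drop", "bare IP address")

    if name in (MY_HOSTNAME, MY_DOMAIN) or name.endswith("." + MY_DOMAIN):
        return ("drop+firewall", "HELO claims our host name or domain")

    labels = name.split(".")
    if (len(labels) < 2 or labels[-1].isdigit()
            or not all(_LABEL.fullmatch(label) for label in labels)):
        return ("drop", "not a FQDN")

    return ("accept", "syntactically valid foreign FQDN")
```

The own-name test runs before the FQDN test so that a forged HELO using the local host name gets the stricter action rather than being accepted as a well-formed name.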

