On Fri, Mar 19, 2004 at 12:46:08AM -0900, Scott Johnson wrote:
> This is just getting crazy. I used to get upwards of 100 spams a day.
> I installed a "spam filter" box in between the Internet and my internal
> qmail box. I went with a Postfix/Amavisd-new/SpamAssassin/ClamAV
> solution, which was working great - cut my 100 per day down to a much
> more manageable 5 or so. The spam filter box doesn't keep any mail
> locally - it just receives, scrubs the messages, and forwards them on.
> This was 4 months ago. Since then, my spam has been slowly creeping
> upwards, and in the past 2 weeks, has ballooned back up to 80 spams PER
> DAY! Searching Google I get a lot of debate about how spammers are
> constructing their messages to get around SA's rule-based filters. So,
> my question - what's better than SA at the moment? Anyone have any
> suggestions other than the US Postal Service? My SA rules are current,
> and my threshold is set pretty low (tagged at 2.0 hits, deleted at
> 4.0). I stay on top of /. pretty frequently and last week they had a
> story about "DSPAM" [ http://www.nuclearelephant.com/projects/dspam/ ]
> which seems pretty interesting, however from my limited Linux/Postfix
> experience seems hard to install/configure. I REALLY like the rest of
> my Postfix/Amavisd-new/ClamAV setup - ClamAV is AWESOME. It
> auto-updates and does an EXCELLENT job at stopping all the latest
> worms, hours after they start spreading en masse. Ideas? I'm getting
> depressed at all this freaking junk.......
Mine got out of control as well. Using blacklists has helped greatly.
For my Exim 4.30-6 setup, I use these DNS black lists:
  dnslists = list.dsbl.org:\
             relays.ordb.org:\
             sbl-xbl.spamhaus.org:\
             bl.spamcop.net
Also, I reject these blocks at SMTP time with my ACLs:
  69.6.0.0/18
  200.0.0.0/8
  81.199.0.0/16
  69.6.64.0/20
  24.232.0.0/16
  212.183.224.0/19
I check my logs every day and have not blocked anything important.
Some CNET newsletters are in the spamcop.net database.
And I also do this in the DATA phase of the SMTP transaction:
  deny message = $found_extension files are not accepted here
       demime = bat:btm:cmd:com:cpl:dll:exe:lnk:msi:pif:prf:reg:scr:vbs:url:zip
Now I don't get any junk. Kind of boring now. Heh.
Received on Mon Mar 22 17:20:05 2004
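
Added example, not part of the original message and not Exim's own code: a Python sketch of the connect-time decision the reply describes, using the DNSBL zones and CIDR blocks quoted there. The check order, the 127.0.0.0/8 answer test (the usual DNSBL convention), the function names and the resolver data are assumptions made for illustration.

```python
import ipaddress
import socket

# Zones and CIDR blocks copied from the message above.
DNSBL_ZONES = ["list.dsbl.org", "relays.ordb.org",
               "sbl-xbl.spamhaus.org", "bl.spamcop.net"]
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "69.6.0.0/18", "200.0.0.0/8", "81.199.0.0/16",
    "69.6.64.0/20", "24.232.0.0/16", "212.183.224.0/19")]
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Return the A record for name, or None when the lookup fails."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def check_host(ip, resolver=system_resolver):
    """Return (verdict, reason) for a connecting IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    for net in BLOCKED_NETS:  # static blocks first (assumed order)
        if addr in net:
            return ("reject", f"static block {net}")
    for zone in DNSBL_ZONES:
        answer = resolver(dnsbl_query_name(ip, zone))
        # Only an A record inside 127.0.0.0/8 counts as a listing here, so a
        # dead zone that answers every query with a real address is ignored.
        if answer and ipaddress.IPv4Address(answer) in LISTED_RANGE:
            return ("reject", f"listed in {zone} ({answer})")
    return ("accept", "not listed")


# Constructed resolver data for an offline run (documentation address ranges).
FAKE_ZONE_DATA = {
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",   # constructed listing
    "20.2.0.192.list.dsbl.org": "203.0.113.7",  # constructed wildcard answer
}

if __name__ == "__main__":
    for ip in ("69.6.10.1", "192.0.2.10", "192.0.2.20", "198.51.100.5"):
        print(ip, check_host(ip, FAKE_ZONE_DATA.get))
```

Calling `check_host(ip)` without a resolver argument performs live DNS lookups against the zones named in the message.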