> Why does SpamCop release so much spam to me?, How to improve SpamCops "catch" rate?
DavidT
post Mar 29 2005, 04:27 PM
Post #21


Been There

Group: Memberp
Posts: 1897
Joined: 28-January 04
Member No.: 63



QUOTE(shull2805[at]spamcop.net @ Mar 29 2005, 01:57 PM)
Heck, yesterday, the spammers even managed to get 66 identical emails through without SA complaining.

That sounds like fallout from using a catchall address. If you search these forums a bit, I think you'll find multiple accounts from those of us who have gone through the process of de-activation of catchall functions. However, if you're dead set on keeping the catchall, you'll certainly have to take more drastic steps, such as the extremely low SA threshold.

DT
shull2805@spamcop.net
post Mar 29 2005, 10:25 PM
Post #22


Member
**

Group: Members
Posts: 33
Joined: 13-January 05
Member No.: 3401



QUOTE(DavidT @ Mar 29 2005, 05:27 PM)
That sounds like fallout from using a catchall address. If you search these forums a bit, I think you'll find multiple accounts from those of us who have gone through the process of de-activation of catchall functions. However, if you're dead set on keeping the catchall, you'll certainly have to take more drastic steps, such as the extremely low SA threshold.

DT
*



Wait a minute! You seem to imply that it's OK for SpamCop to pass spam on to my Inbox because I have a catch-all account. You have indicated that you are willing to tolerate a low number of false negatives. I would be as happy as you are if I had the same number of false negatives that you do. On a percentage basis, we probably still get approximately the same number of false negatives. But I get orders of magnitude more spam than you do, so the absolute number of false negatives hitting my Inbox is much higher than what you get. I acknowledge the fact that using a catch-all is the main reason that I get more spam than you. That's not the point.

My point is that regardless of whether I use a catch-all, or even if I openly post my email address(es) everywhere for spammers to harvest them, SpamCop is not doing a thorough job of filtering out the spam. By only looking at the headers, it's ignoring a vital weapon in the war against spam.

I willingly acknowledge that SpamCop does a very good job of catching incoming spam; it's taken header-only analysis to the state-of-the-art level. Maybe a 95% catch rate is as good as it can get for programs that only analyze email headers. But, I'm getting close to 3000 emails a day. How happy would YOU be if you had 150 spams in your Inbox each day?

The spam reaching my Inbox has innocuous headers (or they wouldn't get past SpamCop). This spam has a little bit of random text, one or two URLs, and maybe an embedded .gif file. Unless SpamCop starts looking at these URLs, we might as well pack up and head home- the spammers are gonna win this one.

I already have Bayesian software running on my email client that does a better job than SpamCop at figuring out whether incoming mail is spam or not. When I get the crap that passes through SpamCop, my email client redirects it to my junk mail folder. (In case you're asking, "If he's already got software that he says does a better job than SpamCop, why is he using SpamCop?", the answer is simple. I don't want to download 3000 spam emails. I don't want to download 150, either.)

Am I being unreasonable in asking why SpamCop can't do a better job of figuring out what is spam and what isn't?
StevenUnderwood
post Mar 29 2005, 11:44 PM
Post #23


What Life?

Group: Membersph
Posts: 5141
Joined: 20-January 04
From: Whitinsville, MA USA
Member No.: 12



QUOTE
Am I being unreasonable in asking why SpamCop can't do a better job of figuring out what is spam and what isn't?


Perhaps. I get anywhere between 1-3% false negative (a couple a day, about 30 real emails, and a couple hundred spam every day). If you are receiving 3000 messages every day, your numbers are about right. There is no perfect system. You could help greatly by limiting the numbers of messages being sent to the account for filtering (i.e. turning off the catchall and only configuring the addresses you have actually used).


--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net

-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-
DavidT
post Mar 30 2005, 01:40 AM
Post #24


Been There

Group: Memberp
Posts: 1897
Joined: 28-January 04
Member No.: 63



QUOTE(shull2805[at]spamcop.net @ Mar 29 2005, 08:25 PM)
You seem to imply that it's OK for SpamCop to pass spam on to my Inbox because I have a catch-all account.

I didn't mean to. Ideally, SpamCop could be improved to the point where your needs would also be met. However, I do think that having a catch-all these days is asking for trouble.

QUOTE
By only looking at the headers, it's ignoring a vital weapon in the war against spam.


Wait a moment...IIUC, SpamAssassin *is* looking at the body of the messages. For example, here's a sample result from a message that got through to my mailbox:

X-Spam-Status: hits=3.3 tests=EXCUSE_3,FORGED_RCVD_HELO,HTML_60_70,
HTML_IMAGE_ONLY_24,HTML_MESSAGE,HTML_TITLE_EMPTY,HTML_WEB_BUGS,
MIME_BOUND_NEXTPART,URIBL_OB_SURBL version=3.0.0

Many of those codes have to do with the body, not the headers. BTW, this is a message I wanted to receive, but I don't want to bother whitelisting this sender, so my setting of 5 is appropriate for me.

Sometime last year, we had a long discussion regarding the implementation of more Bayesian methods in SpamCop's SA implementation, but now I don't remember what ever happened. I think that JT was reluctant, but when he did an upgrade to SA 3.0, I think that some sort of Bayes stuff started being applied by default...but I might be wrong.

DT
shull2805@spamcop.net
post Mar 31 2005, 07:37 AM
Post #25


Member
**

Group: Members
Posts: 33
Joined: 13-January 05
Member No.: 3401



Here is a follow-up in case anyone is interested. 2 days ago, I changed my Spam Assassin threshold from 2 to 1. Since then, I have had no spam forwarded from SpamCop to my Inbox. I gave away a new email address to an online vendor and they sent me a confirmation which was not held by SpamCop (I didn't want it to be held); it ended up in my Inbox. 1 email (a Microsoft newsletter) was held by SpamCop; I whitelisted and released it.

I'm very happy with the current status quo. I can continue to use my catch-all account, I don't have to waste time reporting spam, whitelisting false positives isn't a big deal, and everybody who spams me gets reported. Best of all, when I go on the road and retrieve my email via my cell phone, I'm not paying by the minute to download spam.

FWIW, I have 15 addresses on my whitelist. I see that a couple of them can be eliminated if I use wildcards in the address field.
Jeff G.
post Mar 31 2005, 08:22 AM
Post #26


T-shirt wearing out

Group: Membersph
Posts: 3730
Joined: 2-July 04
From: Northeast New Jersey (New York Metro Area), USA ... Please read my sig. :)
Member No.: 2041



Please note that the whitelist is processed right-to-left, with a wildcard assumed at the left end.


--------------------
Best Regards, Jeff G. (full signature)
DavidT
post Mar 31 2005, 09:53 AM
Post #27


Been There

Group: Memberp
Posts: 1897
Joined: 28-January 04
Member No.: 63



QUOTE(shull2805[at]spamcop.net @ Mar 31 2005, 05:37 AM)
2 days ago, I changed my Spam Assassin threshold from 2 to 1. Since then, I have had no spam forwarded from SpamCop to my Inbox.

Glad it's working for you, but lest anyone who stumbles upon this topic in the future consider something so drastic as to reduce your SpamAssassin threshold much past the default of 5, here are some quick statistics from my own Inbox, which I contend are *much* more typical than what's being reported here:

I currently have 765 messages in my Inbox. Of those, 505 were actually received through my SpamCop email account (and thus subjected to blacklist checks and SpamAssassin). Out of those 505, 79 items had a SpamAssassin "hits" value of over 1, and very few were from duplicate senders. Out of the 79, only 9 were represented by entries (including wildcards) on my current whitelist. That means that if I reduced my threshold to 1, I would have had to put all the rest of those senders on my whitelist, in order to make sure that their messages got through.

In fact, even having a threshold of 2, 3, or 4 would have also resulted in some false positives on this sample collection of mail, which doesn't even represent the thousands of items that I've deleted from that Inbox over the period of time that it spans. Here's a table of the ones that would have wound up in Held Mail if my SA value was only 1:

Hits=1.* - 42
Hits=2.* - 24
Hits=3.* - 7
Hits=4.* - 6

So it appears to me that the OP's situation probably represents someone who doesn't communicate with a very large or diverse collection of email sources. I would strongly caution anyone who expects to communicate with a very diverse sender base to keep your SpamAssassin setting at the default, or you'll risk having a lot of incoming messages trapped falsely. YMMV.

DT

This post has been edited by DavidT: Mar 31 2005, 09:54 AM
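The tally in the post above can be reproduced from saved mail before a threshold is changed. The following is an added example, not part of the original thread and not SpamCop or SpamAssassin code: it parses the `X-Spam-Status` format quoted earlier in the thread and counts how many messages each threshold would hold. The function names and all sample messages other than the quoted header are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

HITS_RE = re.compile(r"\bhits=(-?\d+(?:\.\d+)?)")
TESTS_RE = re.compile(r"\btests=(.*?)(?:\s+version=|$)")


def parse_spam_status(raw_message):
    """Return (hits, [rule names]) from X-Spam-Status, or None if absent."""
    value = message_from_string(raw_message).get("X-Spam-Status")
    if value is None:
        return None
    value = re.sub(r"\s+", " ", value)  # unfold continuation lines
    hits = HITS_RE.search(value)
    if hits is None:
        return None
    tests = TESTS_RE.search(value)
    names = [t.strip() for t in tests.group(1).split(",")] if tests else []
    return float(hits.group(1)), [n for n in names if n]


def held_counts(messages, thresholds=(1, 2, 3, 4, 5)):
    """For each threshold, count the messages whose score would reach it."""
    scores = [p[0] for p in map(parse_spam_status, messages) if p is not None]
    return {t: sum(score >= t for score in scores) for t in thresholds}


def rules_behind_holds(messages, threshold):
    """Tally which rules fired on the messages a threshold would hold."""
    tally = Counter()
    for parsed in map(parse_spam_status, messages):
        if parsed is not None and parsed[0] >= threshold:
            tally.update(parsed[1])
    return tally


# Constructed inbox of wanted mail. The first header is the one quoted in the
# thread (refolded with tabs); the other scores are made up for the example.
SAMPLE_INBOX = [
    "X-Spam-Status: hits=3.3 tests=EXCUSE_3,FORGED_RCVD_HELO,HTML_60_70,\n"
    "\tHTML_IMAGE_ONLY_24,HTML_MESSAGE,HTML_TITLE_EMPTY,HTML_WEB_BUGS,\n"
    "\tMIME_BOUND_NEXTPART,URIBL_OB_SURBL version=3.0.0\n"
    "Subject: newsletter\n\nbody\n",
    "X-Spam-Status: hits=0.4 tests=HTML_MESSAGE version=3.0.0\n\nbody\n",
    "X-Spam-Status: hits=1.2 tests=HTML_MESSAGE,HTML_60_70 version=3.0.0\n\nbody\n",
    "X-Spam-Status: hits=2.8 tests=FORGED_RCVD_HELO,HTML_MESSAGE version=3.0.0\n\nbody\n",
    "Subject: never scanned\n\nbody\n",  # no X-Spam-Status: skipped, not counted
]

if __name__ == "__main__":
    print(held_counts(SAMPLE_INBOX))
    print(rules_behind_holds(SAMPLE_INBOX, 2).most_common(3))
```

Run over a folder of mail you wanted to receive, each count is the number of false positives that threshold would have produced, and the rule tally shows which senders are worth whitelisting first.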
TJP
post Apr 26 2005, 05:52 PM
Post #28


Newbie
*

Group: Members
Posts: 1
Joined: 26-April 05
Member No.: 3946



I have been getting a lot of SPAM that is getting through the SPAMCOP filters also. I report them but that takes time which is why I got SPAMCOP in the first place. Anyone have any ideas on how to better the filter so I don't receive so much junk?

Thanks... tjp


--------------------
All those dead and no oil to show for it.
StevenUnderwood
post Apr 26 2005, 06:52 PM
Post #29


What Life?

Group: Membersph
Posts: 5141
Joined: 20-January 04
From: Whitinsville, MA USA
Member No.: 12



QUOTE(TJP @ Apr 26 2005, 06:52 PM)
I have been getting a lot of SPAM that is getting through the SPAMCOP filters also. I report them but that takes time which is why I got SPAMCOP in the first place. Anyone have any ideas on how to better the filter so I don't receive so much junk?
*


You really need to do this with trial and error and it all depends on the type of messages received and your pain level if legitimate messages are held.

I can tell you how mine is setup. I receive messages from a few different lists and my friends. I only receive valid email from people I don't know through request in this group. I have spam assassin set to 5 and have all of the DNS Blacklists selected. I also have a whitelist with 8 pages (x 15 addresses per page) of domains (mostly) or addresses that have been caught at one time or another. The whitelist took me about 4-6 weeks to generate the bulk of it and I can't remember the last entry I added. At this point, I could probably set the block all and have a comprehensive whitelist in about a month, but I like to have a few slip through to report fully (including websites) so I can keep track of how the reporting is working. All Held Mail gets quick reported, usually within an hour of receipt.


--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net

-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-
Wazoo
post Apr 26 2005, 07:03 PM
Post #30


What Life?

Group: Forum Admin
Posts: 12536
Joined: 22-January 04
From: Iowa
Member No.: 18



Dang, sounds like a FAQ entry type of answer here with these last responses ...

Now noting that there are already a number of links there dealing with Whitelists, blacklists, filtering ... Maybe it's time to sort them out and actually re-write yet another 'complete' (?) FAQ entry?
michaelanglo
post Apr 27 2005, 04:25 PM
Post #31


Advanced Member
***

Group: Membera
Posts: 157
Joined: 29-January 04
From: michaelanglo in Surrey, England
Member No.: 117



On the "why do so many get through" question, I note that if one spam from a source not yet in any BL gets through, so will an identical or near identical spam.

This pushes up the 'False Negative' rate.

Example, 8 near identical emails of the "Regional Bank" type with a SpamAssassin level=2.8 from the same source to the same email address arrived last week in a 1 hour time slot.
Wazoo
post Apr 27 2005, 09:09 PM
Post #32


What Life?

Group: Forum Admin
Posts: 12536
Joined: 22-January 04
From: Iowa
Member No.: 18



The typical spin on that is that you must picture spamboy/girl kicking off the day with yet another spam spew run. Once that run is in progress, then it's time to fire up another system or two, play with the spam load/e-mail, running it against his/her own copy of SpamAssassin, SpamPal, whatever .. shooting it to his/her HotMail, Yahoo, AOL account and see what gets through. During this interval, spam recipients are receiving that last version, most deleting, some merrily clicking away, a few reporting, perhaps enough of the latter to get the spewing IP onto the SCBL which then blocks/manages the remainder of that spew run for some folks (which then also reduces the reporting) .... Once that 'perfect' e-mail is constructed that the filters don't stop, off it goes into the next spam spew run. Once that one is in progress, start the next construction and test away.
turetzsr
post Apr 28 2005, 08:55 AM
Post #33


T-shirt wearing out

Group: Membersph
Posts: 3575
Joined: 26-January 04
From: Michigan USA
Member No.: 59



...Wow, Software Development Life Cycle principles for spam. Gotta love it! <g>


--------------------
..Regards,
...Steve T

...A Happy SpamCop.net user (not an employee)
...Please avoid replying via e-mail, as it is not secure
Jank1887
post Apr 28 2005, 09:44 AM
Post #34


Advanced Member
***

Group: Membera
Posts: 204
Joined: 10-August 04
From: Baltimore, MD, US
Member No.: 2346



unfortunately, it pays for them to do a thorough job.
Jeff G.
post May 11 2005, 12:33 AM
Post #35


T-shirt wearing out

Group: Membersph
Posts: 3730
Joined: 2-July 04
From: Northeast New Jersey (New York Metro Area), USA ... Please read my sig. :)
Member No.: 2041



QUOTE(Jeff G. @ Mar 31 2005, 09:22 AM)
Please note that the whitelist is processed right-to-left, with a wildcard assumed at the left end.
*
Presumably, so is the blacklist.


--------------------
Best Regards, Jeff G. (full signature)
icemanx
post Dec 30 2005, 09:51 AM
Post #36


Newbie
*

Group: Members
Posts: 1
Joined: 30-December 05
Member No.: 5035



Hi all

just in curiosity what program are you using for whitelisting or blacklisting

I use firetrust mailwasher and so far it's the best I have ever seen or used

I just mark what I think is spam or what spamcop has already shown me that are in RED...

then it all does its job when I press process email...

mailwasher with spamcop works GREAT

thanks SpamCop you are the best (can't say much for them spammers)
Wazoo
post Dec 30 2005, 01:49 PM
Post #37


What Life?

Group: Forum Admin
Posts: 12536
Joined: 22-January 04
From: Iowa
Member No.: 18



QUOTE(icemanx @ Dec 30 2005, 08:51 AM)
just in curiosity what program are you using for whitelisting or blacklisting
*


You are posting in a Forum section devoted to users of a SpamCop Filtered E-Mail Account ... filters, BLx, etc. available are found as a FAQ item here.
michaelanglo
post Dec 30 2005, 03:23 PM
Post #38


Advanced Member
***

Group: Membera
Posts: 157
Joined: 29-January 04
From: michaelanglo in Surrey, England
Member No.: 117



{the SpamCop email whitelist is checked right to left so giving a wildcard effect}
QUOTE(Jeff G. @ May 11 2005, 05:33 AM)
Presumably, so is the blacklist.
*

I'm not sure that is true. ISTR trying Blacklist 'bank.com' which didn't appear to work.
StevenUnderwood
post Dec 30 2005, 03:32 PM
Post #39


What Life?

Group: Membersph
Posts: 5141
Joined: 20-January 04
From: Whitinsville, MA USA
Member No.: 12



QUOTE(michaelanglo @ Dec 30 2005, 03:23 PM)
{the SpamCop email whitelist is checked right to left so giving a wildcard effect}
I'm not sure that is true. ISTR trying Blacklist  'bank.com' which didn't appear to work.
*

Were you trying to blacklist x[at]bank.com or x[at]somebank.com? As I understand it, Spamcop uses the . and @ as terminators for searching. In other words bank.com will NOT catch nationsbank.com. Also, from the blacklist entry page:
Mail from users whose email addresses match your blacklist will be blocked without checking any DNS blacklists. The email address checked is the envelope sender which is identified in the headers of the email as the Return-Path. This might be different from the From: address shown in the email.

And from the whitelist entry page: Enter a domain or an entire email address on each line. Incoming email addresses are checked against the whitelist starting from the right and working toward the left. That is, if you enter spamcop.net, it will match any email address with spamcop.net at the right, including foo[at]spamcop.net or foo[at]bar.spamcop.net.

Entering matches starting from the left will not work. For instance, entering foo into your whitelist will not match foo[at]spamcop.net or foo[at]bar.net.


--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net

-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-
btech
post Jan 3 2006, 09:08 PM
Post #40


Advanced Member

Group: Memberp
Posts: 446
Joined: 17-June 04
From: Texas
Member No.: 1895



Right, Steven hit it on the head.

You have to black list the whole domain like @1stbank.com or @USBANK.com. The wildcard is for all email addresses from that specific domain, not a wildcard for domain names.

You can use the filters in SCMail for that.
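The matching rules discussed in the last few posts (right-to-left comparison, `.` and `@` acting as terminators, and the blacklist being applied to the Return-Path rather than the From: address) can be modelled as below. This is an added example, not part of the original thread and not SpamCop's code; the function names, the case-insensitive comparison and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TERMINATORS = ".@"


def entry_matches(entry, address):
    """Right-to-left match of one list entry against one address.

    The entry must sit at the right-hand end of the address, and whatever
    remains to its left must end at a '.' or '@' boundary (or be empty).
    """
    entry, address = entry.strip().lower(), address.strip().lower()
    if not entry or not address.endswith(entry):
        return False
    rest = address[: len(address) - len(entry)]
    if not rest or entry[0] in TERMINATORS:
        return True  # whole address matched, or entry carries its own boundary
    return rest[-1] in TERMINATORS


def is_listed(entries, address):
    """True if any entry on the list matches the address."""
    return any(entry_matches(e, address) for e in entries)


def envelope_sender(raw_message):
    """Address from Return-Path, the header the blacklist page says is checked."""
    header = message_from_string(raw_message).get("Return-Path", "")
    return parseaddr(header)[1]


def blacklist_blocks(entries, raw_message):
    """Apply a blacklist to the envelope sender; a null sender never matches."""
    sender = envelope_sender(raw_message)
    return bool(sender) and is_listed(entries, sender)


# Constructed message: the visible From: and the envelope sender differ.
SAMPLE_MESSAGE = (
    "Return-Path: <bulk@mailer.example>\n"
    "From: Regional Bank <service@bank.example>\n"
    "Subject: account notice\n\nbody\n"
)

if __name__ == "__main__":
    for entry, addr in [
        ("spamcop.net", "foo@bar.spamcop.net"),  # subdomain matches
        ("bank.com", "x@nationsbank.com"),       # no boundary before "bank"
        ("foo", "foo@spamcop.net"),              # left-anchored entries fail
        ("@1stbank.com", "x@mail.1stbank.com"),  # "@" form excludes subdomains
    ]:
        print(f"{entry!r:16} vs {addr!r:24} -> {entry_matches(entry, addr)}")
    print(blacklist_blocks(["bank.example"], SAMPLE_MESSAGE))    # From: ignored
    print(blacklist_blocks(["mailer.example"], SAMPLE_MESSAGE))  # Return-Path
```

Under this model a full-address entry such as foo@spamcop.net also matches x.foo@spamcop.net, because the `.` in the local part counts as a boundary.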