    drastic decline in mail blocked

    I'm not using the e-mail account product, I'm using the blacklist itself. My second line of defense after the spamcopbl is spamassassin (as sold by Sophos), which is using a slew of BLs and works well. My question is: is anyone else seeing the same dropoff in effectiveness of just the BL, and if not, any thoughts on what I could be doing wrong? I'm rsyncing the data down and loading it into named (after re-writing it). It's been working very well for years. It just started getting less and less effective over the last few weeks. Thanks to everyone for their posts, James.
  2. jboure

    drastic decline in mail blocked

    Hmmm, that's a bummer. Spamcop has always been the best list out there in my experience. I've used most of them. I still use most of them as part of Sophos' Puremessage SpamAssassin implementation. Spamcop has always been my first line of defense, as it's the only list I've ever trusted not to do crazy stuff. I get an astoundingly low number of false positives from it. That's why it's the only list I've trusted to outright reject mail for my end users. Up until a month ago, it was rejecting 500,000 emails a day, and I was getting less than one complaint a month. It's a huge cost savings to me to reject mail rather than quarantine it. The amount of spam getting to my end users has not increased, thanks to Sophos. My real worry is that the amount of mail getting past spamcop has gone way up, and is really stressing my Sophos implementation. So I'm not looking for advice on other ways to catch spam, I'm mostly curious why my spamcop BL has lost effectiveness so drastically.
  3. jboure

    drastic decline in mail blocked

    That is for sure possible (that I have screwed something up). I have a smokeping DNS probe running against the zone, and it goes off infrequently. I'm using a local (to the mail server) copy of the spamcopbl zone running in named. It seems to be responding pretty well. I'm rsyncing the zone every 5 minutes. The script downloads it, rewrites it BIND-style, verifies it w/ named-checkzone, and then loads it. This is pretty painless, as the zone itself is relatively (to other blacklists) small. I'm not sure how to check if postfix is giving up on the name service. I doubt that is the culprit, because he can still do recursive reverse lookups using the name server that is auth for the spamcopbl.
  4. jboure

    drastic decline in mail blocked

    Sorry for responding to my own post, but I just noticed that you weren't using the BL. Sorry about that.
  5. jboure

    drastic decline in mail blocked

    That's good to know. Got any stats? That would be tricky. The layer after the Spamcop BL is Sophos Puremessage. The spam gets stored in a quarantine, the guts of which I am unfamiliar with. I guess I could analyze the IPs of all inbound mail and sort it by country or something, but I'm pretty sure I would not get away with just dumping non-ARIN email, for instance. Any other ideas? I've got millions of spams to sort through. Sophos is doing a good job quarantining what spamcop is missing, but the added load is putting a strain on it. I'm not rejecting mail with any other blacklist. My end user community has a low tolerance for false positives, and over the years I've only gotten a small handful of complaints when using spamcopbl. It might be okay to try out a DUL. If anyone knows of a good free one that would let me rsync, that could be helpful.
  6. jboure

    drastic decline in mail blocked

    I'm not sure I have a way of doing that. We get around 700k spam per day. I understand. I don't know if you saw the link to the graph I posted, but the decline has been pretty linear, pretty recent, and pretty drastic. I wonder if others are seeing the same thing?
  7. I subscribe to the blocking list for my company, which gets just under a million (attempted) emails inbound from the internet per day. About 95% of it is spam. Historically, the spamcopbl has blocked about half (or more) of it. Over the last month I've seen a steady decline in the amount of email that spamcop is catching. I've graphed the last two weeks' worth here (don't worry, it's not evil): http://www.nansi.org/wtf.gif I've spoken to a couple other mail admins at other sites and heard similar complaints. Is there anything to what I'm seeing? Are others having the same experience? I'm comfortable with the fact that maybe I screwed something up, but I'm pretty sure I haven't. Any ideas? Thanks, James.
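
An added example, not code from anyone in the thread: one way to separate "the list is catching less" from "Postfix is failing its lookups against the local zone" is to count, per day, smtpd connects, rejects attributed to the list, and RBL lookup errors in the mail log. The log lines are constructed samples in Postfix's syslog format, and the zone name `bl.spamcop.net` is an assumption about how the local copy is named.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd syslog format (not from the thread).
SAMPLE_LOG = """\
Mar  1 10:00:01 mx postfix/smtpd[101]: connect from unknown[192.0.2.10]
Mar  1 10:00:02 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<h>
Mar  1 10:00:03 mx postfix/smtpd[101]: disconnect from unknown[192.0.2.10]
Mar  1 10:00:04 mx postfix/smtpd[102]: connect from unknown[192.0.2.11]
Mar  2 10:00:01 mx postfix/smtpd[201]: connect from unknown[192.0.2.12]
Mar  2 10:00:02 mx postfix/smtpd[201]: warning: 12.2.0.192.bl.spamcop.net: RBL lookup error: Host or domain name not found. Name service error for name=12.2.0.192.bl.spamcop.net type=A: Host not found, try again
Mar  2 10:00:03 mx postfix/smtpd[202]: connect from unknown[192.0.2.13]
Mar  2 10:00:04 mx postfix/smtpd[202]: warning: 13.2.0.192.bl.spamcop.net: RBL lookup error: Host or domain name not found. Name service error for name=13.2.0.192.bl.spamcop.net type=A: Host not found, try again
Mar  2 10:00:05 mx postfix/smtpd[203]: connect from unknown[192.0.2.14]
Mar  2 10:00:06 mx postfix/smtpd[203]: NOQUEUE: reject: RCPT from unknown[192.0.2.14]: 554 5.7.1 Service unavailable; Client host [192.0.2.14] blocked using bl.spamcop.net; from=<c@example.com> to=<b@example.org> proto=ESMTP helo=<h>
Mar  2 10:00:07 mx postfix/smtpd[204]: connect from unknown[192.0.2.15]
"""

DAY = re.compile(r"^(\w{3}\s+\d+) ")  # syslog date, e.g. "Mar  1"

def rbl_stats(log_text, zone="bl.spamcop.net"):
    """Per-day connects, rejects credited to `zone`, and failed lookups in `zone`."""
    blocked = "blocked using " + zone
    stats = defaultdict(lambda: {"connects": 0, "rejects": 0, "dns_errors": 0})
    for line in log_text.splitlines():
        m = DAY.match(line)
        if not m or "postfix/smtpd" not in line:
            continue
        day = " ".join(m.group(1).split())  # normalise "Mar  1" to "Mar 1"
        if ": connect from " in line:  # does not match "disconnect from"
            stats[day]["connects"] += 1
        elif "NOQUEUE: reject:" in line and blocked in line:
            stats[day]["rejects"] += 1
        elif "RBL lookup error" in line and zone in line:
            stats[day]["dns_errors"] += 1  # lookup failed, mail was not checked
    return dict(stats)

def reject_ratio(day_stats):
    """Share of connections rejected by the list on one day."""
    c = day_stats["connects"]
    return day_stats["rejects"] / c if c else 0.0

if __name__ == "__main__":
    for day, s in rbl_stats(SAMPLE_LOG).items():
        print(day, s, f"ratio={reject_ratio(s):.2f}")
```

A falling ratio with `dns_errors` near zone-reload times points at the local name service; a falling ratio with no lookup errors points at the list data itself.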