shull2805@spamcop.net

Why does SpamCop release so much spam to me?


Please note that the whitelist is processed right-to-left, with a wildcard assumed at the left end.

spamcop.net, Mar 31 2005, 05:37 AM] 2 days ago, I changed my SpamAssassin threshold from 2 to 1. Since then, I have had no spam forwarded from SpamCop to my Inbox.

Glad it's working for you, but lest anyone who stumbles upon this topic in the future consider something so drastic as to reduce your SpamAssassin threshold much past the default of 5, here are some quick statistics from my own Inbox, which I contend are *much* more typical than what's being reported here:

I currently have 765 messages in my Inbox. Of those, 505 were actually received through my SpamCop email account (and thus subjected to blacklist checks and SpamAssassin). Out of those 505, 79 items had a SpamAssassin "hits" value of over 1, and very few were from duplicate senders. Out of the 79, only 9 were represented by entries (including wildcards) on my current whitelist. That means that if I reduced my threshold to 1, I would have had to put all the rest of those senders on my whitelist, in order to make sure that their messages got through.

In fact, even having a threshold of 2, 3, or 4 would have also resulted in some false positives on this sample collection of mail, which doesn't even represent the thousands of items that I've deleted from that Inbox over the period of time that it spans. Here's a table of the ones that would have wound up in Held Mail if my SA value was only 1:

Hits=1.* - 42

Hits=2.* - 24

Hits=3.* - 7

Hits=4.* - 6

So it appears to me that the OP's situation probably represents someone who doesn't communicate with a very large or diverse collection of email sources. I would strongly caution anyone who expects to communicate with a very diverse sender base to keep your SpamAssassin setting at the default, or you'll risk having a lot of incoming messages trapped falsely. YMMV.

DT

Edited by DavidT


I have been getting a lot of spam that is getting through the SPAMCOP filters also. I report them but that takes time, which is why I got SPAMCOP in the first place. Anyone have any ideas on how to better the filter so I don't receive so much junk?

Thanks... tjp :(

I have been getting a lot of spam that is getting through the SPAMCOP filters also. I report them but that takes time, which is why I got SPAMCOP in the first place. Anyone have any ideas on how to better the filter so I don't receive so much junk?


You really need to do this with trial and error, and it all depends on the type of messages received and your pain level if legitimate messages are held.

I can tell you how mine is set up. I receive messages from a few different lists and my friends. I only receive valid email from people I don't know through request in this group. I have SpamAssassin set to 5 and have all of the DNS Blacklists selected. I also have a whitelist with 8 pages (x 15 addresses per page) of domains (mostly) or addresses that have been caught at one time or another. The whitelist took me about 4-6 weeks to generate the bulk of it and I can't remember the last entry I added. At this point, I could probably set the block all and have a comprehensive whitelist in about a month, but I like to have a few slip through to report fully (including websites) so I can keep track of how the reporting is working. All Held Mail gets quick reported, usually within an hour of receipt.


Dang, sounds like a FAQ entry type of answer here with these last responses ...

Now noting that there are already a number of links there dealing with Whitelists, blacklists, filtering ... Maybe it's time to sort them out and actually re-write yet another 'complete' (?) FAQ entry?


On the "why do so many get through" question, I note that if one spam from a source not yet in any BL gets through, so will an identical or near identical spam.

This pushes up the 'False Negative' rate.

Example: 8 near identical emails of the "Regional Bank" type with a SpamAssassin level=2.8 from the same source to the same email address arrived last week in a 1 hour time slot.


The typical spin on that is that you must picture spamboy/girl kicking off the day with yet another spam spew run. Once that run is in progress, then it's time to fire up another system or two, play with the spam load/e-mail, running it against his/her own copy of SpamAssassin, SpamPal, whatever .. shooting it to his/her HotMail, Yahoo, AOL account and see what gets through. During this interval, spam recipients are receiving that last version, most deleting, some merrily clicking away, a few reporting, perhaps enough of the latter to get the spewing IP onto the SCBL which then blocks/manages the remainder of that spew run for some folks (which then also reduces the reporting) .... Once that 'perfect' e-mail is constructed that the filters don't stop, off it goes into the next spam spew run. Once that one is in progress, start the next construction and test away.


...Wow, Software Development Life Cycle principles for spam. Gotta love it! :) <g>

Please note that the whitelist is processed right-to-left, with a wildcard assumed at the left end.


Presumably, so is the blacklist.


Hi all

Just in curiosity, what program are you using for whitelisting or blacklisting?

I use Firetrust MailWasher and so far it's the best I have ever seen or used.

I just mark what I think is spam or what SpamCop has already shown me that are in RED...

then it all does its job when I press process email...

MailWasher with SpamCop works GREAT

Thanks SpamCop, you are the best (can't say much for them spammers)

Just in curiosity, what program are you using for whitelisting or blacklisting?


You are posting in a Forum section devoted to users of a SpamCop Filtered E-Mail Account ... filters, BLx, etc. available are found as a FAQ item here.


{the SpamCop email whitelist is checked right to left so giving a wildcard effect}

Presumably, so is the blacklist.


I'm not sure that is true. ISTR trying Blacklist 'bank.com' which didn't appear to work.

{the SpamCop email whitelist is checked right to left so giving a wildcard effect}

I'm not sure that is true. ISTR trying Blacklist  'bank.com' which didn't appear to work.


Were you trying to blacklist x[at]bank.com or x[at]somebank.com? As I understand it, SpamCop uses the . and [at] as terminators for searching. In other words, bank.com will NOT catch nationsbank.com. Also, from the blacklist entry page:

Mail from users whose email addresses match your blacklist will be blocked without checking any DNS blacklists. The email address checked is the envelope sender which is identified in the headers of the email as the Return-Path. This might be different from the From: address shown in the email.

And from the whitelist entry page: Enter a domain or an entire email address on each line. Incoming email addresses are checked against the whitelist starting from the right and working toward the left. That is, if you enter spamcop.net, it will match any email address with spamcop.net at the right, including foo[at]spamcop.net or foo[at]bar.spamcop.net.

Entering matches starting from the left will not work. For instance, entering foo into your whitelist will not match foo[at]spamcop.net or foo[at]bar.net.


Right, Steven hit it on the head.

You have to blacklist the whole domain like [at]1stbank.com or [at]USBANK.com. The wildcard is for all email addresses from that specific domain, not a wildcard for domain names.

You can use the filters in SCMail for that.

Right, Steven hit it on the head.

You have to blacklist the whole domain like [at]1stbank.com or [at]USBANK.com. The wildcard is for all email addresses from that specific domain, not a wildcard for domain names. [...]

But blacklist ru and blacklist br work fine, so it's the "." delimiter I suppose.

Would Blacklist paypal.com stop investigation[at]security.paypay.com ?

Would Blacklist paypal.com stop investigation[at]security.paypay.com ?

No as you typed it (paypay), but yes as I expect you intended it (paypal). You could blacklist paypal.com and whitelist either investigation[at]security.paypay.com or security.paypay.com. Please note you should NOT start a whitelist or blacklist with the [at] sign.
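
The matching rules discussed in the last few posts (right-to-left matching, "." and [at] as terminators, and the blacklist being checked against the Return-Path rather than From:), modelled as an added example; this is not SpamCop's code and not part of any post. The function names and the sample message are constructed for illustration, and the terminator rule is the posters' understanding of the behaviour.

```python
from email import message_from_string
from email.utils import parseaddr

TERMINATORS = ".@"  # assumption taken from the thread: "." and "@" end a match

# Constructed sample: the envelope sender differs from the visible From: address.
SAMPLE = (
    "Return-Path: <bounce@mailer.example.ru>\n"
    "From: Regional Bank <service@bank.example>\n"
    "Subject: Account notice\n"
    "\n"
    "body\n"
)

def entry_matches(entry, address):
    """Right-anchored match: the entry must be a suffix of the address that
    covers the whole address or begins just after a '.' or '@'."""
    entry, address = entry.strip().lower(), address.strip().lower()
    if not entry or not address.endswith(entry):
        return False
    if len(entry) == len(address):
        return True  # a full address entered as the list entry
    return address[-len(entry) - 1] in TERMINATORS

def envelope_sender(raw_message):
    """Return the Return-Path address, which is what the blacklist page
    quoted above says is compared, not the From: header."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("Return-Path", ""))[1]

def first_match(entries, address):
    """Return the first list entry that matches the address, or None."""
    for entry in entries:
        if entry_matches(entry, address):
            return entry
    return None

if __name__ == "__main__":
    sender = envelope_sender(SAMPLE)
    for entry in ("ru", "example.ru", "bank.example", "ple.ru"):
        print(f"{entry!r:15} vs {sender}: {entry_matches(entry, sender)}")
```

An entry aimed at the address shown in From: never fires here, because only the envelope sender is compared.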
