mshalperin

SpamAssassin & BL implementation in SC webmail

The webmail site spam filtering setup instructions state the following about SpamAssassin:

SpamAssassin: SpamAssassin checks your incoming mail against a variety of rules and assigns a spam score. The higher the score, the more likely it is that this email is spam. This option is recommended, as it can help block the few spams that the SpamCop blacklist won't block.

I understand from a prior discussion here that SpamAssassin is now employed before rather than after the BL's, with the effect that the BL's now block the few spams that escape SpamAssassin.

From what I know about it, SpamAssassin can internally access various BL's, in addition to its heuristic content analysis. My question is how is it set up for the SC webmail site? Are the non-SpamCop BL's accessed through SpamAssassin or independently after it is applied? If SpamAssassin is using the BL's - does it indicate this besides the assigned score?

Thanks.


ancient post, not really sure if it holds the answer to your exact query, but http://forum.spamcop.net/forums/index.php?showtopic=665 definitely is a starting point for further trudging through the old posts. (Note the 30 day limit at the bottom of the Topic list page - as explained in http://forum.spamcop.net/forums/index.php?...faq&article=10)


My impression from both history and looking through some headers is that the SpamCop Email System's implementation of SpamAssassin does not use any blacklists or blocklists at all - it is entirely self-sufficient. Of course, this implementation makes it a little less likely to catch some spam, but at the same time more reliable in the face of DOS or other issues with blacklist and blocklist providers and their name servers.

My impression from both history and looking through some headers is that the SpamCop Email System's implementation of SpamAssassin does not use any blacklists or blocklists at all - it is entirely self-sufficient. 

That's my thought also, but wasn't able to find "the post" that actually said this ....

ancient post, not really sure if it holds the answer to your exact query, but http://forum.spamcop.net/forums/index.php?showtopic=665 definitely is a starting point for further trudging through the old posts.

Thanks. The most recent discussions related to logic rules implemented some time ago. The latest version of SA is 3.2.0 released 9/14/05 - sometime after. I don't know enough about SA to know if the logic rules are selectable now, but I do know that internal use of blocklists is optional. I'm interested in whether the internal BL access is switched on for the SC webmail site.

My impression from both history and looking through some headers is that the SpamCop Email System's implementation of SpamAssassin does not use any blacklists or blocklists at all - it is entirely self-sufficient. 

Thanks. I assumed that this is how it worked, and does make it more flexible for the user to select the desired bl's independently.


For the last 3 or more months and >5000 filtered spams, I've seen absolutely zero spam filtered by the SC BL in my Held folder. SpamAssassin filters 90-95%, but the remaining are caught by the other BLs. Even during the period last month when SpamAssassin was malfunctioning and a far greater percentage was filtered by the BLs, none was caught by the SpamCop BL. Has there been a change in the implementation of the SC BL in the SC webmail service? At this point, it would make no difference at all if I disabled the SC BL, leaving the others functioning.


For the last 3 or more months and >5000 filtered spams, I've seen absolutely zero spam filtered by the SC BL in my Held folder. SpamAssassin filters 90-95%, but the remaining are caught by the other BLs. Even during the period last month when SpamAssassin was malfunctioning and a far greater percentage was filtered by the BLs, none was caught by the SpamCop BL. Has there been a change in the implementation of the SC BL in the SC webmail service? At this point, it would make no difference at all if I disabled the SC BL, leaving the others functioning.

The SpamCop blocklist was not functioning a while ago, at the same time SpamAssassin was not checking

http://forum.spamcop.net/forums/index.php?...ost&p=52946

Aside from a Bayesian score, SpamAssassin also adds a count from other blocklists, with the SCBL adding a score of 1.5

JT keeps changing rules on how our email is processed? I have put cn,br in my blacklist, I often get "br on blacklist" without further scanning it is sent to my spam folder ready for VER to send an abuse report (I also have Brazil and China selected on a Country Block)

Many people I know (Oceania) use mailwasher and set-up the SCBL and find it the best thing since sliced bread. SpamCop's blocklist blocks an IP as it is sending spam, not after spam is sent, releasing an IP when spam is not being sent.

Also if one does not at least quick report spam from their VER it may result/allow spammer to keep attacking you. I find spammers are checking on which IP's are blocked before spewing spam. This is where SpamCop Blocklist cuts in (Blocking as spam is being sent). Other blocklists are very slow in releasing IP's in the case of zombie computers ISP's are also slow in shutting them down (as simple as blocking port 25)

For the last 3 or more months and >5000 filtered spams, I've seen absolutely zero spam filtered by the SC BL in my Held folder.

Then you'd better take another look at your SC email settings, because I get stuff in my Held that's put there due to "X-SpamCop-Disposition: Blocked bl.spamcop.net" almost every day. Far fewer than from SA analysis, but they still show up. If you're not seeing any at all, that doesn't sound right.

DT

Edited by DavidT

Then you'd better take another look at your SC email settings, because I get stuff in my Held that's put there due to "X-SpamCop-Disposition: Blocked bl.spamcop.net" almost every day. Far fewer than from SA analysis, but they still show up. If you're not seeing any at all, that doesn't sound right.

It could also be your specific spam profile. I currently get only about 2 or 3 blocked by bl.spamcop.net per week, but do get them.

It could also be your specific spam profile. I currently get only about 2 or 3 blocked by bl.spamcop.net per week, but do get them.

Maybe that's it. I have all available BLs activated (reset all of them to be sure) and SpamAssassin threshold set to 2. I used to get at least some filtered by SCBL... Recently I've been getting more with geocities as the spamvertized site sent from probable bots, which often makes it to the inbox and is never filtered by any BL. Most of it is drug, phony loan, penny stock, Nigerian, porn, etc., with spamvertized sites from China, Korea, Pacific Rim, Russia, Brazil, etc. spewed from botnets.

For the last 3 or more months and >5000 filtered spams, I've seen absolutely zero spam filtered by the SC BL in my Held folder. SpamAssassin filters 90-95%, but the remaining are caught by the other BLs.

As I understand it, the SpamAssassin check is the first one performed. So if an Email fails that check it is moved to the held folder. I suspect that if you stopped using SpamAssassin then you would see mail blocked by the SCBL as well as other blocklists.

Andrew

I suspect that if you stopped using SpamAssassin then you would see mail blocked by the SCBL as well as other blocklists.

Or simply raise your SA score threshold a bit, as a test. A level of 2 is pretty aggressive, and so no wonder that the system hasn't bothered to check most of your spam against the SCBL. I used to have mine set at the default level of 5, in order to avoid false positives, but lowered it to 4 last year as spam increased.

I'm not discounting the possibility that the SCBL has become less effective overall, due to the extremely wide distribution of zombies, bot-nets, and the like, and perhaps also due to the demographics and practices of the people reporting spam.

DT
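
The ordering described in the posts above, as an added illustration that is not part of the thread and not SpamCop's code: each held message is attributed only to the first check that fires, so with SpamAssassin running first, a low threshold leaves little for bl.spamcop.net to claim. The sample messages, the blocklist order and the "Blocked SpamAssassin" label are constructed assumptions.

```python
from collections import Counter

# Blocklist zones named in the thread; the order they are checked in is assumed.
BLOCKLISTS = ["bl.spamcop.net", "cbl.abuseat.org", "korea.services.net"]

# Constructed sample: (SpamAssassin score, blocklists that list the sending IP).
SAMPLE_MAIL = [
    (7.9, {"bl.spamcop.net", "cbl.abuseat.org"}),
    (4.6, {"bl.spamcop.net"}),
    (3.1, {"bl.spamcop.net"}),
    (2.4, {"cbl.abuseat.org"}),
    (2.2, {"bl.spamcop.net"}),
    (1.2, {"korea.services.net"}),
    (0.8, set()),
    (0.3, set()),
]

def disposition(score, listed_on, threshold, use_sa=True):
    """Return the reason a message is held, or None if it is delivered.

    Only the first check that fires is recorded; later checks never run.
    """
    if use_sa and score >= threshold:
        return "Blocked SpamAssassin"   # constructed label, not SpamCop's wording
    for zone in BLOCKLISTS:
        if zone in listed_on:
            return f"Blocked {zone}"    # form of the header value quoted in the thread
    return None

def tally(mail, threshold, use_sa=True):
    """Count messages by the check that caught them."""
    counts = Counter()
    for score, listed_on in mail:
        counts[disposition(score, listed_on, threshold, use_sa) or "Delivered"] += 1
    return counts

if __name__ == "__main__":
    for label, kwargs in [("SA threshold 2", {"threshold": 2}),
                          ("SA threshold 5", {"threshold": 5}),
                          ("SA disabled", {"threshold": 5, "use_sa": False})]:
        print(label, dict(tally(SAMPLE_MAIL, **kwargs)))
```

The same mail shows no SCBL attributions at threshold 2, three at threshold 5 and four with SpamAssassin off, although the blocklist contents never change between runs.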

As I understand it, the SpamAssassin check is the first one performed. So if an Email fails that check it is moved to the held folder. I suspect that if you stopped using SpamAssassin then you would see mail blocked by the SCBL as well as other blocklists.

Maybe, but last month when SpamAssassin was broken on some servers, I still didn't see anything picked off by the SCBL. A lot more were caught by various other BLs, but not SCBL. I don't know in what order they are applied - possibly the SCBL is last. All I can say is at that time I got large amounts of spam in my inbox and what did get held wasn't by the SCBL.

All I can say is at that time I got large amounts of spam in my inbox and what did get held wasn't by the SCBL.

...and yet in the check I just did of the "overnight" spam in my Held mail, 14 were put there due to SA, 4 were put there due to SCBL hits, and then 1 each for the following BLs:

cn.countries.nerd.dk

korea.services.net

cbl.abuseat.org

Therefore, my experience is quite different than yours. My spam exposure is pretty diverse, in that I've had addresses at multiple domains exposed in many different ways and for many years. IOW, my profile shouldn't be very unique in terms of my spam exposure. I can't explain your results. In order to minimize the exposure and eventual leakage into one's inbox, I do recommend extreme diligence in not letting any addresses be posted in "bot readable" format out on the web. I was able to Google several for you....a "cqmail" address and also a RoadRunner address.

DT

Edited by DavidT


In order to minimize the exposure and eventual leakage into one's inbox, I do recommend extreme diligence in not letting any addresses be posted in "bot readable" format out on the web. I was able to Google several for you....a "cqmail" address and also a RoadRunner address.

DT

I'm not sure what you mean by "posting in bot readable format". The addresses you found were only given to (apparently) legitimate businesses, forums, etc., that I deal with and always given as confidential. For the last 6 months I have submitted SpamCop reports un-munged without any dramatic change in spam volume or sources. I have other addresses that I've kept private which haven't been spammed so far. My spam volume is still manageable, so I've left the "public" addresses active partly as my personal spam traps.

Edited by mshalperin


I meant having an actual email address displayed on a web page that's accessible to search engines and other less-friendly spiders. If you *want* them to be harvested and therefore receive more spam, that's fine. My intention was to point out that several addresses appear on websites where spam harvesting could occur, although I don't think any were in a "mailto" link, which makes harvesting much more likely. Most of the spam that my wife receives is attributable to an amateur high school class "alumni page" where they've got her address linked in a "mailto." There are ways to protect addresses from spam harvesting, such as encoding, or the use of JavaScript, so I don't allow any of my addresses to be published on web pages in an unprotected format.

DT


Maybe, but last month when SpamAssassin was broken on some servers, I still didn't see anything picked off by the SCBL. A lot more were caught by various other BLs, but not SCBL. I don't know in what order they are applied - possibly the SCBL is last. All I can say is at that time I got large amounts of spam in my inbox and what did get held wasn't by the SCBL.

At the same time SpamAssassin was playing up, SpamCop was not adding to the SCBL

The SCBL was also taking spamvertised IP's off the SCBL as abusive IP's were not being seen as continuing to spam (I seem to remember a reboot of system corrected this)

It seems that since this SpamCop technicians have also fixed a glitch making reporting much faster now?

If you have your SpamAssassin score set to two it would mean that any IP on our SCBL will add 1.3-1.5 to that score straight away (SpamAssassin adds scores from a number of blocklists) as well as Bayesian score. JT may also add his own rules? Spammers are trying to confuse SpamAssassin by adding gibberish to text in spam sent

I meant having an actual email address displayed on a web page that's accessible to search engines and DT

OK, I see what you mean. I've never posted my email addresses (in any format) in any public forum. If my addresses are in the "public domain", they were either stolen or sold from supposedly private listings. I always refuse permission to distribute them to "affiliated" 3rd parties. Anytime I publicly post a reference email address (not mine) on a public site, I write it with "<at>" instead of "[at]" to avoid automated harvesting.
