Why does SpamCop release so much spam to me?


spamcop.net, Mar 31 2005, 05:37 AM: 2 days ago, I changed my SpamAssassin threshold from 2 to 1. Since then, I have had no spam forwarded from SpamCop to my Inbox.

Glad it's working for you, but lest anyone who stumbles upon this topic in the future consider something so drastic as to reduce your SpamAssassin threshold much past the default of 5, here are some quick statistics from my own Inbox, which I contend are *much* more typical than what's being reported here:

I currently have 765 messages in my Inbox. Of those, 505 were actually received through my SpamCop email account (and thus subjected to blacklist checks and SpamAssassin). Out of those 505, 79 items had a SpamAssassin "hits" value of over 1, and very few were from duplicate senders. Out of the 79, only 9 were represented by entries (including wildcards) on my current whitelist. That means that if I reduced my threshold to 1, I would have had to put all the rest of those senders on my whitelist, in order to make sure that their messages got through.

In fact, even having a threshold of 2, 3, or 4 would have also resulted in some false positives on this sample collection of mail, which doesn't even represent the thousands of items that I've deleted from that Inbox over the period of time that it spans. Here's a table of the ones that would have wound up in Held Mail if my SA value was only 1:

Hits=1.* - 42

Hits=2.* - 24

Hits=3.* - 7

Hits=4.* - 6

So it appears to me that the OP's situation probably represents someone who doesn't communicate with a very large or diverse collection of email sources. I would strongly caution anyone who expects to communicate with a very diverse sender base to keep your SpamAssassin setting at the default, or you'll risk having a lot of incoming messages trapped falsely. YMMV.

DT

  • 4 weeks later...

I have been getting a lot of spam that is getting through the SPAMCOP filters also. I report them but that takes time which is why I got SPAMCOP in the first place. Anyone have any ideas on how to better the filter so I don't receive so much junk?

Thanks... tjp :(

I have been getting a lot of spam that is getting through the SPAMCOP filters also. I report them but that takes time which is why I got SPAMCOP in the first place. Anyone have any ideas on how to better the filter so I don't receive so much junk?

You really need to do this with trial and error and it all depends on the type of messages received and your pain level if legitimate messages are held.

I can tell you how mine is set up. I receive messages from a few different lists and my friends. I only receive valid email from people I don't know through request in this group. I have SpamAssassin set to 5 and have all of the DNS Blacklists selected. I also have a whitelist with 8 pages (x 15 addresses per page) of domains (mostly) or addresses that have been caught at one time or another. The whitelist took me about 4-6 weeks to generate the bulk of it and I can't remember the last entry I added. At this point, I could probably set the block all and have a comprehensive whitelist in about a month, but I like to have a few slip through to report fully (including websites) so I can keep track of how the reporting is working. All Held Mail gets quick reported, usually within an hour of receipt.

Dang, sounds like a FAQ entry type of answer here with these last responses ...

Now noting that there are already a number of links there dealing with Whitelists, blacklists, filtering ... Maybe it's time to sort them out and actually re-write yet another 'complete' (?) FAQ entry?

On the "why do so many get through" question, I note that if one spam from a source not yet in any BL gets through, so will an identical or near identical spam.

This pushes up the 'False Negative' rate.

Example, 8 near identical emails of the "Regional Bank" type with a SpamAssassin level=2.8 from the same source to the same email address arrived last week in a 1 hour time slot.

The typical spin on that is that you must picture spamboy/girl kicking off the day with yet another spam spew run. Once that run is in progress, then it's time to fire up another system or two, play with the spam load/e-mail, running it against his/her own copy of SpamAssassin, SpamPal, whatever .. shooting it to his/her HotMail, Yahoo, AOL account and see what gets through. During this interval, spam recipients are receiving that last version, most deleting, some merrily clicking away, a few reporting, perhaps enough of the latter to get the spewing IP onto the SCBL which then blocks/manages the remainder of that spew run for some folks (which then also reduces the reporting) .... Once that 'perfect' e-mail is constructed that the filters don't stop, off it goes into the next spam spew run. Once that one is in progress, start the next construction and test away.

  • 2 weeks later...
Please note that the whitelist is processed right-to-left, with a wildcard assumed at the left end.

Presumably, so is the blacklist.
  • 7 months later...

Hi all

Just out of curiosity, what program are you using for whitelisting or blacklisting?

I use Firetrust MailWasher and so far it's the best I have ever seen or used.

I just mark what I think is spam or what SpamCop has already shown me that are in RED...

then it all does its job when I press process email...

MailWasher with SpamCop works GREAT

Thanks SpamCop, you are the best (can't say much for them spammers)

Just out of curiosity, what program are you using for whitelisting or blacklisting?

You are posting in a Forum section devoted to users of a SpamCop Filtered E-Mail Account ... filters, BLx, etc. available are found as a FAQ item here.

{the SpamCop email whitelist is checked right to left so giving a wildcard effect}

I'm not sure that is true. ISTR trying Blacklist  'bank.com' which didn't appear to work.

Were you trying to blacklist x[at]bank.com or x[at]somebank.com? As I understand it, SpamCop uses the . and [at] as terminators for searching. In other words bank.com will NOT catch nationsbank.com. Also, from the blacklist entry page:

Mail from users whose email addresses match your blacklist will be blocked without checking any DNS blacklists. The email address checked is the envelope sender which is identified in the headers of the email as the Return-Path. This might be different from the From: address shown in the email.

And from the whitelist entry page: Enter a domain or an entire email address on each line. Incoming email addresses are checked against the whitelist starting from the right and working toward the left. That is, if you enter spamcop.net, it will match any email address with spamcop.net at the right, including foo[at]spamcop.net or foo[at]bar.spamcop.net.

Entering matches starting from the left will not work. For instance, entering foo into your whitelist will not match foo[at]spamcop.net or foo[at]bar.net.

Right, Steven hit it on the head.

You have to blacklist the whole domain like [at]1stbank.com or [at]USBANK.com. The wildcard is for all email addresses from that specific domain, not a wildcard for domain names.

You can use the filters in SCMail for that.

  • 1 year later...
Right, Steven hit it on the head.

You have to blacklist the whole domain like [at]1stbank.com or [at]USBANK.com. The wildcard is for all email addresses from that specific domain, not a wildcard for domain names. [...]

But blacklist ru and blacklist br work fine so it's the "." delimiter I suppose.

Would Blacklist paypal.com stop investigation[at]security.paypay.com ?

Would Blacklist paypal.com stop investigation[at]security.paypay.com ?

No as you typed it (paypay), but yes as I expect you intended it (paypal). You could blacklist paypal.com and whitelist either investigation[at]security.paypay.com or security.paypay.com. Please note you should NOT start a whitelist or blacklist with the [at] sign.

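Added example, not part of any post in this thread and not SpamCop's own code: a small model of the matching rule as the posts above describe it (entries compared from the right, with "." and "@" acting as terminators, and the blacklist checked against the Return-Path rather than From:). The function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def entry_matches(entry: str, address: str) -> bool:
    """Right-anchored match, as described in the thread: the entry must sit
    at the right end of the address and begin at a '.' or '@' boundary
    (or cover the whole address). This is a model, not SpamCop's code."""
    entry, address = entry.strip().lower(), address.strip().lower()
    if not entry or not address.endswith(entry):
        return False
    rest = address[: len(address) - len(entry)]
    return rest == "" or rest[-1] in ".@"


def envelope_sender(raw_message: str) -> str:
    """Address from the Return-Path header, which the blacklist page quoted
    above says is the one checked (it may differ from From:)."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("Return-Path", ""))[1]


def blacklisted(raw_message: str, blacklist: list[str]) -> bool:
    sender = envelope_sender(raw_message)
    return any(entry_matches(entry, sender) for entry in blacklist)


# Constructed sample: From: shows one domain, Return-Path another.
SAMPLE = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "From: Service <service@paypal.com>\n"
    "Subject: Account notice\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for entry, addr in [
        ("spamcop.net", "foo@bar.spamcop.net"),
        ("foo", "foo@spamcop.net"),
        ("bank.com", "x@nationsbank.com"),
        ("ru", "x@mail.example.ru"),
        ("paypal.com", "investigation@security.paypal.com"),
        ("paypal.com", "investigation@security.paypay.com"),
    ]:
        print(f"{entry!r:14} vs {addr!r:40} -> {entry_matches(entry, addr)}")
    # A blacklist entry for the From: domain misses this message.
    print(blacklisted(SAMPLE, ["paypal.com"]), blacklisted(SAMPLE, ["example.net"]))
```
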

Archived

This topic is now archived and is closed to further replies.
