Spam detection

[pierre]

We have a costly anti-spam enterprise software which runs on its own server and is placed in front of the mail servers.

It filters quite everything that is not related to our industry. It filters well web hosting, loans and all regular spam.

It filters well "viagra" but not very well v1agra or the same kind of junk.

It routes too short emails or emails with just a link to an admin who decides if the email goes through or not. It also routes SBL (not sure of spelling) listed addresses.

Unfortunately they add dumb hidden text to trick the system. So more junk is delivered everyday.

According to my techies, it increases by 5% every week which they consider low.

I feel that we upgrade the protection and they come new stuff so the new protection is obsolete and more junk is coming in.

My big concern is that we detect more and more junk with scripts. That's scary as these scripts can be worms or other Trojan stuff. Today we detect and destroy 100% of those, what about tomorrow? When your servers carry customers' data as we do, you seriously worry.

Any ideas? Any advices?

Pierre

[turetzsr]

...AIUI, if you use content-based filtering (which is what you seem to be describing), you are doomed to failure (as you appear to be discovering). The solution seems to be IP-based filtering, by something like using the SpamCop blocklist.

[petzl]

suggest you at least try a SpamCop email account to see how its really done

This is the best and most accurate cost effective filtering system on the planet. The big plus is that once spam is "very easily reported" (VER) it is added to SpamCops blocklist, effectively stopping spam while being sent and not after

click the link

SpamCop Email

[Wazoo]

There was another posting a few months back from someone else in the same boat, spending lots of money on a hardware solution that wasn't panning out. I just can't come up with the "right" search words o find that discussion.

You have to remember that some of these spam folks spend a lot of time working on getting around filters, blocks, and such. And just as in the virus/trojan/exploit world, most of the "updates" and such are reactive .. that is, not available until the "stuff" is out there, reported, captured, analyzed, tweaked, and the "patch/update" written up and then made available for distribution (and while all that is going on, the spammer is already working on the next "tweak")

And, then next level is that the spammer doesn't seem to care just how bad the spam looks these days, just as long as it gets through ... whereas your hardware/software fitering box folks have to work on not blocking too much ... whole different target and perspective on the handling of any and all incoming e-mail.

[pierre]

Our filtering box works on both IP and wording filtering. We will give a try to the spamcop email solution.

Wazoo is right there is no perfect solution. As soon as you implement a solution, they already have a counter attack spamming system.

It seems (correct me if I'm wrong) that pro-spammers change IP for each blast they make. When the used IP becomes blocked and they switch to another one.

To understand more, we purchased a list from www.email-lists.biz (found on google)

We purchased for $14.95 something like 2.5 millions emails + plus all the spammer kit for free... (Bulk email sender, extractor, unsubscriber & list manager) + free proxies. We tried the daily proxies (100 of them) 20% only were blocked... (for sensible people, the list was not downloaded)

We could get a 15 million USA Package for $44.95 and 140 million worldwide for $99.99!!!

Is that crazy, I wouldn't beleive it until I saw that... I understand why we get so much spam and our system can't keep up.

Even google offers lists of proxies even 19 for free! Google directory

I think it's an impossible task...

[turetzsr]

<snip>

I think it's an impossible task...

20472[/snapback]

...If your task is to have a 100% spam-free environment, then you are correct. If your task is to save time and money by stopping a good proportion of the spam from getting through, it is eminently worthwhile! <g>

[petzl]

It seems (correct me if I'm wrong) that pro-spammers change IP for each blast they make. When the used IP becomes blocked and they switch to another one.

Spammers send for hours posting spam on a single run. SpamCop BlockList has them often blocked within seconds making their spam run/efforts futile and simply bit binned

For me out of a 1000 plus spams hitting my SpamCop email folder occasionally one may get to my inbox So far I have had no false positives

Although I have reported a friend by mistake It was not held by SpamCop just changed his name to "bear" which from email experience usually involves males in lewd acts This had his Bear site taken down and he was not amused (so if in doubt do not report) :angry:

Not sure if this advice is still current but you used have 14 days to see if SpamCop email is your cup of tea or not.

The fact is that SpamCop email is administered by "JT" who is very awake to spammers antics and effective at keeping well ahead of their antics. SpamCop email servers are second to none and probably faster than the email servers you now use (of course all viruses are deleted with latest Virus definition filters as well)

The point is you are not just relying on gadgets for spam control but best advisers on spam control this planet has