andrewRump Posted October 22, 2007 Share Posted October 22, 2007 More and more spam is getting through! :angry: In SpamCop webmail I have set the SpamAssasin limit to 2 (setting it to 1 only cathes legit mail) and all DNS blacklists has been selected and still more and more spam mail is getting through! Well I do receive more and more spam so it is not because SpamCop is loosing the battle but the bars have to be raised? What can I do? Link to comment Share on other sites More sharing options...
DavidT Posted October 22, 2007 Share Posted October 22, 2007 Are the messages being sent directly to your SpamCop address, or are they being either POPed from, or forwarded from another address or addresses? You can cut down on spam that's sent directly to your SC address by enabling the new Greylisting feature: http://forum.spamcop.net/forums/index.php?showtopic=8650 However, it won't help for mail that's being sent to other addresses and then accessed in your SC account. If you own a domain, are you perhaps using a "catch-all" (or "default") email address that receives mail to any address a spammer might dream up? If so, you should disable that and you'll see a dramatic decrease in your spam level. The other solution would be to add some additional filtering, either at an ISP, or at your computer. Depending upon the email software you are using, there are utilities that can filter mail as you're downloading it. I've never used any of those, but if things got bad enough, I'd consider it. Another choice would be to petition the SC Email system owner to add to the blacklists offered in the account settings. For example, one that slipped by SpamCop into my inbox this morning came from via a relay in Spamhaus PBL (zen.spamhaus.org). I think that a lot of my false negatives would have been caught if the Zen blacklist were added as an option. DT Link to comment Share on other sites More sharing options...
StevenUnderwood Posted October 22, 2007 Share Posted October 22, 2007 What can I do? Have you investigated the headers to see why the messages are getting thrrough? For some information, see the FAQ: Messages not Filtered - Why? Link to comment Share on other sites More sharing options...
jongrose Posted October 22, 2007 Share Posted October 22, 2007 Yeah, I highly recommend the greylisting feature. I've had it on for about 3 days now and it's working great. I went from having 20+ spams an hour to having maybe 1-2. Read through the thread David linked to, and the Wikipedia article which gives a very good simple overview of how it works. Link to comment Share on other sites More sharing options...
michaelanglo Posted October 22, 2007 Share Posted October 22, 2007 More and more spam is getting through! :angry: In SpamCop webmail I have set the SpamAssasin limit to 2 (setting it to 1 only cathes legit mail) and all DNS blacklists has been selected [...] Please can we have some numbers ? My own :- 2684 spams (89/d), 59 leakers (=2.2 %), 0 false positive for September (reduction was due to greylisting) 4369 spams, (140/d) 80 leakers (=1.8 %), 0 false positive(s) August SA = 3.0 (just gone to 2.0) with bankofamerica.com and such in personal blacklist. Does spam get though because of low SA or because of a whitelist item ? Link to comment Share on other sites More sharing options...
petzl Posted October 22, 2007 Share Posted October 22, 2007 More and more spam is getting through! :angry: In SpamCop webmail I have set the SpamAssasin limit to 2 (setting it to 1 only cathes legit mail) and all DNS blacklists has been selected and still more and more spam mail is getting through! Well I do receive more and more spam so it is not because SpamCop is loosing the battle but the bars have to be raised? What can I do? Tried turning greylisting on (your whitelist overides Greylisting) Link to comment Share on other sites More sharing options...
andrewRump Posted October 23, 2007 Author Share Posted October 23, 2007 Are the messages being sent directly to your SpamCop address, or are they being either POPed from, or forwarded from another address or addresses? You can cut down on spam that's sent directly to your SC address by enabling the new Greylisting feature: I would love to use the greylisting but the e-mails are forwarded through SpamCop from my private domain to Gmail!!! However, it won't help for mail that's being sent to other addresses and then accessed in your SC account. If you own a domain, are you perhaps using a "catch-all" (or "default") email address that receives mail to any address a spammer might dream up? If so, you should disable that and you'll see a dramatic decrease in your spam level. I was forced to disable the catch-all several years ago - after receiving several thousand spam e-mails every day! The other solution would be to add some additional filtering, either at an ISP, or at your computer. Depending upon the email software you are using, there are utilities that can filter mail as you're downloading it. I've never used any of those, but if things got bad enough, I'd consider it. Well I don't want to introduce yet another server into the chain! :-) It is complicated enough already! Another choice would be to petition the SC Email system owner to add to the blacklists offered in the account settings. For example, one that slipped by SpamCop into my inbox this morning came from via a relay in Spamhaus PBL (zen.spamhaus.org). I think that a lot of my false negatives would have been caught if the Zen blacklist were added as an option. That is what I am hoping for. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted October 23, 2007 Share Posted October 23, 2007 That is what I am hoping for.Have you emailed support[at]spamcop.net with this specific request? Have you started a thread (should this be moved) to the New Features forum? The New Features forum has not usually been the quickest way, but it documents the request and allows others to comment on how widely the change is wanted/needed (sets priority). I would ask for a Moderator (I have stepped down from that position) to move this to the New Features and then reference the thread in the email request. Link to comment Share on other sites More sharing options...
DavidT Posted October 23, 2007 Share Posted October 23, 2007 I would ask for a Moderator (I have stepped down from that position) to move this to the New Features ......into the "black hole" of the forums, then.... ;-) DT Link to comment Share on other sites More sharing options...
StevenUnderwood Posted October 24, 2007 Share Posted October 24, 2007 ...into the "black hole" of the forums, then.... ;-) DT: Just about ANY request (no matter where located) has been like it went to a black hole. It has not mattered where on the forum it is located. Link to comment Share on other sites More sharing options...
DavidT Posted October 24, 2007 Share Posted October 24, 2007 It has not mattered where on the forum it is located. I disagree. While *most* requests seem to fall on deaf ears, I've seen some action in other forums, especially in the SC Email forum, but YMMV. I hope my other thread gets to stay in the Email forum. However, I do note that Trevor responded to two of the posts in "New Feature Requests" back in August, so maybe there's hope. JT's most recent post in this forum was Jan 20 2005. DT Link to comment Share on other sites More sharing options...
Wazoo Posted October 24, 2007 Share Posted October 24, 2007 However, I do note that Trevor responded to two of the posts in "New Feature Requests" back in August, so maybe there's hope. JT's most recent post in this forum was Jan 20 2005. Trevor, being 'new' in here, was apparently not 'warned' about getting involved in 'this' forum section. Link to comment Share on other sites More sharing options...
DavidT Posted October 24, 2007 Share Posted October 24, 2007 Wazoo...you should probably use some smileys once in a while so people don't think you're serious! Looks like we're about to see a few more topics marked "Resolved" in here....see this post in the SC Email forum from Trevor: http://forum.spamcop.net/forums/index.php?...ost&p=60529 DT Link to comment Share on other sites More sharing options...
andrewRump Posted October 24, 2007 Author Share Posted October 24, 2007 Have you emailed support[at]spamcop.net with this specific request? Well no because I do not know what is required to get better spam protection. I am asking you and is hoping that SpamCop will be enhanced with whatever is needed to raise the level of protection. Link to comment Share on other sites More sharing options...
andrewRump Posted October 24, 2007 Author Share Posted October 24, 2007 Have you investigated the headers to see why the messages are getting thrrough? For some information, see the FAQ: Messages not Filtered - Why? Sure. The messages that get throught usually get a SA score of zero but are easy (for me) to detect because they are often in Russian (or similar language). Here are a few examples: http://www.spamcop.net/sc?id=z1493510951z5...1f3ca435187f6az http://www.spamcop.net/sc?id=z1493510953z3...95d0e06bdb87c5z http://www.spamcop.net/sc?id=z1493510954z6...fbc2fcb13f020dz Tried turning greylisting on (your whitelist overides Greylisting) Unfortunately that is not an option because I forward my mails through SpamCop. Link to comment Share on other sites More sharing options...
DavidT Posted October 24, 2007 Share Posted October 24, 2007 Andrew, You might want to check your blacklist settings again...the sending IP of that first sample is currently listed on multiple BLs, including the XBL: http://www.robtex.com/rbl/74.61.49.208.html I don't have time to check the details of when it was listed and compare that to when you received the message, but I'm just pointing out that this particular message would currently get caught by the available blacklist filters. DT Link to comment Share on other sites More sharing options...
andrewRump Posted October 24, 2007 Author Share Posted October 24, 2007 Please can we have some numbers ? My own :- 2684 spams (89/d), 59 leakers (=2.2 %), 0 false positive for September (reduction was due to greylisting) 4369 spams, (140/d) 80 leakers (=1.8 %), 0 false positive(s) August SA = 3.0 (just gone to 2.0) with bankofamerica.com and such in personal blacklist. SA = 1! And I receive between 1000 and 2000 spam mails every day and about 20 spam mails get through. So our procentage are about the same - but the spammers are just getting better and better. Does spam get though because of low SA or because of a whitelist item ? SA is as low as possible! 0! Zero! Nil! Link to comment Share on other sites More sharing options...
DavidT Posted October 24, 2007 Share Posted October 24, 2007 The first and third samples came from the same IP address, which was listed on the CBL 3 and 1/2 hours ago, so it's possible that you received them just before the IP was added to the CBL/XBL. The middle sample is currently on SORBS. Sorry if you already told us this, but have you analyzed the items that wind up in your Held mail, checking the "X-SpamCop-Disposition:" lines to see if your BL filter settings are actually working? Most of my Held mail gets there due to SpamAssassin scores, but some of the items get put there due to BL hits. For example, out of the 49 items I just found in my Held folder, 44 were there due to my SA threshhold, 4 were there due to hits on the SCBL and one due to "Blocked cn.countries.nerd.dk." I'm assuming that the other BL filters are currently functional, but I'll be checking my Held mail to see if that's the case. I might even do something silly like turning off SA on my account to see if the other BLs kick in. DT Link to comment Share on other sites More sharing options...
andrewRump Posted October 24, 2007 Author Share Posted October 24, 2007 Well no because I do not know what is required to get better spam protection. I am asking you and is hoping that SpamCop will be enhanced with whatever is needed to raise the level of protection. Well I have one question to JT! Are SA tweaked or when was the filters last updated? I would love the SA level to be raised by a factor 10 so I may be able to make use of the SA level! Now having it set to 1 just makes it a flag instead of a adjustable fence! Link to comment Share on other sites More sharing options...
StevenUnderwood Posted October 24, 2007 Share Posted October 24, 2007 Well I have one question to JT! Are SA tweaked or when was the filters last updated? I would love the SA level to be raised by a factor 10 so I may be able to make use of the SA level! Now having it set to 1 just makes it a flag instead of a adjustable fence! While admittedly, I have little spam hitting my accounts and my "spam footprint" seems to be different than many here, I currently have SA set to 5 and have received 2 false positives in the last week (89 total spam). The 2 that got through had SA ratings of 4.7 (just missed) and 1.5. The 1.5 was an AIDS Walkathon invitation which went to my yahoo address which is primarily used for testing and never used for personal contact (like the message was indicating). Link to comment Share on other sites More sharing options...
DavidT Posted October 24, 2007 Share Posted October 24, 2007 ...and have received 2 false positives in the last week (89 total spam). The 2 that got through... I'm thinking those should be referred to as "false negatives," then. A "false positive" is generally something that a filter thinks is really spam, but isn't. DT Link to comment Share on other sites More sharing options...
Wazoo Posted October 24, 2007 Share Posted October 24, 2007 Wazoo...you should probably use some smileys once in a while so people don't think you're serious! I created this section so as to consolidate these suggestions / requests. The intent was that they'd all be found here, rather than buried in the middle of a newsgroup thread, a Forum discussion, etc. Discussions with various folks got me answers such as; "I don't need to look in there. If it's a good idea, I'll hear about it." "I don't want to look in there, as repeatedly telling users 'no way' wouldn't be productive." and of course, "I don't have the time" I believe my sense of humor (actually, the lack of one) has been mentioned a time or two in various places. Looks like we're about to see a few more topics marked "Resolved" in here....see this post in the SC Email forum from Trevor: That would be nice, to say the least. However, suspecting that it's going to have to be one of the Moderators to do the matching up of solutions and requests to add the [Resolved] tag when and if ..... Link to comment Share on other sites More sharing options...
StevenUnderwood Posted October 25, 2007 Share Posted October 25, 2007 I'm thinking those should be referred to as "false negatives," then. A "false positive" is generally something that a filter thinks is really spam, but isn't.Correct. Link to comment Share on other sites More sharing options...
andrewRump Posted October 25, 2007 Author Share Posted October 25, 2007 The first and third samples came from the same IP address, which was listed on the CBL 3 and 1/2 hours ago, so it's possible that you received them just before the IP was added to the CBL/XBL. The middle sample is currently on SORBS. Sorry if you already told us this, but have you analyzed the items that wind up in your Held mail, checking the "X-SpamCop-Disposition:" lines to see if your BL filter settings are actually working? Most of my Held mail gets there due to SpamAssassin scores, but some of the items get put there due to BL hits. For example, out of the 49 items I just found in my Held folder, 44 were there due to my SA threshhold, 4 were there due to hits on the SCBL and one due to "Blocked cn.countries.nerd.dk." I'm assuming that the other BL filters are currently functional, but I'll be checking my Held mail to see if that's the case. I might even do something silly like turning off SA on my account to see if the other BLs kick in. I am fairly confident that SpamCop works as expected. I have selected all (of the following) DNS Blacklists: DNS Blacklist DNS Zone Website SpamCop Blacklist bl.spamcop.net www.spamcop.net/bl.shtml DSBL open relays list.dsbl.org dsbl.org Spamhaus Blacklist sbl.spamhaus.org www.spamhaus.org/sbl/ South Korea (the country) korea.services.net korea.services.net China (the country) cn.countries.nerd.dk countries.nerd.dk/more.html Nigeria nigeria.blackholes.us www.blackholes.us Argentina argentina.blackholes.us www.blackholes.us Brazil brazil.blackholes.us www.blackholes.us Composite Blocking List cbl.abuseat.org cbl.abuseat.org Spamhaus XBL xbl.spamhaus.org www.spamhaus.org/xbl/ And going to report held spam (http://mailsc.spamcop.net/reportheld?action=heldlog) show all kind of reasons to why the e-mails where caught by SpamCop [NOTE: Please be warned. Some subjects are not appropriate for minors]: [1123243] nugvacanszep[at]vacans.com (Dear Customer Feel Good Now! Preview ) Wed, 24 Oct 2007 20:09:00 +0100 (Blocked bl.spamcop.net) [1123244] ikjzmjlsnc[at]mts-nn.ru (=?koi8-r?B?K+Hm6fvhK8vPzsPF0tTZIMkg28/VICj+OTUpIDIy+i05Mi36Nw==?= Preview ) Wed, 24 Oct 2007 23:15:09 +0300 (Blocked SpamAssassin=7) [1123245] setiathome[at]rump.dk (October 78% OFF Preview ) Wed, 24 Oct 2007 21:17:21 +0200 (CEST) (Blocked SpamAssassin=5) [1123246] andi[at]dmatrans.com (Turn your penis from a peasant to a Nobel. Preview ) Wed, 24 Oct 2007 17:51:34 +0000 (Blocked SpamAssassin=19) ... A lot Blocked SpamAssassin ... [1123277] oyj[at]brainfingers.com (Pakistan Interior Minister Sherpao says no foreigners will be brought into inquiry Preview ) Wed, 24 Oct 2007 14:53:37 -0600 (Blocked cbl.abuseat.org) [1123278] smeqeg[at]easyrentacar.com (Bright side Preview ) Sun, 20 Jan 2002 04:19:09 -0100 (Blocked SpamAssassin=15) [1123279] phrrc[at]bankofky.com (Get the right stuff Preview ) Wed, 24 Oct 2007 16:47:46 -0500 (Blocked SpamAssassin=13) [1123280] "dona hammer" (RE:Why You Should Personalize Your Diet Preview ) Wed, 24 Oct 2007 22:58:23 +0200 (Blocked SpamAssassin=20) [1123281] aloysius[at]ohiohills.com ( Preview ) Wed, 24 Oct 2007 19:11:08 +0000 (Blocked SpamAssassin=4) [1123282] andrewrump[at]spamcop.net (October 70% OFF Preview ) (Blocked SpamAssassin=17) [1123283] ttogmbnqfeop[at]bpshopfitting.com.au (Chinese agency cracked down on polluters in September Preview ) Wed, 24 Oct 2007 17:57:49 -0300 (Blocked brazil.blackholes.us) [1123284] ttogmbnqfeop[at]bpshopfitting.com.au (Chinese agency cracked down on polluters in September Preview ) Wed, 24 Oct 2007 17:57:49 -0300 (Blocked brazil.blackholes.us) [1123285] ttogmbnqfeop[at]bpshopfitting.com.au (Chinese agency cracked down on polluters in September Preview ) Wed, 24 Oct 2007 17:57:49 -0300 (Blocked brazil.blackholes.us) ... A lot more Blocked SpamAssassin ... Link to comment Share on other sites More sharing options...
DavidT Posted October 25, 2007 Share Posted October 25, 2007 It certainly looks like everything is working properly. I'm hoping things will improve for you when the new Zen blacklist is added to the mix. DT Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.