Interesting games with spam-assassin.

Ceri Davies setantae at submonkey.net
Thu Sep 4 22:28:25 BST 2003


On Thu, Sep 04, 2003 at 08:10:01PM +0100, Josef Karthauser wrote:
> I've been playing around with my spam-assassin configuration and thought
> I'd share some things.
>
> Most people probably run spam-assassin locally on their mailbox using
> procmail, but it's becoming more popular to have the MTA filter mail as
> it passes through the SMTP channel.  This is what I do on transwarp
> before forwarding the mail onto the list server at Easynet. What
> I've noticed however is that spam-assassin doesn't necessarily do
> anything sensible if the mail that it is looking at has already
> been marked as spam by another spam-assassin in the chain.  In the
> case of the list things can get quite complicated because one of my
> secondary MX's appears to be running spam-assassin over all mail
> that passes through the server (jump.org.uk), even mail that is
> being relayed.  I'm running spam assassin here and then Easynet appear
> to be running it there too.  Then the mail gets sent to the
> list-members, many of which are running spam-assassin.
>
> Here's an example:
>
>     51951 Prespamassassinated! Removing headers!!
>     51951 X-Spam-Level: ******
>     51951 DOM: tao.org.uk [brueffer at FreeBSD.org joe at tao.org.uk]
>     51951  spam!!
>     51951 X-Spam-Level: ***********
>
> This is a piece of spam that I've just received, supposedly from
> 'brueffer at FreeBSD.org' to 'joe at tao.org.uk'.  It came in already
> spam-assassinated, with a spam level of 6.  After reversing the
> assassination that was previously done I ran spam-assassin on it again,
> and this time it got locally assigned a level of 11.

I've also noticed this since I started rejecting mail with more than 12
spamassassin points at SMTP time; mail that has already been filtered
through seems to be accepted even though it scores over that (I chose 12
as a level at which I was reasonably "certain" that the mail would be spam).
Everything else gets let through (unless clamav thinks it contains a virus),
with no spamassassin headers (or rather, my MTA doesn't add them; if they
were there before then they stay there) and local users can then filter more
aggressively if they so wish.  Zero false positives so far.

I'm only doing this for mail incoming to submonkey.net though, which has no
paying customers (so the users get what they're given).

> What to do?  I think that the only sensible thing to do is to ignore any
> spam-assassin that others do in passing, (with spamassassin -d) and then
> re-classify it locally.  That is what I'm going to do with the list mail
> at least.  I'll reverse and redo spamassassination and then throw the
> mail away if I locally think that it's spam.  This should cut the spam
> level to the list down by most of it.
>
> Does this sound a sensible approach?

I'd say so, yes.

> I wonder what the ethics are of filtering mail that is being relayed for
> others.  Am I doing a service by doing this, or is it none of my
> business?  I kind of feel the latter, and would adopt that I don't filter
> for mail that is being relayed, but do for mail that lands locally (that
> is my responsibility).  There's a grey area here in which I have mail
> addresses locally, like the ukug.uk.freebsd.org ones, which actually get
> forwarded on to another address.  I feel that these are actually local
> addresses and so should be filtered.

I'd agree with the latter idea too, although my MTA (exim, though I'm sure
others allow it) has enough hooks that I could trivially implement the
550-incoming-mail-over-12-points check, while allowing users who don't want
it to opt out (or vice versa).

For the case in point of this list, however, I'd suggest that a bit of
mandatory spam filtering is fair game, if you have the resources to do it.

Ceri
-- 
User: DO YOU ACCEPT JESUS CHRIST AS YOUR PERSONAL LORD AND SAVIOR?
Iniaes: Sure, I can accept all forms of payment.
                                           -- www.chatterboxchallenge.com
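
Added example, not part of the original message or of SpamAssassin: a Python illustration of the approach discussed in this thread, discarding X-Spam-* headers written by earlier hops and basing the SMTP-time decision only on a local score (reject over 12 points). The sample message and the local_scorer callable are constructed assumptions; a real deployment would call the local spamassassin there, and unlike "spamassassin -d" this strips headers only and does not undo any body rewriting.

```python
import email
from email import policy

REJECT_OVER = 12.0  # points; the SMTP-time threshold mentioned in the thread

# Constructed sample: a message that arrives already marked by an upstream hop.
SAMPLE = (
    b"Received: from mx2.example.net by mx1.example.org\r\n"
    b"X-Spam-Flag: YES\r\n"
    b"X-Spam-Level: ******\r\n"
    b"From: sender@example.com\r\n"
    b"To: user@example.org\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"body\r\n"
)

def strip_upstream_verdict(raw):
    """Remove X-Spam-* headers set by earlier hops; return (msg, removed)."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    removed = [(k, v) for k, v in msg.items() if k.lower().startswith("x-spam-")]
    for name in {k for k, _ in removed}:
        del msg[name]  # deletes every occurrence, case-insensitively
    return msg, removed

def smtp_time_decision(raw, local_scorer, reject_over=REJECT_OVER):
    """Score the cleaned message locally and ignore any upstream verdict."""
    msg, removed = strip_upstream_verdict(raw)
    upstream = max((v.count("*") for k, v in removed
                    if k.lower() == "x-spam-level"), default=None)
    score = float(local_scorer(msg))
    return {
        "action": "reject" if score > reject_over else "accept",
        "local_score": score,
        "upstream_level": upstream,  # kept for logging only, never trusted
        "stripped": [k for k, _ in removed],
    }

if __name__ == "__main__":
    # Hypothetical stand-in for the local SpamAssassin score.
    print(smtp_time_decision(SAMPLE, lambda msg: 11.0))
```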

More information about the Ukfreebsd mailing list