[WBEL-users] Re: SpamAssassin without Razor

Randy Kelsoe randykel@swbell.net
Mon, 25 Oct 2004 18:40:09 -0500


Mike Staver wrote:

> So what I'm trying to say is that if you look at the content of the 
> spam, almost all the messages I'm getting slipping through are about 
> Viagra and are formatted almost exactly the same.  Some spammer 
> figured out how to get around SA 2.64 and my guess is that if you 
> haven't started to get this kind of spam, you will. I need to figure 
> out how to get 3.0 to work on whitebox so I can try that version and 
> see if I get any improvement.
>
>
>>
>> On Sunday 24 October 2004 11:19, Mike Staver wrote:
>>
>>> I've heard about razor and spamassassin working nicely together.
>>> However, I'm not sure what razor is exactly or how to implement it. I've
>>> noticed that spammers have really got SA's number for version 2.64, and
>>> almost 60% of all spam is getting into my inbox as of yesterday even
>>> though my threshold is set to 3.5 and I have no custom rules turned on
>>> or off, just using defaults.  Is anybody using spamassassin in combo
>>> with something else like razor that helps out at all?
>>

For me, spamassassin is just one of many tools to use against spam. I 
have gone from about 4,000 spam emails a day to about 1-2 every 3 days. 
I am using MailScanner, spamassassin, procmail filters on each account, 
and postfix with their anti-spam options. MailScanner has its own spam 
detection, and calls f-prot to scan for viruses. In the procmail filters 
for each account, I look for keywords (like bargain, sale, jackpot, 
offers, etc.) in the From: field and send those straight to /dev/null. 
Any mail from known good addresses goes through an attachment filter, 
then goes straight to a mailbox. I have set up 'helo_checks' for postfix 
and discard spam from certain IP addresses and certain domain names. I 
have enabled blacklists with postfix, and that eliminates quite a few 
pieces of spam from known spamming domains. I have analyzed many mail 
headers, and when I get something from China, Korea, or Thailand, I look 
up the IP address and block the organization's entire IP address range 
at the firewall, or in my helo_checks. If you take the time to carefully 
examine the mail headers, you will see that a lot of spam comes from the 
same IP address range, with many different domain names for the same IP.

I will be glad to share what I have with you, if you like. Email me off 
list and I can send you some of my config files that make it work.

RK
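
The header analysis described in the message above (many different domain names arriving from the same IP address range), as an added example that is not part of the original post or the poster's config files. It assumes Postfix-style `Received:` lines and that the topmost `Received:` header is the one written by the receiving server; the sample messages, host names and addresses are constructed.

```python
import email
import ipaddress
import re
from collections import defaultdict

# Postfix-style trace line: "from <helo> (<rdns> [<ip>]) by ..."
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^\[\]]*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

def cluster_by_network(raw_messages, prefix=24):
    """Map each client network to the set of HELO names seen from it."""
    clusters = defaultdict(set)
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        # Only the topmost Received header was written by our own MTA;
        # everything below it is supplied by the sender and can be forged.
        received = msg.get_all("Received") or []
        if not received:
            continue
        m = RECEIVED_RE.search(received[0])
        if not m:
            continue
        helo, ip = m.group(1).lower(), m.group(2)
        try:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        except ValueError:
            continue  # not a valid IPv4 address, e.g. an octet above 255
        clusters[str(net)].add(helo)
    return dict(clusters)

def repeat_networks(clusters, min_names=2):
    """Networks that presented at least min_names different HELO names."""
    return sorted(n for n, names in clusters.items() if len(names) >= min_names)

def sample_msg(helo, ip, subject):
    # Constructed sample message (documentation IP ranges, example domains).
    return (f"Received: from {helo} (unknown [{ip}])\n"
            f"\tby mx.example.org (Postfix) with SMTP id ABC123\n"
            f"Received: from forged.example.net ([10.0.0.1]) by {helo}\n"
            f"From: sales@{helo}\nSubject: {subject}\n\nbody\n")

SAMPLES = [
    sample_msg("mail.pills-one.example", "203.0.113.17", "offer"),
    sample_msg("smtp.cheap-meds.example", "203.0.113.200", "bargain"),
    sample_msg("mx.jackpot-now.example", "203.0.113.17", "jackpot"),
    sample_msg("mail.friend.example", "198.51.100.5", "lunch?"),
]

if __name__ == "__main__":
    found = cluster_by_network(SAMPLES)
    for net in repeat_networks(found):
        print(net, sorted(found[net]))
```

A network that shows up here is a candidate for review, not an automatic block: shared hosting and large mail providers also send many domains from one range.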