[WBEL-users] Re: SpamAssassin without Razor
Randy Kelsoe
randykel@swbell.net
Mon, 25 Oct 2004 18:40:09 -0500
Mike Staver wrote:
> So what I'm trying to say is that if you look at the content of the
> spam, almost all the messages I'm getting slipping through are about
> Viagra and are formatted almost exactly the same. Some spammer
> figured out how to get around SA 2.64 and my guess is that if you
> haven't started to get this kind of spam, you will. I need to figure
> out how to get 3.0 to work on whitebox so I can try that version and
> see if I get any improvement.
>
>
>>
>> On Sunday 24 October 2004 11:19, Mike Staver wrote:
>>
>>> I've heard about razor and spamassassin working nicely together.
>>> However, I'm not sure what razor is exactly or how to implement it. I've
>>> noticed that spammers have really got SA's number for version 2.64, and
>>> almost 60% of all spam is getting into my inbox as of yesterday even
>>> though my threshold is set to 3.5 and I have no custom rules turned on
>>> or off, just using defaults. Is anybody using spamassassin in combo
>>> with something else like razor that helps out at all?
>>
For me, spamassassin is just one of many tools to use against spam. I
have gone from about 4,000 spam emails a day to about 1-2 every 3 days.
I am using MailScanner, spamassassin, procmail filters on each account,
and postfix with their anti-spam options. MailScanner has its own spam
detection, and calls f-prot to scan for viruses. In the procmail filters
for each account, I look for keywords (like bargain, sale, jackpot,
offers, etc.) in the From: field and send those straight to /dev/null.
Any mail from known good addresses goes through an attachment filter,
then goes straight to a mailbox. I have set up 'helo_checks' for postfix
and discard spam from certain IP addresses and certain domain names. I
have enabled blacklists with postfix, and that eliminates quite a few
pieces of spam from known spamming domains. I have analyzed many mail
headers, and when I get something from China, Korea, or Thailand, I look
up the IP address and block the organization's entire IP address range
at the firewall, or in my helo_checks. If you take the time to carefully
examine the mail headers, you will see that a lot of spam comes from the
same IP address range, with many different domain names for the same IP.
I will be glad to share what I have with you, if you like. Email me off
list and I can send you some of my config files that make it work.
RK
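
The header analysis described in the message above (many different names arriving from one IP address range), sketched as an added example that is not part of the original post or the poster's config files. The host name mx.example.org, the Postfix-style Received layout and all sample messages are assumptions constructed for illustration; only the Received line stamped by the receiving server is read, since lines below it are supplied by the sender.

```python
import email
import ipaddress
import re
from collections import defaultdict

OUR_MX = "mx.example.org"  # assumed name of the receiving Postfix host

def _msg(helo, ip, extra=""):
    """Build a constructed test message; not real mail."""
    return (f"Received: from {helo} (unknown [{ip}]) by {OUR_MX} (Postfix)\n"
            f"{extra}From: x@{helo}\nSubject: test\n\nbody\n")

# Constructed samples: documentation IP ranges and made-up host names.
SAMPLES = [
    _msg("mail.cheap-pills.example", "203.0.113.17"),
    _msg("smtp.best-offers.example", "203.0.113.17"),
    # Carries a second, sender-supplied Received line that must be ignored.
    _msg("relay.win-jackpot.example", "203.0.113.200",
         "Received: from a.example (a.example [198.51.100.5]) by b.example\n"),
    _msg("lists.example.net", "192.0.2.44"),
]

# The "from HELO (rdns [IP])" part that Postfix writes in its Received line.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\S+\s+\[([0-9.]+)\]\)")

def client_of(raw):
    """(helo, ip) from the topmost Received line stamped by our own MX."""
    for hdr in email.message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if m and f"by {OUR_MX}" in hdr:
            return m.group(1).lower(), ipaddress.ip_address(m.group(2))
    return None

def group_by_network(raw_messages, prefix=24):
    """Map each /prefix network to the set of HELO names seen from it."""
    nets = defaultdict(set)
    for helo, ip in filter(None, map(client_of, raw_messages)):
        nets[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(helo)
    return nets

def repeat_ranges(raw_messages, min_names=2):
    """Networks that presented at least min_names different HELO names."""
    nets = group_by_network(raw_messages)
    return sorted((str(n), sorted(h)) for n, h in nets.items()
                  if len(h) >= min_names)

if __name__ == "__main__":
    for net, names in repeat_ranges(SAMPLES):
        print(net, "->", ", ".join(names))
```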