On Wed, Oct 12, 2005 at 01:33:55AM -0400, Rob McEwen wrote:
> I have to correct something... I misspoke. I **used** to use SURBLs for checking headers. I had forgotten that I had stopped doing so a few months ago because (1) too many FPs (for my admitted strict standards), and (2) I made enough great improvements in other parts of my filtering that I felt I could back off on the SURBL-checking of headers.
I'd only be checking the From:, Reply-To:, and Message-Id: (and, possibly, if I were to find a reason to do so, References: and In-Reply-To:), not the Received: or To: or Cc: etc. By "find a reason" I usually mean "get pissed that I got spam I could have blocked by the proper and appropriate application of just one more check" ;)
I'll admit I share JeffC's confusion about why legit mail would contain known spammer domains in the headers, but it sounds like you were more referring to IPs that had been the result of resolving a spammy domain, right?
> Most often, if an FP occurred, it was because an IP address used in a spammer's URL would, for whatever reason, also appear in the headers of legit messages.
OK. Where in the headers? Do you recall? (No biggie if you can't)
> I recall catching about 50 extra spams a day on my 10K messages/day server by checking the header against SURBL. Statistically, not that much, but every 1/2 percent counts for something and these were ones which, at that time, wouldn't have been caught otherwise.
Good, that's what I'm hoping for. I'm literally down to <10/day, less than that if you consider 419 spam the price of allowing hotmail to relay to any of your users :/ I'd like to achieve a spam-free day here, and I'm looking for the last in the line of defenses, without accepting and analyzing the messages.
> I don't think that processing SURBL against headers was a big processing drain... but the FPs were too high for my very strict tastes. Still, it is a VERY good indicator of spam and might work well if integrated into a scoring system and not outright blocked for that alone.
My test implementation simply "tags" suspected messages with a header for filtering via procmail. I haven't seen any hits or FPs yet, but it's early days. But if my analysis is correct, it could mean as much as 1/3 of the spam I let in so far this month could have been caught and rejected.
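As an added illustration (not code from this thread, nor from any SURBL client), a Python sketch of the tagging approach described above: it pulls domains from only the From:, Reply-To: and Message-Id: headers, checks them against a constructed stand-in for the SURBL list (a real client issues a DNS query under multi.surbl.org), and tags hits with a header for procmail instead of rejecting. The sample messages, the header name and the listed domain are all constructed for the example.

```python
import email
import re
from email import policy

# Only the headers the reply proposes checking; Received:, To:, Cc: etc.
# are deliberately left out, which is what keeps the ham sample clean below.
CHECKED_HEADERS = ("From", "Reply-To", "Message-Id")

# Constructed stand-in for a SURBL lookup (really a DNS A query for
# <domain>.multi.surbl.org). Listing this name is an assumption of the
# example, not a claim about any real domain.
CONSTRUCTED_LISTING = {"spammy-example.test"}

# The TLD must be alphabetic, so bare IP addresses never match: the thread
# names IPs from spammer URLs turning up in legit headers as the FP source.
DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)


def registrable(host):
    """Collapse a hostname to its last two labels. This is a simplification
    of the two-/three-level handling a real SURBL client performs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def header_domains(msg):
    """Set of registrable domains found in CHECKED_HEADERS only."""
    found = set()
    for name in CHECKED_HEADERS:
        for value in msg.get_all(name, []):
            for host in DOMAIN_RE.findall(str(value)):
                found.add(registrable(host))
    return found


def tag_message(raw, listed=CONSTRUCTED_LISTING):
    """Tag rather than block: add X-Header-SURBL naming the listed domains,
    leaving the accept/score decision to procmail. Returns (message, hits)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = sorted(d for d in header_domains(msg) if d in listed)
    if hits:
        msg["X-Header-SURBL"] = ", ".join(hits)
    return msg, hits


# Constructed samples: the spam carries the listed domain in checked headers;
# the ham carries it only in Received:, which must not trigger a tag.
SAMPLE_SPAM = ("From: \"Deals\" <promo@mail.spammy-example.test>\n"
               "Reply-To: promo@spammy-example.test\n"
               "Message-Id: <abc123@spammy-example.test>\n\nbody\n")
SAMPLE_HAM = ("From: Alice <alice@example.org>\n"
              "Received: from mail.spammy-example.test by mx.example.org\n"
              "Message-Id: <xyz@mx1.example.org>\n\nbody\n")
```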