info about spam messages

Tom Allison tallison at tacocat.net
Thu Jun 17 10:42:18 CEST 2004


Tayfun ASKER wrote:
> Hi Tom,
>  I am using bogofilter to classify messages as spam or ham and putting 
> spam classified messages into special spambox folders. I am going to 
> continue with this. But I believe if I can determine frequent spammers, 
> I can block some of the spam flood at MTA level. I am not going to block 
> every address found in the logs automatically. Of course every From or 
> IP address needs validation before being blocked, and because of this 
> building the access list will be a time consuming process. I cannot 
> tell whether it is worth spending some time on it right now. I just want 
> to implement this and see the result.
> 
> Regards,
> 

Don't waste your time with the From header tag.  Seriously, it's going 
to be 99% bogus.  More bogus than anything else you can find on a spam 
message.  To even consider it is a complete waste of time.  It's a great 
idea and I can't discredit you for trying, but you'll quickly find it 
just doesn't pan out.

According to From: tags, I like to spam myself a lot.

I also get a lot of delivery failures that repeat themselves multiple 
times with different From names in a matter of minutes.

About the only thing that you can trust are header tags that are put 
into the message by your machine(s).  The only useful tag in this will 
be the Received tag which identifies the IP address that connected to 
your mail server to deliver the email.

I've been able to block a significant amount of spam at the MTA with 
postfix.  Yesterday's numbers were:

616 total emails
362 blocked by MTA
32  potential spam (23 spam, 9 Unsure)
ZERO incorrect readings (if you don't count Unsure)

IIRC of the 9 Unsure, three of them were ham.  So this puts me at >90% 
spam blockage at the MTA and either 100.0% or ~97% effective when you 
include bogofilter.

I could do even better at the MTA level, but I just haven't gotten there 
yet.  Greylisting is the latest fad.

Additionally, I took a count of my IP addresses that were sending me 
spam a while back and I believe the numbers came up like this (3 months, 
20,000+ emails):
4100+ IP addresses sent me only one spam
<200 sent me the rest of my regular email.
maybe 20 IP addresses sent me spam more than once.

I am not certain of these numbers since I could not find the original 
email.  BTW  http://bogofilter.sourceforge.net/faq.php  bogofilter mail 
archive doesn't...

But the lesson I got here is that unless you are dealing with >>1,000 
emails a day, you probably won't find many repeat customers when it 
comes to catching IP addresses that send spam.

To contradict myself, I do get a lot of repeat IP addresses trying to 
send me spam that gets blocked by my MTA.  But I don't care about them, 
they're already gone.
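The rule in the reply above (trust only the Received header your own MTA stamped, never the From: line) as an added Python example; this is not code from the thread, and the hostname mail.example.net and the sample headers are constructed:

```python
import re
from collections import Counter
from email import message_from_string
from typing import List, Optional

# Hostname of the MTA we control (constructed for this example). Only a
# Received header that this host stamped records which IP really connected.
OUR_HOST = "mail.example.net"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message: str) -> Optional[str]:
    """Peer IP from the Received header OUR_HOST added, or None.

    Received headers are read top-down (newest hop first) and we stop at the
    first one our own host stamped; From: and any Received lines the sender
    wrote below ours are under the sender's control and never consulted.
    """
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())        # unfold continuation lines
        from_part, sep, by_part = flat.partition(" by ")
        if sep and by_part.startswith(OUR_HOST):
            match = IP_RE.search(from_part)      # the [a.b.c.d] of the peer
            return match.group(1) if match else None
    return None


def tally_sources(messages: List[str]) -> Counter:
    """Messages per connecting IP: the count that reveals repeat sources."""
    return Counter(ip for ip in map(connecting_ip, messages) if ip)


# Constructed samples. In SAMPLE_SPAM the From: is the recipient's own address
# and the lower Received line is forged to name our host; neither is used.
SAMPLE_SPAM = """\
Received: from bulk.example.org (bulk.example.org [192.0.2.77])
\tby mail.example.net (Postfix) with ESMTP id 1A2B3C
\tfor <tom@example.net>; Thu, 17 Jun 2004 10:00:00 +0200
Received: from [10.0.0.5] by mail.example.net with SMTP; Thu, 17 Jun 2004 09:59:58 +0200
From: tom@example.net

body
"""
SAMPLE_HAM = """\
Received: from smtp.example.com (smtp.example.com [198.51.100.9])
\tby mail.example.net (Postfix) with ESMTP id 4D5E6F; Thu, 17 Jun 2004 11:00:00 +0200
From: friend@example.com

body
"""
```

Run `tally_sources` over a day's mailbox and the one-off versus repeat IP split the reply describes falls out directly.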
