[unisog] .edu's who use SpamCop?

Sylvain Robitaille syl at alcor.concordia.ca
Tue Dec 16 22:15:57 GMT 2003


On Tue, 16 Dec 2003, Rodrigues, Philip wrote:

> We are currently using SpamCop's dynamic list of spammers to reject
> some mail sent to the University.  This has the benefit of blocking
> lots of spam, and the drawback of occasionally blocking legitimate
> mail from sources SpamCop has determined to be spammers.

SpamCop's greatest flaw, in my opinion, is that it almost blindly trusts
the users reporting spam, and that has too much potential for large
amounts of "collateral damage".

I use SpamCop in conjunction with SpamAssassin, to add "weight" to the
probability that a particular message is spam, but I would not use it to
unilaterally tag a message as spam.  The same is true of most of the
blacklists we use (I tested a number of these for several weeks at a
time, and any that resulted in even a single false-positive report were
relegated to "SpamAssassin-only" duty;  two were moved into Sendmail's
own checks, but very few messages get stopped from those).

> I am looking for support for and against this policy:

Spam filtering is only getting harder to do effectively.  My primary
mail server alone has blocked nearly 1 million messages in the past 3.5
months, based on SpamAssassin scores (the block threshold is up around
14 or so, and some rules have been reconfigured with different scores
than the default, in an attempt to reduce false-positives).

I just happened to have been grepping through my mail logs today,
looking for statistics of what spam detection mechanisms have been the
most effective.  SpamAssassin (with use of DNSBLs, but no Razor, Pyzor,
or DCC, and no Bayes, as I haven't yet found a way to make it possible
for all our users to correctly train the Bayesian learner) is certainly
the most effective, but can only go so far before you run into false
positives in an environment such as ours (and I imagine most
universities).

I created a "rule" in MIMEDefang which checks for a host outside of our
network providing an HELO argument which claims to be a host within our
network (or any host in our domain, actually).  This is easily the
second most effective spam-detection mechanism we have, and I can't
think of a single case which would cause a false-positive on this rule.

What frustrates me is the amount of spam that *still* gets through ...

-- 
----------------------------------------------------------------------
Sylvain Robitaille                              syl at alcor.concordia.ca

Systems analyst / Postmaster                      Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
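
The HELO check described in the message above, sketched as an added example for a mimedefang-filter file; it is not the poster's rule and not code from the original message. The domain, the network ranges, the helper names and the choice to reject outright are assumptions, and relay addresses that are not IPv4 are passed through unjudged.

```perl
use strict;
use warnings;

# Placeholder values (assumptions, not from the original post).
my $OUR_DOMAIN = 'example.edu';
my @OUR_NETS   = ('192.0.2.0/24', '127.0.0.0/8');  # loopback counts as inside

# Dotted quad -> 32-bit integer; undef if the string is not an IPv4 address.
sub ip_to_int {
    my ($ip) = @_;
    my @o = ($ip // '') =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/ or return;
    return if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# 1 if the address is in one of our networks, 0 if not, undef if not IPv4.
sub ip_is_ours {
    my ($ip) = @_;
    my $n = ip_to_int($ip);
    return undef unless defined $n;
    for my $cidr (@OUR_NETS) {
        my ($net, $bits) = split m{/}, $cidr;
        my $mask = $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
        return 1 if ($n & $mask) == (ip_to_int($net) & $mask);
    }
    return 0;
}

# True if the HELO argument names a host in our domain or our address space.
sub helo_claims_us {
    my ($helo) = @_;
    my $h = lc($helo // '');
    $h =~ s/\.$//;                      # tolerate a trailing dot
    $h = $1 if $h =~ /^\[(.*)\]$/;      # address literal, e.g. [192.0.2.10]
    return 1 if ip_is_ours($h);         # bare or bracketed IPv4 inside our nets
    # Match on a label boundary so "notexample.edu" does not match.
    return ($h eq $OUR_DOMAIN || $h =~ /\.\Q$OUR_DOMAIN\E$/) ? 1 : 0;
}

# MIMEDefang calls this with the envelope sender, relay IP, relay name and HELO.
sub filter_sender {
    my ($sender, $hostip, $hostname, $helo) = @_;
    my $inside = ip_is_ours($hostip);
    return ('CONTINUE', 'ok') if !defined $inside || $inside;  # ours, or not IPv4
    return ('REJECT', 'HELO name belongs to this site') if helo_claims_us($helo);
    return ('CONTINUE', 'ok');
}
```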