From: Antoine Nguyen on 18 Jun 2010 04:36

Hi all,

I'm facing a stupid situation and I'm looking for advice. I'm using a postfix relay to filter viruses and spam. All is working well except with spam that uses the same declared address for both sender and recipient. What happened in this particular situation is described as follows:

* The spam is detected,
* A notification is sent (with the original message as an attachment),
* The targeted recipient in my domain receives that notification.

Conclusion: the spam is passed! I could stop sending notifications but I think my employer would not like it...

I'm sure some of you have already faced and solved this kind of situation. I'm looking for your help :-)

Thanks in advance,
Antoine.

From: Michael Weissenbacher on 18 Jun 2010 05:15

> Conclusion: the spam is passed! I could stop sending notifications but I
> think my employer would not like it...

Short answer:
You should NEVER notify anyone about detected spam! This will effectively make yourself a spam source. It's even worse when you attach the original message.

hth,
Michael

From: Antoine Nguyen on 18 Jun 2010 05:17

On 18/06/2010 11:15, Michael Weissenbacher wrote:
>> Conclusion: the spam is passed! I could stop sending notifications but I
>> think my employer would not like it...
>
> Short answer:
> You should NEVER notify anyone about detected spam! This will
> effectively make yourself a spam source. It's even worse when you attach
> the original message.
>
> hth,
> Michael

I agree with that... but what about false positives?

From: Mark Goodge on 18 Jun 2010 05:28

On 18/06/2010 10:17, Antoine Nguyen wrote:
> On 18/06/2010 11:15, Michael Weissenbacher wrote:
>>> Conclusion: the spam is passed! I could stop sending notifications but I
>>> think my employer would not like it...
>>
>> Short answer:
>> You should NEVER notify anyone about detected spam! This will
>> effectively make yourself a spam source. It's even worse when you attach
>> the original message.
>>
>> hth,
>> Michael
>
> I agree with that... but what about false positives?

There are three main options:

1. Just discard spam.

2. Quarantine spam, and allow the user to check their quarantine folder and release it if necessary.

3. Don't intercept spam, just tag it and leave the actual filtering to the recipient's own system.

I'm not a great fan of quarantining, although it works fairly well for webmail systems where the quarantine can be accessed through the same interface as the inbox (eg, Gmail and Hotmail). It's less helpful where mail is delivered to a POP3 or IMAP box as users have to go to a separate interface to check the quarantine.

Personally, I prefer to have an approach that's split between discarding and tagging - discard anything that's a definite spam, and tag the rest. That way, you minimise the worst effects of spam while not blocking anything that might generate a false positive.

Mark
--
http://mark.goodge.co.uk

From: Antoine Nguyen on 18 Jun 2010 05:35

On 18/06/2010 11:28, Mark Goodge wrote:
> On 18/06/2010 10:17, Antoine Nguyen wrote:
>> On 18/06/2010 11:15, Michael Weissenbacher wrote:
>>>> Conclusion: the spam is passed! I could stop sending notifications
>>>> but I think my employer would not like it...
>>>
>>> Short answer:
>>> You should NEVER notify anyone about detected spam! This will
>>> effectively make yourself a spam source. It's even worse when you
>>> attach the original message.
>>>
>>> hth,
>>> Michael
>>
>> I agree with that... but what about false positives?
>
> There are three main options:
>
> 1. Just discard spam.
>
> 2. Quarantine spam, and allow the user to check their quarantine
> folder and release it if necessary.
>
> 3. Don't intercept spam, just tag it and leave the actual filtering to
> the recipient's own system.
>
> I'm not a great fan of quarantining, although it works fairly well for
> webmail systems where the quarantine can be accessed through the same
> interface as the inbox (eg, Gmail and Hotmail). It's less helpful
> where mail is delivered to a POP3 or IMAP box as users have to go to a
> separate interface to check the quarantine.
>
> Personally, I prefer to have an approach that's split between
> discarding and tagging - discard anything that's a definite spam, and
> tag the rest. That way, you minimise the worst effects of spam while
> not blocking anything that might generate a false positive.
>
> Mark

That's a good approach. I'm already discarding true spam and tagging the rest (amavisd-new tag2 and kill levels). I think I'm going to deactivate notifications and wait for eventual complaints from my users about emails not arriving :-)

Many thanks for those quick answers.

Antoine.