EmailDiscussions.com  

Old 24 Apr 2019, 02:43 PM   #31
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,458
Quote:
Originally Posted by SideshowBob View Post
Lots of spam passes those tests these days. It's only worth anything if it's combined with some kind of domain reputation information.
Agreed. And, what fraction of ham passes those tests, and more importantly, (how) is FM evaluating domain reputation?
Old 27 Apr 2019, 09:27 PM   #32
snappy
Junior Member
 
Join Date: Nov 2014
Posts: 8
I have a FreeBSD server that runs a daily security check and emails the result. There are numerous brute-force SSH attempts with suspicious reverse DNS which seems to trip a lot of the filters. Sometimes VADESPAM appears with a +5 increment tipping over my custom threshold of 8. If it weren't for VADESPAM, false positives would be highly unlikely.

I think FM should ditch VADESPAM. Using this thread as a reference it doesn't seem to benefit its users. Furthermore it's a proprietary black box check. Transparency in spam filtering is key; I like to fully understand how spam scores are being derived for each message. This is one of the key reasons I dislike Gmail.
Old 27 Apr 2019, 10:12 PM   #33
paleolith
Cornerstone of the Community
 
Join Date: Mar 2002
Location: Florida
Posts: 545
Quote:
Originally Posted by snappy View Post
I think FM should ditch VADESPAM.
Based on my experience (see posts above), I think changing its score to +2 would make it useful without being overwhelming.

I see no evidence that it shouldn't be added to the bag of tools. The problem is that with a score of +5, FM is basically saying that a positive hit is absolutely always correct.

Quote:
Using this thread as a reference it doesn't seem to benefit its users.
Absence of evidence is not evidence of absence.

We don't know how many users FM has, but it's plainly obvious that far under 1% ever post here -- probably far under 1% of 1%. Happy users aren't talking about VADESPAM. This thread is extremely lopsided for the combination of these reasons.

Edward
Old 30 Apr 2019, 07:02 AM   #34
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 278
ME_VADESPAM works well for me, I've seen a few FPs on the rule, but they all occurred in a single 4 day period in December, so I'm willing to put that down to teething problems.

Scoring it at 5.0 is not saying that anything that hits the rule will be treated as spam, if you have a well-trained Bayes most of your ham should have a negative score.

VADE is a full spam filter in its own right; IMO it doesn't make any sense to score it below 4.2 or it can't help with spams that go through SA hitting nothing but BAYES_50.
Old 30 Apr 2019, 08:37 AM   #35
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 278
Quote:
Originally Posted by snappy View Post
I have a FreeBSD server that runs a daily security check and emails the result. There are numerous brute-force SSH attempts with suspicious reverse DNS which seems to trip a lot of the filters. Sometimes VADESPAM appears with a +5 increment tipping over my custom threshold of 8. If it weren't for VADESPAM, false positives would be highly unlikely.
Whitelist it or have it bypass spam filtering.

You are emailing text that probably contains the hostnames of compromised servers, some of which may have been controlled by spammers or used for hosting malware.

There may also be anomalies in your setup that suggest it's not a well run mail server. Bear in mind that Fastmail is very lax about what they accept via their MTA and will accept things that most mail servers would reject outright.
Old 30 Apr 2019, 08:42 AM   #36
snappy
Junior Member
 
Join Date: Nov 2014
Posts: 8
Quote:
Originally Posted by SideshowBob View Post
Whitelist it or have it bypass spam filtering.

You are emailing text that probably contains the hostnames of compromised servers, some of which may have been controlled by spammers or used for hosting malware.

There may also be anomalies in your setup that suggest it's not a well run mail server. Bear in mind that Fastmail is very lax about what they accept via their MTA and will accept things that most mail servers would reject outright.
Correct - it's definitely the bad SSH attempts with the reverse DNS pointing at compromised hosts.

Here's a snippet of the spam hits header:

Code:
X-Spam-score: 8.7
X-Spam-hits: BAYES_00 -1.9, ME_FROM_EQ_TO 0.01, ME_NOAUTH 0.01,
        ME_NOAUTH_FROM_EQ_TO 1.5, ME_VADESPAM 5, ME_ZS_CLEAN -0.001,
        URIBL_DBL_SPAM 3, URI_HEX 1.122, LANGUAGES unknown, BAYES_USED user,
        SA_VERSION 3.4.2
Without VADESPAM and a score threshold of 8, it'd be incredibly rare to have false positives or negatives. I've had this cronjob and spam filtering set up for years. Only had issues since VADESPAM. I now have rules to bypass cron emails for spam.
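An added example (not written by any poster in this thread, and not Fastmail's code): it parses the X-Spam-hits header quoted in post #36, checks that the per-rule scores add up to the reported 8.7, and re-scores the message with ME_VADESPAM at the +2 suggested in post #33 and with the rule removed. The function names and the `>=` comparison against the threshold are assumptions of the example.

```python
import re

# Header text copied from post #36 on this page (trailing whitespace stripped).
SAMPLE_HEADERS = """\
X-Spam-score: 8.7
X-Spam-hits: BAYES_00 -1.9, ME_FROM_EQ_TO 0.01, ME_NOAUTH 0.01,
        ME_NOAUTH_FROM_EQ_TO 1.5, ME_VADESPAM 5, ME_ZS_CLEAN -0.001,
        URIBL_DBL_SPAM 3, URI_HEX 1.122, LANGUAGES unknown, BAYES_USED user,
        SA_VERSION 3.4.2
"""

def parse_spam_hits(raw):
    """Return (rules, info): scored rules as {name: float}, the rest as {name: str}."""
    # Unfold RFC 5322 continuation lines (line break followed by whitespace).
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    match = re.search(r"^X-Spam-hits:[ \t]*(.*)$", unfolded, re.M | re.I)
    if not match:
        raise ValueError("no X-Spam-hits header found")
    rules, info = {}, {}
    for item in match.group(1).split(","):
        name, _, value = item.strip().partition(" ")
        if not name:
            continue
        try:
            rules[name] = float(value)
        except ValueError:
            # e.g. "LANGUAGES unknown", "SA_VERSION 3.4.2": metadata, not a score
            info[name] = value.strip()
    return rules, info

def total(rules, overrides=None):
    """Sum rule scores; overrides maps a hit rule's name to a new score (None drops it)."""
    overrides = overrides or {}
    rescored = (overrides.get(name, score) for name, score in rules.items())
    return round(sum(s for s in rescored if s is not None), 3)

def verdicts(raw, threshold=8.0):
    """Verdict as delivered, with ME_VADESPAM at +2, and with the rule removed."""
    rules, _ = parse_spam_hits(raw)
    cases = {"as scored": None, "VADESPAM at +2": {"ME_VADESPAM": 2.0},
             "VADESPAM removed": {"ME_VADESPAM": None}}
    # Assumption: a message is filed as spam when its score is >= the threshold.
    return {label: (total(rules, ov), total(rules, ov) >= threshold)
            for label, ov in cases.items()}

if __name__ == "__main__":
    for label, (score, is_spam) in verdicts(SAMPLE_HEADERS).items():
        print(f"{label:18} {score:6.3f}  {'spam' if is_spam else 'ham'}")
```

The default threshold of 8 is the custom value from post #30; pass a different `threshold` to test other settings against the same header.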
Old 19 May 2019, 02:28 AM   #37
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,458
Quote:
Originally Posted by snsh View Post
[reasons]...
I don't advocate for whitelisting those TLDs, but bias the total score. Say, -10 for .MIL signatures and -5 for .GOV signatures.
Yes, for DKIM-signed, weights like you proposed make sense.
All times are GMT +9.