There is something curious I've noticed... I'm wondering if I'm unique,
and if there's an obvious way to improve my setup.

I was thumbing through my spam folder, and noticed that the bulk of my
spam conformed to a very obvious pattern... On a time period from
minutes to hours, I receive nine identical copies of a spam email from
the same originating IP address all to an identical (often never
published/used) recipient email address. The emails get a high
spamassassin score (between 20 and 40) so I don't see them... but they
do make up a substantial proportion of the volume of spam I'm processing.

I'm interpreting this as a single prolific spamming operation under some
sort of centralised control... based upon the extremely recognisable

The high score often includes a handful of DNS block lists - but this
isn't consistent... and I'm reluctant to completely block email on
account of a DNS block list - since a single false positive would be a
far worse consequence than processing and storing a few thousand spams

I wonder, would it be possible to reject an email identical (same
originating IP; same addressee; same subject) to an email received in
the last minute, say, that had a spamassassin score of over 30? If I
could find a way to do that, I could reduce the volume of spam I have to
process/store by a factor of about 8. Rejecting only emails with
credentials identical to known recent highly scoring spam would make the
risk of false positives minimal.

Does anyone do this already?
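
One way the check asked about above could be implemented, as an added example that is not part of the original post and not SpamAssassin code. The class name, the cache size cap and the sample addresses are assumptions; since the Subject header only arrives with the message data, a mail server would have to call `should_reject` at end of DATA.

```python
import time
from collections import OrderedDict

class RecentSpamCache:
    """Remembers (client IP, recipient, subject) of recent high-scoring spam."""

    def __init__(self, window=60.0, threshold=30.0, max_entries=10000):
        self.window = window            # seconds a fingerprint stays live ("the last minute")
        self.threshold = threshold      # score a message must exceed to be remembered
        self.max_entries = max_entries  # assumed cap so the cache cannot grow unbounded
        self._seen = OrderedDict()      # fingerprint -> time recorded, oldest first

    @staticmethod
    def fingerprint(ip, rcpt, subject):
        # Normalise case and whitespace so trivial variations still match.
        return (ip.strip(), rcpt.strip().lower(), " ".join(subject.split()))

    def _expire(self, now):
        # Drop entries older than the window, or the oldest ones when over the cap.
        while self._seen:
            key, ts = next(iter(self._seen.items()))
            if now - ts <= self.window and len(self._seen) <= self.max_entries:
                break
            del self._seen[key]

    def record(self, ip, rcpt, subject, score, now=None):
        """Call after SpamAssassin has scored a message that was accepted."""
        now = time.time() if now is None else now
        if score > self.threshold:
            key = self.fingerprint(ip, rcpt, subject)
            self._seen.pop(key, None)   # re-insert to keep oldest-first order
            self._seen[key] = now
        self._expire(now)

    def should_reject(self, ip, rcpt, subject, now=None):
        """True if an identical message scored above threshold within the window."""
        now = time.time() if now is None else now
        self._expire(now)
        return self.fingerprint(ip, rcpt, subject) in self._seen

if __name__ == "__main__":
    # Constructed sample values (documentation IP range and example.org).
    cache = RecentSpamCache()
    msg = ("192.0.2.10", "unused@example.org", "Cheap pills")
    cache.record(*msg, score=35.2, now=1000.0)
    print(cache.should_reject(*msg, now=1030.0))   # second copy, 30 s later
    print(cache.should_reject(*msg, now=1061.0))   # after the window has passed
```

Only messages that already scored above the threshold create an entry, so a first copy is always accepted and scored normally.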