Thread: Re: I know how it works, but...
| Re: I know how it works, but... |
  United States |
2007-04-18 12:21:29 |
Behalf Of Robert LeBlanc
> Kurt Buff wrote:
> > While this sounds very doable, what impact will this have on the cache? Will
> > a domain/super administrator have more work to do to clear it periodically?
> > Any other impacts that might have on maintenance?
>
> Well, the first thing users will notice is that their spam quarantine
> count will look wrong when they login. They'll see that they have, say,
> 320 spam items quarantined, but when they look at the actual spam
> quarantine they may see a much smaller number, say 80, and this may lead
> them to wonder where the other 240 items went. This could lead to some
> interesting questions coming at you from users, unless you also adjust
> the SQL query on the welcome.php page to only provide the count of items
> that score lower than your threshold.

Worth noting - thanks.

> The second side-effect is that the items that score above this magic
> threshold will be largely neglected unless the administrators
> impersonate each user's account and do the confirmation of those
> high-scoring spam items for them. Otherwise those items will hang
> around until they age past the expiry threshold (and thus get deleted by
> the expire-quarantine-cache script). To make sure you at least get the
> Bayes training benefit out of those items, I'd suggest that you enable
> SpamAssassin's auto-learning mechanism, and set the auto-learn threshold
> for spam to the same threshold you're using for this magic cutoff. That
> way everything that scores at least that high will be auto-learned by
> the Bayes as spam anyway, regardless of whether administrators confirm
> them. Then all you'd really lose is the ability to /report/ that
> high-scoring spam (which can only be done by confirming it).

I've got autolearning turned on - I've always liked that idea.

> > I'm still trying to convince HR/execs that the current web interface (which
> > they haven't explored much) is a sufficient barrier to mitigate their
> > concerns - I've broached the chestnut that not all corporate computer
> > problems have a technical solution, and that in those cases, a
> > managerial/policy/educational solution is the better answer. We'll see.
>
> It's probably also worth noting that even if one of your users does
> release some quarantined spam and decides to forward it along to a
> co-worker, the mail will more than likely just end up in the receivers'
> spam quarantines, so the problem your bosses are trying to solve may not
> really exist after all.

How would this work? The MM machine is a gateway to our Exchange server -
once MM has passed judgement on the email, and it's been released from
quarantine, it'll never see the MM box again. Unless you mean that there are
rules in Outlook that pay attention to the headers, and pass emails with
spam markup from MM to a folder, and that such markup isn't stripped when an
email is released from quarantine.

> You're correct to point out to them that basing this policy decision of
> theirs on an abstract score threshold is not likely to achieve what
> they're looking for, though. The only way to guarantee that it will do
> what they want is to boost the score values of the individual rules that
> indicate the kind of content they want to prohibit, such that if even
> one of those rules triggers, the score is guaranteed to be above the
> magic threshold. You'd do that by adding a bunch of "score" overrides
> in your local.cf file. If your magic threshold was, say, 15, then you'd
> have entries like:
>
> score RULE_X 15.0
> score RULE_Y 15.0
> score RULE_Z 15.0
> ...etc...
>
> If you wanted to get a bit more sophisticated, you could add some custom
> META-rules that provide a score boost when particular combinations of
> other rules trigger together.
>
> Either way it's not pretty, and it's not really foolproof; offensive
> spam is going to slip through at some (hopefully very low) false
> negative rate, and that stuff won't even get quarantined--it will end up
> getting delivered to the recipients' inboxes as if it were legitimate
> mail. If that sort of thing is going to get the execs up in arms, then
> perhaps they need to be reminded that no spam filter on the planet is
> going to be 100% effective--Maia can get you above 99%, but the harder
> you drive toward 100% from there, the more false positives you invite.

I can play with scoring in conjunction with the SQL queries. That might
prove useful.

I just had a thought, and wondered how much merit it has. I haven't trolled
through my current spam quarantine (on an older system using amavisd-new and
spamassassin), but it seems to me that the most offensive porn spam doesn't
actually contain the images as gifs/jpegs, but that instead they are using
urls that load offsite images.

Is this the case?

Would it be possible in such a case to simply rewrite mails that score high
on the porn scores so that those urls are defanged (and the emails are still
quarantined as spam?)

Universally defanging emails would cause howls from end-users who lose
formatting of their favorite weather/joke/marketing/whatever emails, but
selective defanging might prove useful.

Kurt
_______________________________________________
Maia-users mailing list
Maia-users renaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users
| Re: I know how it works, but... |
  Canada |
2007-04-19 00:27:46 |
Kurt Buff wrote:
>> It's probably also worth noting that even if one of your users does
>> release some quarantined spam and decides to forward it along to a
>> co-worker, the mail will more than likely just end up in the receivers'
>> spam quarantines, so the problem your bosses are trying to solve may not
>> really exist after all.
>
> How would this work? The MM machine is a gateway to our Exchange server -
> once MM has passed judgement on the email, and it's been released from
> quarantine, it'll never see the MM box again.

Ah, in that case you're right--unless the mail is getting processed
through Maia again it won't get quarantined again. Many sites have Maia
installed on the organization's mail server itself, in which case
internal mail gets routed through Maia as usual, but in your case (where
Maia is run on a separate gateway server, with an internal mail server
handling internal-only email) that benefit won't be available.

> Unless you mean that there are
> rules in Outlook that pay attention to the headers, and pass emails with
> spam markup from MM to a folder, and that such markup isn't stripped when an
> email is released from quarantine.

That's another possibility, of course, though it would require you to
configure some rules on the Exchange Server to look for indications in
the mail headers of internally-circulated email. Not really advisable
as a solution, though--you don't want to be asking Exchange Server to do
its own quarantining in addition to Maia's upstream quarantining.

> I just had a thought, and wondered how much merit it has. I haven't trolled
> through my current spam quarantine (on an older system using amavisd-new and
> spamassassin), but it seems to me that the most offensive porn spam doesn't
> actually contain the images as gifs/jpegs, but that instead they are using
> urls that load offsite images.
>
> Is this the case?

In many cases, yes. Doing so has a couple of benefits for the spammer:

(1) It reduces the size of the mailing, so he can pump out more copies
of the spam in less time, and

(2) It provides a tracking mechanism (so-called "web bugs") that allows
the spammer to tell whether a given recipient opened the email, by
correlating the URL with the hits in his web server logs when the
recipient's mail client sends the request to load those images. This
tells him not only what percentage of the recipients actually saw the ad
images, it also tells him which email addresses those were. These
"eager prospects" then become more valuable addresses for repeat
targeting, demographic profiling, and eventual resale to other spammers.

> Would it be possible in such a case to simply rewrite mails that score high
> on the porn scores so that those urls are defanged (and the emails are still
> quarantined as spam?)

Well, there are some issues with respect to defanging that make me
hesitant to do anything like this. The main concern is a technical
one--defanging implies modifying the mail contents, and that breaks
signature and encryption schemes that are designed specifically to
/prevent/ tampering with the contents. This mailing list posting, for
instance, bears my digital signature as an assurance that the mail was
written by me, and that no one along the way between here and there did
anything to edit my words. With my public key, you--the recipient--can
verify that the contents of this mail are just the same as they were
when I sent it.

Altering the mail contents--whether to remove/neuter offensive URLs, add
policy/disclaimer footers, or censor profanity--is necessarily a messy
business, and one that invites criticism on a number of levels. The
least-offensive policy for dealing with offensive content is to flag
and/or quarantine it in its entirety--which is precisely what Maia does.

Mail viewed through Maia's web-based mail viewer /is/ defanged in its
"decoded" view, and the "raw" view doesn't follow any URLs anyway (it
just displays the raw message source). If you choose to release the
item from the quarantine, though, what you receive will be the original
email with all of its offensiveness intact.

- --
Robert LeBlanc <rjl renaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamailguard.com/>
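
The trade-off discussed in the last reply, as an added Python example that is not part of the thread and not Maia's own code: remote auto-loaded images (the "web bug" case) are made inert in a display copy only, and a SHA-256 digest stands in for what a signature covers, showing that the same rewrite applied to the delivered mail would no longer match. The sample body, the `example.invalid` URLs and the `data-blocked-` attribute name are constructed for illustration.

```python
import hashlib
from html import escape
from html.parser import HTMLParser

# (tag, attribute) pairs a mail client fetches automatically when rendering.
AUTO_FETCH = {("img", "src"), ("body", "background"), ("td", "background")}
REMOTE_PREFIXES = ("http://", "https://", "//")

class DisplayDefanger(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], []

    def _emit(self, tag, attrs, closing=""):
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            remote = value.strip().lower().startswith(REMOTE_PREFIXES)
            if (tag, name) in AUTO_FETCH and remote:
                self.blocked.append(value)
                name = "data-blocked-" + name  # renamed, so nothing is fetched
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + closing + ">")

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def defang_for_display(html_body):
    """Return (display_copy, blocked_urls); HTML comments and doctype are dropped."""
    parser = DisplayDefanger()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked

def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Constructed sample: the image URL carries a per-recipient token ("web bug").
SAMPLE_BODY = ('<html><body><p>Special offer &amp; more</p>'
               '<img src="http://ads.example.invalid/pix.gif?rcpt=tok123" width="1">'
               '<a href="http://shop.example.invalid/">visit</a></body></html>')
```

Calling `defang_for_display(SAMPLE_BODY)` leaves the clickable link alone and blocks only the image that would load on open; the stored original stays byte-identical, so releasing it from quarantine still delivers a message whose signature verifies.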