[Rspamd-Users] Questions regarding how to increase rspamd's coverage on abused legitimate services/"living off trusted services" (LOTS)

G.W. Haywood rspamd at jubileegroup.co.uk
Sat Mar 23 12:56:59 UTC 2024


Hi there,

On Sat, 23 Mar 2024, Tobias Westerhever via Users wrote:

> ...
> My ideas are as follows:
> ...
> ...
> What do you think?

Everything you've said is about looking at the message content.

As far as I'm concerned there are no "trusted services".

> Any additional improvement potential I forgot ...?

Look at the message headers.

The longer I work with mail abuse, the less I look at message content.
Yes of course there's something to be said for taking a quick look at
the content, but I tend not to get into it too deeply.  It's been my
experience, in more than a quarter of a century of fighting both spam
and malicious mail, that when you start to analyse message content in
depth (1) returns diminish much more rapidly than effort escalates and
(2) the effort we're talking about is both brain power and CPU cycles.

I find that I can make much more difference with much less effort by
looking at, for example, where the message came from rather than what
the message contains.

As far as I'm concerned, if a message has a URL or an attachment then
it's immediately suspect, and, for example, I tend to have lists of
things which won't be rejected rather than lists of things which will.
If nothing else this makes for very much shorter lists which are much
easier to manage.

My advice is don't go where you propose to go; it will be painful, it
isn't actually necessary, and ultimately you'll find that you'll be
fighting a losing battle.

But if you do decide to go there, by all means keep us posted. :)

-- 

73,
Ged.
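
Added example, not part of the original message: a minimal Python sketch of the approach described above, where a message carrying a URL or an attachment is suspect by default and only a short allowlist keyed on where it came from lets it through. Assumptions: the allowlist holds relay networks, the topmost Received header was written by your own MTA, and "suspect" is simplified to "reject"; the addresses and messages are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: the short list of "things which won't be rejected" is keyed on
# the connecting relay's network. 192.0.2.0/24 is a constructed example range.
ALLOWED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]

URL_RE = re.compile(r"https?://", re.I)
RELAY_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPv4 only, for brevity

def relay_ip(msg):
    """Client IP from the topmost Received header (the one our own MTA added)."""
    received = msg.get_all("Received") or []
    match = RELAY_RE.search(received[0]) if received else None
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:  # bracketed text that is not a valid address
        return None

def is_suspect(msg):
    """True if any part is an attachment or any text part carries a URL."""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            return True
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            if URL_RE.search(body.decode("utf-8", "replace")):
                return True
    return False

def verdict(raw):
    """Default-deny for suspect mail; only allowlisted origins get through."""
    msg = message_from_string(raw)
    if not is_suspect(msg):
        return "accept"
    ip = relay_ip(msg)
    if ip is not None and any(ip in net for net in ALLOWED_RELAYS):
        return "accept"
    return "reject"

def sample(ip, body):
    """Build a constructed single-part test message arriving from `ip`."""
    return (f"Received: from relay.example.net (relay.example.net [{ip}]) "
            f"by mx.example.org; Sat, 23 Mar 2024 12:00:00 +0000\n"
            f"From: sender@example.net\nSubject: test\n\n{body}\n")

if __name__ == "__main__":
    for ip, body in [("203.0.113.7", "See you at noon."),
                     ("203.0.113.7", "Log in at https://example.com/x"),
                     ("192.0.2.10", "Log in at https://example.com/x")]:
        print(ip, "->", verdict(sample(ip, body)))
```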

