[Rspamd-Users] Questions regarding how to increase rspamd's coverage on abused legitimate services/"living off trusted services" (LOTS)

christian usenet at schani.com
Sat Mar 23 14:09:25 UTC 2024



On 23.03.2024 at 13:56, G.W. Haywood wrote:
> Hi there,
> 
> On Sat, 23 Mar 2024, Tobias Westerhever via Users wrote:
> 
>> ...
>> My ideas are as follows:
>> ...
>> ...
>> What do you think?
> 
> Everything you've said is about looking at the message content.
> 
> As far as I'm concerned there are no "trusted services".
> 
>> Any additional improvement potential I forgot ...?
> 
> Look at the message headers.
> 
> The longer I work with mail abuse, the less I look at message content.
> Yes of course there's something to be said for taking a quick look at
> the content, but I tend not to get into it too deeply.  It's been my
> experience, in more than a quarter of a century of fighting both spam
> and malicious mail, that when you start to analyse message content in
> depth (1) returns diminish much more rapidly than effort escalates and
> (2) the effort we're talking about is both brain power and CPU cycles.
> 
> I find that I can make much more difference with much less effort by
> looking at, for example, where the message came from rather than what
> the message contains.
> 
> As far as I'm concerned, if a message has a URL or an attachment then
> it's immediately suspect, and, for example, I tend to have lists of
> things which won't be rejected rather than lists of things which will.
> If nothing else this makes for very much shorter lists which are much
> easier to manage.
> 
> My advice is don't go where you propose to go; it will be painful, it
> isn't actually necessary, and ultimately you'll find that you'll be
> fighting a losing battle.
> 
> But if you do decide to go there, by all means keep us posted. :)
> 

I have sent an email directly to you. Has it arrived?
Christian

