Hi;

This brings out an interesting point. Would it not be easier if tests could be defined that are combinations of tests? (Or does such a thing exist and I don't know about it?)

This would be something like saying 1 + 2 + 3 = 100, but each test by itself is weighed quite low. The challenge we are finding is a combination of custom filters being hit, and the likes of HELOBOGUS and REVDNS could be a deadly combination and one that is hard to optimize. But let's say that combination tests could be rated high, such as LOOSENSPAMHEADERS+SPAMHEADERS and ROUTING: if all 3 are hit, then the weight is higher than the sum total of each element. This is especially important since we notice SPAMHEADERS being triggered by a lot of lists and discussion groups.

In one discussion Scott stated the country filter is cumulative. I have noticed interesting patterns. For example, if an e-mail is originating in a country and it goes around the globe to come back to the same country, should it not receive a higher weight rather than the sum total of all countries? I have seen: United States > China > Singapore > Netherlands > Uruguay -> destination (which in this case is US). If the start and end are equal, then it should be rated high. This will also (possibly) not cause problems for international e-mails, since they have to travel through nodes but will hardly have to hit the same country twice.

Just some thoughts...

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Thursday, November 21, 2002 6:51 PM
To: '[EMAIL PROTECTED]'
Subject: [Declude.JunkMail] forum for fighting fake From: fingerprint

One particularly aggravating type of spam is where the from: is faked to be from the recipient or the recipient's own domain. I saw in the archive that this thread has been touched on before, but how about once more around the mulberry bush? I believe Scott mentioned that this behaviour counted as spammish behaviour in SPAMHEADERS, but I think a more pointed ruleset would be very effective against this kind of spam.

My assumption is that the way to implement this is to use an external program to check a) the direction of the message, b) compare the from: (or envelope to:?) and to:, and then c) check for exceptions (e.g. the road warrior, the Blackberry pager). Or is it all moot, because you're finding that spam with this "fingerprint" is pretty well always caught because of other spammy characteristics?

I've found that HELOBOGUS, REVDNS, BADHEADERS and MAILFROM are all really good indicators of spam, but that they are also indicators of a sloppy mail admin and are thus way too common with normal mail. I've lowered their weight; therefore, my HOLD weight is high enough to not hit on them in combination. OTOH, I've found LOOSENSPAMHEADERS+SPAMHEADERS and ROUTING to be worth their weight in gold.

Andrew 8)

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
