Hi Bill: You are right... No disagreement here. We had negative MAILFROM but it was being abused like crazy. We were getting so much spam from faked addresses. We now have a negative list for mailing lists and at times we see email coming through.
REVDNS whitelist has worked well and we have not yet seen any abuses - but as a rule I agree with you it can be abused.

Since someone asked about our whitelist - here it is (these are the general items - we have in this list some of our clients with screwed up server setups but are taken out in this list). This goes in the Global.cfg file.

WHITELIST REVDNS .airborne.com
WHITELIST REVDNS .amazon.com
WHITELIST REVDNS .audible.com
WHITELIST REVDNS .bestfares.com
WHITELIST REVDNS .cnet.com
WHITELIST REVDNS .dell.com
WHITELIST REVDNS .dowjones.com
WHITELIST REVDNS .ebay.com
WHITELIST REVDNS .equifax.com
WHITELIST REVDNS .fedex.com
WHITELIST REVDNS .gartner.com
WHITELIST REVDNS .getactive.com
WHITELIST REVDNS .hertz.com
WHITELIST REVDNS .house.gov
WHITELIST REVDNS .ibm.com
WHITELIST REVDNS infoworld.wc09.net
WHITELIST REVDNS .ipswitch.com
WHITELIST REVDNS .j2.com
WHITELIST REVDNS .kintera.com
WHITELIST REVDNS .looksmart.com
WHITELIST REVDNS .luxurylink.com
WHITELIST REVDNS .macromedia.com
WHITELIST REVDNS .microsoft.com
WHITELIST REVDNS .microsoft.m0.net
WHITELIST REVDNS .moveon.org
WHITELIST REVDNS .msnbc.com
WHITELIST REVDNS .nytimes.com
WHITELIST REVDNS .officemax.com
WHITELIST REVDNS .openitx.com
WHITELIST REVDNS .oracle.com
WHITELIST REVDNS .paypal.com
WHITELIST REVDNS .philanthropy.com
WHITELIST REVDNS .schwab.com
WHITELIST REVDNS .sears.com
WHITELIST REVDNS .shockwave.com
WHITELIST REVDNS .thawte.com
WHITELIST REVDNS .travelzoo.com
WHITELIST REVDNS .truste.org
WHITELIST REVDNS .ups.com
WHITELIST REVDNS .usairways.com
WHITELIST REVDNS .veritas.com
WHITELIST REVDNS .zd-swx.com

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Sunday, September 14, 2003 10:39 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OBFUSCATION filter

Kami, the only reason I mentioned PayPal to Matt was because I figured he would be tracking FPs regarding his Obfuscation test.
The PayPal message in question here did get delivered without user intervention, however, it was not due to PayPal being whitelisted. I don't like to whitelist anything except "TO" addresses, since anything else that is whitelisted can be abused, including RDNS. Instead, we apply a high enough negative weight to three primary filter tests (HELO, RDNS & MAILFROM) to trusted mailers so that they will generally pass with an acceptable weight and get delivered without user intervention; however, anything sent by a spammer abusing these trusted mailer addresses will still likely get caught because they probably will not pass all three of these primary tests, and will most likely fail other JunkMail tests, as well.

When something is whitelisted, no other tests can be run against these messages and they simply get delivered, no matter what. However, if you instead apply a minimal negative weight to multiple tests, forged e-mail will still likely get caught and not delivered.

Using PayPal as an example, if you whitelist RDNS, or MailFrom, or HELO, etc., if a spammer happens to forge their messages using any of these, their spam gets delivered, no matter what other tests it might have failed. However, if you instead apply minimal negative weights like:

MAILFROM -5 ENDSWITH .paypal.com
REVDNS -5 ENDSWITH .paypal.com
HELO -5 ENDSWITH .paypal.com

This gives legitimate PayPal e-mail a total negative of -15, which will most likely allow it to be delivered, even if it fails a couple of other tests. However, the likelihood of a spammer being able to successfully meet all three of these criteria is highly unlikely, and even if they did, there are still all of the other spam tests that JunkMail supports that we can run against these messages and still probably block its delivery.

It basically gives a fighting chance against forging spammers who attempt to abuse spam-test whitelists.

Just my 2 cents...
Bill

----- Original Message -----
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, September 14, 2003 6:04 PM
Subject: RE: [Declude.JunkMail] OBFUSCATION filter

> Bill:
>
> We have a lot of these well known sites in our whitelist as REVDNS.
>
> WHITELIST REVDNS .paypal.com
>
> Paypal has been there for ages, same with eBay, IBM, Oracle, etc. The
> REVDNS is almost foolproof way of letting paypal come through without
> worrying about anything.
>
> Regards,
> Kami
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Sunday, September 14, 2003 3:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] OBFUSCATION filter
>
>
> Just an FYI, I've added:
>
> MAILFROM -7 ENDSWITH paypal.com
>
> to the "Test Exclusions", as it was flagged by the Obfuscation test.
>
> Bill
> ----- Original Message -----
> From: "Matthew Bramble" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, September 14, 2003 12:27 PM
> Subject: Re: [Declude.JunkMail] OBFUSCATION filter
>
>
> > Thanks Bill. And I've got a few more in me I believe :)
> >
> > Matt
> > ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> "unsubscribe Declude.JunkMail". The archives can be found at
> http://www.mail-archive.com.
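
Added example (not part of the original thread, and not Declude's own code): a simplified Python model of the trade-off Bill describes, comparing a single-field whitelist with -5 weights on MAILFROM, REVDNS and HELO. The hold threshold, the sample messages and the weights of the other tests are constructed assumptions; only the three -5 weights and the .paypal.com suffix come from the thread.

```python
# Simplified scoring model (assumption: weights add up and a message is
# held once its total reaches HOLD_WEIGHT; this is not Declude's engine).
HOLD_WEIGHT = 10                       # constructed threshold
TRUSTED_SUFFIX = ".paypal.com"         # from the thread
NEGATIVE_WEIGHTS = {"mailfrom": -5, "revdns": -5, "helo": -5}  # from the thread


def ends_with(value, suffix):
    """Case-insensitive ENDSWITH match on one envelope/connection field."""
    return value.lower().endswith(suffix)


def score_weighted(msg):
    """Other tests' weights plus -5 for each trusted field that matches."""
    total = sum(msg["other_tests"].values())
    for field, weight in NEGATIVE_WEIGHTS.items():
        if ends_with(msg[field], TRUSTED_SUFFIX):
            total += weight
    return total


def delivered_weighted(msg):
    """Negative-weight approach: every test still counts toward the total."""
    return score_weighted(msg) < HOLD_WEIGHT


def delivered_whitelist(msg, field):
    """Whitelist approach: a match on one field skips all other tests."""
    if ends_with(msg[field], TRUSTED_SUFFIX):
        return True
    return sum(msg["other_tests"].values()) < HOLD_WEIGHT


# Constructed sample messages (hostnames, addresses and weights are made up).
LEGIT = {
    "mailfrom": "payment@mail.paypal.com",
    "revdns": "mx1.paypal.com",
    "helo": "mx1.paypal.com",
    "other_tests": {"OBFUSCATION": 8, "OTHER_TEST": 4},   # false positives
}
FORGED = {
    "mailfrom": "payment@mail.paypal.com",                # only this is forged
    "revdns": "host-203-0-113-7.example.net",
    "helo": "mail.example.net",
    "other_tests": {"OBFUSCATION": 8, "DNSBL": 10},
}

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("forged", FORGED)):
        print(name, "weighted score:", score_weighted(msg),
              "| weighted delivers:", delivered_weighted(msg),
              "| MAILFROM whitelist delivers:",
              delivered_whitelist(msg, "mailfrom"))
```

The legitimate message clears its false positives with the full -15, while the forged one earns only -5 and is still held; under a MAILFROM whitelist both are delivered.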