We whitelist the IP address of any system we permit to relay through our IMail server, and all of our customers either use SMTP Auth or we whitelist their IP address space.  So the only time we have seen a problem is with some mailing lists and e-card services, which we accommodate via filtering.
 
As a quick test, I separated out my hosted domains from the SPAMDOMAINS file and created a new spamdomains test called FORGED-DOMAINS.  Here are the subjects of the messages I have flagged with this test within the past 5 minutes:
 
      2 Subject: Complimentary 30 Day Supply of Phentermine!
      1 Subject: [NAME WITHHELD] Where to deposit your Payroll?
      1 Subject: Someone wants to date you
      1 Subject: Self-paced degree programs for busy adults
      1 Subject: Please claim your gift
      1 Subject: Lowest Mortgage Rates in 45 Years!
      1 Subject: Get a Proven Anti - Aging Creme at No Charge
      1 Subject: Credit Relief
      1 Subject: Complimentary 30 Day Supply of Phentermine!
      1 Subject: Absolutely Free, CostsNothing, FreeAir Tickets
      1 Subject: 4 F r e e Airline Tickets + $100 Cash Back
      1 Subject: 3 months of FREE Satellite TV
      1 Subject: 0% Auto Loans!
      1 Subject:  you are *approved already. No credit check
 
Looks like a very effective test to me.
 
Bill
----- Original Message -----
Sent: Friday, September 19, 2003 2:16 PM
Subject: Re: [Declude.JunkMail] blocking spam faked as coming from local address

Bill,

It's because it is very rare that you see spam faking your address, 0.1% from a recent test, and much more common that false positives will be created as was noted.  I was able to monitor this behavior because unfortunately the DYNAMIC filter catches but doesn't score intra-server domain E-mail, and I searched for this knowing they would all be in there.  In other words, filtering for from addresses faked to say they are from your own domain would have a false positive rate of around 75%, or at least that would be so on my server.  One prime example is that many of my customers' Web sites with forms will send the submission as if it came from the customer's own domain, and thus fail the test.  Lots of ecommerce is done this way.  It's a very bad idea in my opinion.  Maybe I'm missing something though???

Using SPAMDOMAINS to filter for local domains would also be just as problematic I would think.  You might not have issues based on the makeup of your customers and maybe not caring too much about gray area commercial stuff like greeting cards which might fail the filters.  No way would I start whitelisting stuff either based on something which would properly add points so rarely.  Are you not seeing the same very low incidence of this type of thing?  Or is that unique to my own customer base?

Matt



Bill Landry wrote:
----- Original Message ----- 
From: Matthew Bramble

  
I highly recommend not filtering the fake MAILFROM for your local domains.
    

Why not?  I don't actually do this, rather I use SPAMDOMAIN instead.  But I
don't see a problem doing it with MAILFROM in a filter file either.

Bill
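
Added example (not from the thread, and not Declude configuration or code): the check debated above, written in Python, flagging mail whose MAILFROM claims a hosted domain unless it arrived via SMTP AUTH or from a whitelisted relay IP. The domains, networks, sample messages and function names are all constructed for illustration; the off-site web form case is the false positive Matt describes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: hosted (local) domains and whitelisted relay networks.
LOCAL_DOMAINS = {"example.com", "example.net"}
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]

@dataclass
class Msg:
    mail_from: str           # SMTP envelope sender (MAILFROM)
    remote_ip: str           # IP of the connecting host
    smtp_auth: bool = False  # True if the session authenticated

def sender_domain(mail_from):
    """Lower-cased domain of the envelope sender; '' for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    return addr.rpartition("@")[2].lower().rstrip(".")

def is_trusted(ip):
    """True if the connecting IP falls inside a whitelisted relay network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RELAYS)

def forged_local(msg):
    """Flag a local-domain MAILFROM that is neither authenticated nor whitelisted."""
    if sender_domain(msg.mail_from) not in LOCAL_DOMAINS:
        return False
    return not (msg.smtp_auth or is_trusted(msg.remote_ip))

# Constructed sample messages covering both sides of the argument.
SAMPLES = {
    "customer_auth":     Msg("<alice@example.com>", "203.0.113.7", smtp_auth=True),
    "whitelisted_relay": Msg("bob@EXAMPLE.NET", "192.0.2.25"),
    "spam_forged":       Msg("carol@example.com", "198.51.100.9"),
    # Customer web form hosted elsewhere, sending as the customer's own domain:
    # flagged unless that host is added to the whitelist.
    "web_form_offsite":  Msg("orders@example.com", "203.0.113.80"),
    "outside_sender":    Msg("dave@example.org", "198.51.100.9"),
    "null_sender":       Msg("<>", "198.51.100.9"),
}

def classify_samples():
    """Return {sample name: flagged?} for the constructed messages."""
    return {name: forged_local(m) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, flagged in classify_samples().items():
        print(f"{name:18} {'FLAG' if flagged else 'pass'}")
```
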
  
