Try not to "whitelist" things over which you have no control or with which you have no relationship, and when you do, use the IP whenever possible.
When it comes to things like this, you should set up a "pseudo-whitelist," which credits some points, but only enough to mitigate the false positives that you are seeing on those sources. This way you will still have the benefit of the custom filters that you are running as well as external tests, or rather you might not want to take away all the false positive points and start the bar a bit higher since this is a known issue.
You create a pseudo-whitelist by setting up a custom filter as a negative scoring test. It might be best to score the filter at a fixed amount and then make adjustments to the individual lines when necessary. I have mine set up primarily to help with things that might fail SpamCop or MailPolice, so the default credit that I give is about 80% of fail weight. It's also important to look for the least likely to be spoofed identifier. IPs are the best but hard to come by; REVDNS is the next best choice. Things like MAILFROM are consistently spoofed if the claimed source is popular (like an ecommerce site or ISP). A HEADERS filter can also be done in instances where the MAILFROM is dynamic and is a source for multiple content providers (such as third-party bulk mailers). It's best to stay away from the BODY when possible and counterbalance in the custom filters that might have issues, though Sniffer may need a BODY filter to counterbalance for an FP there.
Matt
David Dodell wrote:
I have Imail/Declude Junkmail/Virus running as a front end for another server which is using Lyris for multiple mailing lists.
I had a problem in the past that certain ISPs (i.e. bellsouth.net) would fail multiple SPAM tests, so users posting to those lists would have their mail rejected.
I decided to try and get around it by whitelisting the names of the mailing lists, i.e. [EMAIL PROTECTED], in the thoughts that Spam would be rejected by Lyris since the spammer was not a subscriber to the list. Works well.
However, I'm noticing some spam is getting through by having the mailing list name, with a bunch of other accounts, i.e. mine, postmaster, etc., all as part of the CC line.
Since one of the accounts is whitelisted, it appears that Declude is whitelisting the message and letting it also get through to all of the other accounts on that cc line.
Any suggestions on how I can deal with this? I thought that I might have to make a "user" configuration file per mailing list which I could just WHITELIST as the entry, but if I do this, will it still whitelist the email for the others on the cc line?
David
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
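The difference between the recipient whitelist in the question and the negative-scoring filter described in the reply, as an added Python model that is not part of the original thread and is neither Declude syntax nor Declude code. The fail weights, hold threshold, addresses and hostnames are constructed assumptions.

```python
# Constructed model of weighted spam scoring. All numbers and names below are
# assumptions for illustration, not Declude defaults or filter-file syntax.
HOLD_AT = 10
FAIL_WEIGHTS = {"SPAMCOP": 7, "MAILPOLICE": 5, "SNIFFER": 8, "BADHEADERS": 4}
CREDIT_RATIO = 0.8  # "about 80% of fail weight", as in the reply

# Pseudo-whitelist lines: (identifier, match type, pattern, test being offset).
# Keyed on IP / REVDNS, the identifiers the reply calls hardest to spoof.
PSEUDO_WHITELIST = [
    ("IP", "equals", "192.0.2.25", "MAILPOLICE"),
    ("REVDNS", "endswith", ".adsl.isp.example", "SPAMCOP"),
]

def credit_for(msg):
    """Largest single credit among matching lines; credits are not stacked."""
    credits = [0.0]
    for field, how, pattern, test in PSEUDO_WHITELIST:
        value = msg.get(field, "").lower()
        hit = value == pattern if how == "equals" else value.endswith(pattern)
        if hit:
            credits.append(-CREDIT_RATIO * FAIL_WEIGHTS[test])
    return min(credits)

def score(msg, use_credit=True):
    total = sum(FAIL_WEIGHTS[t] for t in msg["failed"])
    return total + (credit_for(msg) if use_credit else 0.0)

def verdict(msg, rcpt_whitelist=()):
    # Hard whitelist as described in the question: one whitelisted recipient
    # exempts the whole message, including every other address on the CC line.
    if any(r.lower() in set(rcpt_whitelist) for r in msg["rcpt"]):
        return "deliver"
    return "hold" if score(msg) >= HOLD_AT else "deliver"

# Constructed sample messages.
LIST_POST = {"IP": "198.51.100.7", "REVDNS": "h7.adsl.isp.example",
             "rcpt": ["list@lists.example"], "failed": ["SPAMCOP", "BADHEADERS"]}
CC_SPAM = {"IP": "203.0.113.9", "REVDNS": "mail.bulk.example",
           "rcpt": ["list@lists.example", "postmaster@lists.example"],
           "failed": ["SPAMCOP", "SNIFFER"]}
ISP_SPAM = {"IP": "198.51.100.8", "REVDNS": "h8.adsl.isp.example",
            "rcpt": ["postmaster@lists.example"],
            "failed": ["SPAMCOP", "SNIFFER", "BADHEADERS"]}

if __name__ == "__main__":
    for name, m in [("list post", LIST_POST), ("cc spam", CC_SPAM), ("isp spam", ISP_SPAM)]:
        print(name, round(score(m), 1), verdict(m),
              "| with rcpt whitelist:", verdict(m, ["list@lists.example"]))
```

The credit lifts the genuine list post under the hold threshold, while mail from the same ISP range that fails additional tests is still held, and the CC'd spam gets no credit at all because the credit is tied to the sending host rather than to a recipient.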
