Darin Cox wrote:
The remote IP is already there, but the reverse DNS isn't. I would think that is more valuable than having the Message-ID like we have now, but Scott's away for a week so I would save such requests for when he gets back.
I too would love to have access to a variable that tracks the From address and not just the Mail From address (is that what you are getting at?). Currently this would have to be done in an external test which included header parsing to extract the From address, since Declude doesn't currently provide that as a variable, though you could pass in the Mail From as a variable. I'm not sure though what the best approach would be to make use of this data as far as reliable scoring goes.
It's been discussed before. There are ways to query whois data and parse it on the fly; however, currently every whois server that I am aware of has limitations that prohibit automated queries. There is also no caching mechanism for this data, so every time you check a domain, you have to do everything all over again, and that can be expensive. This would be most useful on domains parsed from the body of messages, since the domains in zombie spam are mostly very short-lived and new.

I think what really needs to happen here is for someone to come up with a system where you query DNS (for caching), and if a domain isn't contained within DNS when queried, it is sought out and discovered for future queries. I would imagine that with BIND, you could do this by parsing the logs for non-matches and then automating the queries and subsequent population of the data (Windows can also be set up to log all queries). In such a system, there should be no reason why you couldn't query Mail From domains, reverse DNS domains, or URL domains. Also, if you cache the whois data on a centralized server, the number of queries on the registry shouldn't be that high. I'm game for throwing in some time on this if there's a programmer around here that could handle the parsing/querying piece.

I think there are much stronger and more common patterns to tag here. I could be missing something though, because zombies do very poorly on my system thanks to Sniffer and a multitude of pattern filters, and RBLs of course.
Most around here don't use spam traps; they just look through held messages for patterns or IPs. Personally I have built a DNSBL/RHSBL that hits almost as often as SBL by simply finding a spammer's IP and then researching it manually so that I can identify whole blocks. Automating this sort of thing can be quite difficult because spam doesn't always come from servers or zombies operated by spammers. I've personally opted to go after static spammers, primarily because it is within my means, and because more than 90% of the spam that gets through my system comes from static spammers. I am not a big fan of automation because the value of a test is greatly impacted by the number and type of false positives.

If you are looking for value from spam traps, Sniffer does a wonderful job: they will tag about 95% of the spam reaching your system, and it's well worth paying for when you might otherwise spend a lot more time building something automated that falls far short of its accuracy and results. My only issue with Sniffer is with the false positives. Because it hits 95% of the spam, there are a fair number of false positives (although relatively few in comparison to hit rates on other tests), primarily on relationship-marketing materials that I don't consider spam, but others report as spam. These messages also commonly get SpamCopped or fail unreliable tests like FiveTen and SORBS because it's borderline, and IMO bad judgement/overzealousness taints all such data. When you report a false positive to Sniffer, they might remove it from their system, or they will at least remove it from your own unique rule base. Sniffer does though use spam traps to populate their data.

I'm sure that others have all sorts of varying opinions on these things, so maybe they'll chime in.

Matt
-- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================
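The thread above sketches two pieces an external Declude test would need: parsing the header From address yourself (Declude only hands the test the envelope Mail From), and looking up domain registration data through a cache so the whois registry is not hit on every message. The script below is an added example written for this page; it is not code from the thread, from Declude, or from MailPure. The message, envelope sender, reverse DNS name, registry dates, and the scoring weights are all constructed, the DNS zone the post proposes as the cache is replaced by an in-memory dictionary, and `fake_whois` stands in for a real registry query. It shows the header From versus Mail From comparison, domain extraction from the envelope sender, the reverse DNS name and body URLs, and a cache that also remembers misses so an unknown domain is not re-queried on every message.

```python
"""Added example: header-From extraction, domain harvesting and a cached
whois age lookup of the kind the thread describes. Everything below is
constructed for illustration; it is not Declude's or MailPure's code."""
import re
from datetime import date, timedelta
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (the addresses and domains are made up).
SAMPLE_MSG = """From: "Acme Offers" <promo@example-sender.test>
To: user@example.net
Subject: hello

Check http://new-deal.test/offer and https://www.example-sender.test/x
"""

MAIL_FROM = "bounce@bulk-mailer.test"      # envelope sender, as Declude would pass it in
REVERSE_DNS = "host12.bulk-mailer.test"    # PTR name of the connecting IP (constructed)
TODAY = date(2024, 6, 1)                   # fixed reference date so the example is deterministic

# Constructed registry data: domain -> creation date. Stands in for whois.
FAKE_REGISTRY = {
    "example-sender.test": date(2001, 5, 1),
    "bulk-mailer.test": date(2005, 1, 10),
    "new-deal.test": date(2024, 5, 29),    # registered three days before TODAY
}


def fake_whois(domain):
    """Simulated whois query. Returns the creation date or None if unknown.
    Counts calls so the caching effect is visible."""
    fake_whois.calls += 1
    return FAKE_REGISTRY.get(domain)


fake_whois.calls = 0


def header_from_address(raw_message):
    """Address in the From: header, which Declude does not expose as a variable."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()


def registrable_domain(hostname):
    """Crude registrable domain: the last two labels. Real code needs the
    public suffix list (co.uk and friends); this is an assumption for the demo."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def body_domains(raw_message):
    """Registrable domains of every http(s) URL in a single-part body."""
    body = message_from_string(raw_message).get_payload()
    return sorted({registrable_domain(h) for h in URL_HOST_RE.findall(body)})


class WhoisCache:
    """Look-aside cache in front of a whois backend. Negative results are
    cached too, so an unknown domain is not re-queried on every message."""

    def __init__(self, backend, ttl_days=7):
        self.backend = backend
        self.ttl = timedelta(days=ttl_days)
        self.store = {}  # domain -> (creation_date_or_None, fetched_on)

    def creation_date(self, domain, today):
        hit = self.store.get(domain)
        if hit is not None and today - hit[1] < self.ttl:
            return hit[0]
        created = self.backend(domain)
        self.store[domain] = (created, today)
        return created


def score_message(raw_message, mail_from, reverse_dns, cache, today, young_days=30):
    """Return (score, domains). Weights are arbitrary, chosen for the example:
    +2 header From domain differs from Mail From domain,
    +3 per domain registered fewer than young_days ago,
    +1 per domain the registry knows nothing about."""
    hdr_from = header_from_address(raw_message)
    domains = {
        "header_from": registrable_domain(hdr_from.split("@")[-1]),
        "mail_from": registrable_domain(mail_from.split("@")[-1]),
        "reverse_dns": registrable_domain(reverse_dns),
    }
    score = 0
    if domains["header_from"] != domains["mail_from"]:
        score += 2
    for dom in set(domains.values()) | set(body_domains(raw_message)):
        created = cache.creation_date(dom, today)
        if created is None:
            score += 1
        elif (today - created).days < young_days:
            score += 3
    return score, domains


if __name__ == "__main__":
    cache = WhoisCache(fake_whois)
    print(score_message(SAMPLE_MSG, MAIL_FROM, REVERSE_DNS, cache, TODAY))
    print("registry queries:", fake_whois.calls)
```

The cache keys on the registrable domain rather than the full hostname, so `www.example-sender.test` in the body and `promo@example-sender.test` in the header resolve to a single registry query. A second call to `score_message` with the same cache makes no new backend calls at all, which is the property the post is after when it proposes a shared DNS-backed cache; the TTL keeps stale creation dates from surviving a transfer or re-registration forever.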
