I know I'm biased, but this is where Message Sniffer could probably help. Rather than researching and tuning for this - if you submit it to our spam@ address we will do all of that automatically, and usually we will capture it. Submitting it to us is much cheaper than doing the research yourself in most cases. There are still new things that get past us, but not for long once we see them.
Our actions usually cover 3, 4, and 5 from your list, including broad heuristics for polymorphic domains and text patterns - such as those from the big huge super clear dvd collection guy. I think we've got that one down to a trickle now - even though they keep pumping out new domains and using new zombies.

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief Sortmonster, www.sortmonster.com

On Monday, July 26, 2004, 8:36:13 PM, Kevin wrote:

KB> Looks like you have a good handle on it. You need to look at
KB> all of these things and choose the ones that fit the particular
KB> spam campaign/spammer.
KB>
KB> Spam blocking takes a lot of fine tuning.
KB>
KB> Kevin Bilbee
KB>
KB> -----Original Message-----
KB> From: [EMAIL PROTECTED]
KB> [mailto:[EMAIL PROTECTED] Behalf Of Goran Jovanovic
KB> Sent: Monday, July 26, 2004 5:27 PM
KB> To: [EMAIL PROTECTED]
KB> Subject: [Declude.JunkMail] What to do about spam getting through?
KB>
KB> This is perhaps a bit of a philosophical question as well as a practical one.
KB>
KB> I have users sending me back mail that did not get trapped
KB> as SPAM which it obviously is. Now when I look it up some of
KB> this stuff scores really low (like 20 to 50% of the tag weight).
KB> It may not be on any blacklist, it may have minimal text (mostly
KB> downloaded pictures) and so I do not catch it. I see that I have
KB> a few options
KB>
KB> 1) Blacklist it by sender but that is probably mostly
KB>    a waste of time since the sender gets spoofed and changes
KB> 2) Do nothing and hope that it appears on more DNS
KB>    tests so that it will trip more tests and then get caught (not a
KB>    great option)
KB> 3) Consider blacklisting the IP but that may not be
KB>    possible if it is a major e-mail server or may not be possible
KB>    if it is a zombie
KB> 4) Look for specific words/phrases in the body,
KB>    subject etc and try filtering on that
KB> 5) Something else, anything else??
KB>
KB> It seems to me that these are my options and none of them
KB> seem really definitive. Now maybe I am looking for something
KB> that doesn't exist but I thought I would ask here what others do.
KB>
KB> Any suggestions, thoughts etc would be appreciated.
KB>
KB> Thanx
KB>
KB> Goran Jovanovic
KB> The LAN Shoppe

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
