Welcome to the newest fine art, spam detection.

I try to look for patterns. They could be URLs in the body, keyword strings, strings in the headers and so forth.

One thing I would suggest (if not already used) is to use SpamCheck. Using SpamCheck for body filters is less resource intensive than Declude JM body filters, which are the most resource intensive. I have both a KEYBODY.txt file and a URLBODY.txt file for use with SpamCheck, in addition to tweaks that have been done to the SpamCheck ini file.

 

I look for patterns in this order:

REVDNS
HEADERS
SUBJECT
MAILFROM
HELO
BODY

Outside of DNS tests, my top reliable tests that I think I have are (not necessarily in order):

SURBL (body filter of SPAMCOP DB)
KEYSUBJECT (strings of words frequently seen in the subject line)
SPAMCHECK
GRAYFILTER3 (REVDNS, HEADERS, HELO)
GRAYFILTER2 (MAILFROM)
SUBJECTSTARTSIS (special characters and other letters generally only seen at the start of a spam subject line)
DOTTEDWORDSSUBJECT (strings containing periods where there is generally none)
DASHEDWORDSSUBJECT (strings containing dashes where there is generally none)
UNDERWORDSSUBJECT (strings containing underscores where there is generally none)
GRAYSTRINGMAILFROM (strings often seen in spam mail from)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
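As an added illustration of the subject-line and MAIL FROM pattern tests named in the reply above (this is example code written for this page, not code from the thread, from Declude or from SpamCheck): a small weighted scorer in the style of a Declude-like tag/hold weight model. The test names follow the reply; every regular expression, weight, the HOLD_WEIGHT threshold, the gray-string list and the sample messages are assumptions constructed for the example.

```python
import re

# Added example: weighted pattern tests in the spirit of the subject-line and
# MAIL FROM heuristics named in the reply (SUBJECTSTARTSIS, DOTTEDWORDSSUBJECT,
# DASHEDWORDSSUBJECT, UNDERWORDSSUBJECT, GRAYSTRINGMAILFROM). Test names follow
# the thread; every regex, weight, threshold and string list below is an
# assumption constructed for this example, not Declude's or SpamCheck's own.

HOLD_WEIGHT = 30  # hypothetical hold threshold, in the same units as the weights

# Characters rarely found at the very start of a legitimate subject line
# (constructed set; '[' is deliberately excluded so list tags such as
# "[Declude.JunkMail]" do not trigger it).
SUBJECT_START_CHARS = re.compile(r'[!#$%*+=~|^<>{}]')

# Substrings often seen in spam envelope senders (constructed list).
GRAY_MAILFROM_STRINGS = ("bounce-", "noreply", "offer", "promo", "winner")


def starts_special(subject: str) -> bool:
    """SUBJECTSTARTSIS: subject begins with a character from SUBJECT_START_CHARS."""
    return SUBJECT_START_CHARS.match(subject) is not None


def separated_letters(text: str, sep: str) -> bool:
    """Single letters joined by `sep` at least twice, e.g. "f.r.e.e", "c-h-e-a-p",
    "m_e_d_s". Ordinary hyphenated words ("out-of-date") do not match because
    the pieces between separators are longer than one letter."""
    pattern = r'(?<!\w)[A-Za-z](?:' + re.escape(sep) + r'[A-Za-z]){2,}(?!\w)'
    return re.search(pattern, text) is not None


def gray_mailfrom(mailfrom: str) -> bool:
    """GRAYSTRINGMAILFROM: envelope sender contains a known gray substring."""
    lowered = mailfrom.lower()
    return any(s in lowered for s in GRAY_MAILFROM_STRINGS)


# (name, weight, predicate over a message dict with "subject" and "mailfrom")
TESTS = (
    ("SUBJECTSTARTSIS",    10, lambda m: starts_special(m["subject"])),
    ("DOTTEDWORDSSUBJECT", 15, lambda m: separated_letters(m["subject"], ".")),
    ("DASHEDWORDSSUBJECT", 15, lambda m: separated_letters(m["subject"], "-")),
    ("UNDERWORDSSUBJECT",  15, lambda m: separated_letters(m["subject"], "_")),
    ("GRAYSTRINGMAILFROM", 10, lambda m: gray_mailfrom(m["mailfrom"])),
)


def score(msg: dict) -> tuple:
    """Return (total weight, list of test names that fired), in TESTS order."""
    hits = [name for name, _, test in TESTS if test(msg)]
    total = sum(weight for name, weight, _ in TESTS if name in hits)
    return total, hits


def verdict(msg: dict) -> tuple:
    """Return ("HOLD" | "PASS", total, hits); hold once the total reaches HOLD_WEIGHT."""
    total, hits = score(msg)
    return ("HOLD" if total >= HOLD_WEIGHT else "PASS"), total, hits


# Constructed sample messages (not real mail): one legitimate, two spam-like.
SAMPLES = [
    {"subject": "Re: meeting notes for Monday", "mailfrom": "colleague@example.com"},
    {"subject": "**F.r.e.e** offer inside", "mailfrom": "promo-123@example.net"},
    {"subject": "c_h_e_a_p m-e-d-s", "mailfrom": "winner@example.org"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        action, total, hits = verdict(msg)
        print(f"{action:4} {total:3}  {msg['subject']!r}  hits={hits}")
```

Each test is kept deliberately below the hold threshold on its own, because these heuristics have known false positives: the dotted-letters test also matches abbreviations such as "U.S.A.", and a gray substring like "offer" can occur inside an ordinary mailbox name. Holding only when several independent tests agree is what keeps the weighting usable, which mirrors why the reply lists these as contributors rather than single decisive tests.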

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic
Sent: Monday, July 26, 2004 5:27 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] What to do about spam getting through?

This is perhaps a bit of a philosophical question as well as a practical one.

I have users sending me back mail that did not get trapped as SPAM, which it obviously is. Now when I look it up, some of this stuff scores really low (like 20 to 50% of the tag weight). It may not be on any blacklist, it may have minimal text (mostly downloaded pictures) and so I do not catch it. I see that I have a few options:

1) Blacklist it by sender, but that is probably mostly a waste of time since the sender gets spoofed and changes

2) Do nothing and hope that it appears on more DNS tests so that it will trip more tests and then get caught (not a great option)

3) Consider blacklisting the IP, but that may not be possible if it is a major e-mail server or may not be possible if it is a zombie

4) Look for specific words/phrases in the body, subject, etc. and try filtering on that

5) Something else, anything else??

It seems to me that these are my options and none of them seem really definitive. Now maybe I am looking for something that doesn’t exist, but I thought I would ask here what others do.

Any suggestions, thoughts, etc. would be appreciated.

Thanx

Goran Jovanovic
The LAN Shoppe

 

 
