My GRAY filters are for those items that either do not fall into any other category, or which are worth only a small weight.
I use the weighting system exclusively, so that no one failure can cause an action on a message.
I hold from 25-34, using SpamReview daily to check and adjust filters.
Best practice will depend upon use. Corporate best practice will be dictated by corporate policy. ISP best practice is very gray at best, except for the obvious stuff. It also depends on the clientele. You will not use the same best practice for a real estate client as for a lawyer as for a health care client.
John Tolmachoff Engineer/Consultant/Owner eServices For You
-----Original Message-----
Welcome to the newest fine art, spam detection.
And to think I took a Science degree in University since I thought that would be useful :)
I will look into SPAMCHECK. I am not using it but I am using a number of Kami’s body filters.
Below you say that you have GRAY filters. What do you mean? Filters that trigger occasionally or filters that are not very positive in identifying SPAM? Do you score them as 50% of tag weight or less/more?
Do you actually HOLD spam and review or just tag it and send it and then only deal with what the clients send back?
I guess what I am kind of looking for is a Best Practices Guide and I do not know if one exists.
Thanx
Goran Jovanovic The LAN Shoppe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
Welcome to the newest fine art, spam detection.
I try to look for patterns. They could be URLs in the body, key word strings, strings in the headers and so forth.
One thing I would suggest (if not already used) is to use SpamCheck. Using spam check for body filters is less resource intensive than Declude JM body filters, which are the most resource intensive. I have both a KEYBODY.txt file and a URLBODY.txt file for use with SpamCheck, in addition to tweaks that have been done to the SpamCheck ini file.
I look for patterns in this order:
REVDNS
HEADERS
SUBJECT
MAILFROM
HELO
BODY
Outside of DNS tests, my top reliable tests that I think I have are (not necessarily in order):
SURBL (body filter of SPAMCOP DB)
KEYSUBJECT (strings of words frequently seen in the subject line)
SPAMCHECK
GRAYFILTER3 (REVDNS, HEADERS, HELO)
GRAYFILTER2 (MAILFROM)
SUBJECTSTARTSIS (special characters and other letters generally only seen at the start of a spam subject line)
DOTTEDWORDSSUBJECT (strings containing periods where there is generally none)
DASHEDWORDSSUBJECT (strings containing dashes where there is generally none)
UNDERWORDSSUBJECT (strings containing underscores where there is generally none)
GRAYSTRINGMAILFROM (strings often seen in spam mail from)
John Tolmachoff Engineer/Consultant/Owner eServices For You
-----Original Message-----
This is perhaps a bit of a philosophical question as well as a practical one.
I have users sending me back mail that did not get trapped as SPAM which it obviously is. Now when I look it up some of this stuff scores really low (like 20 to 50% of the tag weight). It may not be on any blacklist, it may have minimal text (mostly downloaded pictures) and so I do not catch it. I see that I have a few options
1) Blacklist it by sender but that is probably mostly a waste of time since the sender gets spoofed and changes
2) Do nothing and hope that it appears on more DNS tests so that it will trip more tests and then get caught (not a great option)
3) Consider blacklisting the IP but that may not be possible if it is a major e-mail server or may not be possible if it is a zombie
4) Look for specific words/phrases in the body, subject etc and try filtering on that
5) Something else, anything else??
It seems to me that these are my options and none of them seem really definitive. Now maybe I am looking for something that doesn’t exist but I thought I would ask here what others do.
Any suggestions, thoughts etc would be appreciated.
Thanx
Goran Jovanovic The LAN Shoppe
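Added example, not part of the original thread and not Declude or SpamCheck configuration: a Python sketch of the weighting approach described above, where several subject-line tests each add a small weight and a message is held only when the total lands in the 25-34 band. The test names and the hold band come from the thread; the weights, regular expressions, key phrases, sample subjects and the "below-hold"/"above-hold" labels are constructed assumptions.

```python
import re

# Weights and key phrases are constructed; the thread gives only the test
# names and the 25-34 hold band.
WEIGHTS = {"DOTTEDWORDSSUBJECT": 8, "DASHEDWORDSSUBJECT": 8,
           "UNDERWORDSSUBJECT": 8, "SUBJECTSTARTSIS": 6, "KEYSUBJECT": 10}
KEY_PHRASES = ("act now", "lowest rates")      # constructed sample strings
HOLD_MIN, HOLD_MAX = 25, 34                    # hold band from the thread

def split_word(sep):
    """Match 4+ single letters joined by sep, e.g. r.a.t.e or r_a_t_e."""
    return re.compile(
        r"(?<![A-Za-z0-9])(?:[A-Za-z]%s){3,}[A-Za-z](?![A-Za-z0-9])"
        % re.escape(sep))

TESTS = {
    "DOTTEDWORDSSUBJECT": split_word(".").search,
    "DASHEDWORDSSUBJECT": split_word("-").search,
    "UNDERWORDSSUBJECT": split_word("_").search,
    # Subject opens with something other than a letter, digit, quote or bracket.
    "SUBJECTSTARTSIS": re.compile(r"^\s*[^\sA-Za-z0-9\"'\[(]").search,
    "KEYSUBJECT": lambda s: any(p in s.lower() for p in KEY_PHRASES),
}

def failed_tests(subject):
    """Names of the tests this subject line trips."""
    return [name for name, test in TESTS.items() if test(subject)]

def total_weight(subject):
    return sum(WEIGHTS[name] for name in failed_tests(subject))

def action(weight):
    if weight < HOLD_MIN:
        return "below-hold"
    if weight <= HOLD_MAX:
        return "hold"
    return "above-hold"   # the thread does not say what happens above 34

# Constructed sample subject lines.
SAMPLES = [
    "Re: Meeting notes for Tuesday",
    "U.S.A. trade update",
    "R.e.f.i.n.a.n.c.e today",
    "$$ l_o_w_e_s_t rates, act now m-o-r-t-g-a-g-e",
]

if __name__ == "__main__":
    for s in SAMPLES:
        w = total_weight(s)
        print(f"{w:3d} {action(w):10s} {failed_tests(s)} {s!r}")
```

The third sample trips one test and stays well under the band, which is the property described above: no single failure can cause an action on a message.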
