For targeting the 419 and Lottery scams, I've had good luck using aMINWEIGHTTOFAIL to target these.
In my case 4 or more tendancies of 419/Lottery scams must happen before weight is added.
I have very, very few false positives on these tests (0 in the last 2 1/2 months)and can weight them accordingly.
I have posted my multiline 419 and lottery filters on my website. They do run lots of body test and a couple of other tests and hence can be CPU extensive.
----- Original Message ----- From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, February 12, 2005 3:11 PM
Subject: [Declude.JunkMail] Thoughts on Filtering/Whitelisting
Hi all,
I have a Nigerian SCAM filter (from Kami) which has a test for
solicitation of an offer
and weights it at 20.
Now it turns out that Scotia Capital has a disclaimer on all their outgoing e-mail with that phrase in it. So I see that I have a couple of options and I am not really sure what would be best.
1) I could remove the phrase from the Nigerian filter. This would solve the Scotia Capital problem but perhaps let through Nigerian scam letters.
2) Leave the filter in but credit a HELO -20 CONTAINS ScotiaCapital.com
3) Create a global whitelist that all my domains would look at and put @ScotiaCapital.com in the whitelist file. Obviously this would open my domains up to spoofed e-mail/spam
4) I suppose I could whitelist the IP address but that would leave me managing IP addresses and if they changed then my whitelisting would break.
I would be tempted to implement #1 as it is simple but I could let unknown amounts of SPAM through based on that phrase.
#2 looks good and this process could be extended to other domains that are mis-configured and fail HELOBOGUS etc.
#3 will allow me to start applying "whitelist" requests from one domain to all domains if they are legitimate requests. There is a government list that already is in 2 domain's whitelists as both are accountants.
#4 is not very appealing to me as the IP can change at any time
So does anyone have another way to do this or would you pick options 1, 2, 3, or 4 and why.
Thanx
Goran Jovanovic
The LAN Shoppe
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
