[Declude.JunkMail] Positive attributes (was Test suggestion request for comments...)
Kami:

I've been working along similar lines but run into some difficulties. I did succeed in getting a group of managers and team leaders to suggest a list of good words which are often used in correspondence, and are now given negative weight. However, there is an occasional nightmare scenario that goes like this...

Salesperson Jones meets a potential client. Sales meeting goes well. Client seriously considering purchase of new system costing more than $10,000. Client sends email from a Yahoo account to Salesperson Jones containing text like this:

Very interested in what you described. Please call me at 10 a.m. to discuss purchase.

This incoming mail doesn't contain any of our good words, and it comes from a common spam source, has other possible flaws, etc. So it gets tagged as spam and delivery is delayed.

The only quick fix we've found is to assign a large negative weight to email addressed to a few in-house accounts. Of course it's not really a fix if they now get a ton of spam. I've suggested a special word that could be distributed to potential new clients for use in sending us email, but the idea has not caught on.

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kami Razvan
Sent: Sunday, December 07, 2003 12:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Test suggestion request for comments...

Bill..

This goes well along the line of the subject that was discussed a while back and one that could help a great deal.

Right now we are concentrating on negative aspects of the email - to minimize FP and even further reduce CPU we should give some attention to some positive aspects as well. If we can identify the positive attributes correctly we can further tighten our filters and be more generous with weighing the negative attributes.

A discussion on positive traits could be a good start. I second the motion.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Sunday, December 07, 2003 1:32 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Test suggestion request for comments...

Scott, you have probably seen requests like this before, however, I think this would be a great way to support most corporate and some ISP e-mail domains with a negative weight based test:

HELO RDNS domain match -5
HELO RDNS MAILFROM domain match -10
HELO RDNS domain match IPINMX -10 (yes, IP-in-MX)
HELO RDNS MAILFROM domain match IPINMX -15 or ENDALLTESTS

I say domain meaning just the last two segments of the FQHN, that portion that is registered with domain registrar.

Since all of these tests are already run by Declude, if a bit of logic could be added to support a test like this, I think it could help us get a lot of legitimate mail delivered with fewer held due to FPs.

Also, if people feel that the last test above is a very good indicator of legitimate e-mail, then if this test is run first (before all other tests), and there is a match with the last test shown above, and there was a variable to ENDALLTESTS (and deliver), then this would also cut down on processing requirements.

Thoughts anyone...?

Bill

--- [This E-mail scanned for viruses by Declude Virus]
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail.
The archives can be found at http://www.mail-archive.com.
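
The four-tier negative-weight test proposed in Bill Landry's message above, sketched as an added example; it is not Declude code and not from any poster in the thread. The function and parameter names are assumptions, "domain" is the last two labels as the post defines it, and "-15 or ENDALLTESTS" is modelled as a weight plus a flag the caller may honour.

```python
# Added illustration of the proposed HELO/RDNS/MAILFROM/IP-in-MX credit test.
# Names are hypothetical; DNS lookups are done by the caller and passed in.

def registered_domain(host):
    """Last two labels of a host name, per the post's definition of 'domain'.
    Naive on purpose: suffixes such as co.uk would need a public-suffix list."""
    labels = host.strip().rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def positive_weight(helo, rdns, mail_from, ip_in_mx):
    """Return (weight, end_all_tests) for one SMTP session.

    helo      -- name given in HELO/EHLO
    rdns      -- PTR name of the connecting IP, or None if there is none
    mail_from -- envelope sender address ("" for the null sender)
    ip_in_mx  -- result of the IPINMX test, computed by the caller
    """
    helo_dom = registered_domain(helo or "")
    rdns_dom = registered_domain(rdns or "")
    if not helo_dom or helo_dom != rdns_dom:
        return 0, False                     # base condition fails: no credit
    sender_dom = registered_domain(mail_from.rpartition("@")[2]) if mail_from else None
    from_match = sender_dom == helo_dom
    if from_match and ip_in_mx:
        return -15, True                    # strongest tier: caller may skip other tests
    if from_match or ip_in_mx:
        return -10, False                   # either extra match is worth -10
    return -5, False                        # HELO and RDNS agree, nothing more

# Constructed sample sessions (reserved example domains, not real traffic).
SAMPLES = [
    ("mail.example.com", "mx1.example.com", "alice@example.com", True),
    ("mail.example.com", "mx1.example.com", "alice@example.com", False),
    ("mail.example.com", "out.example.com", "news@example.org", True),
    ("mail.example.com", "out.example.com", "news@example.org", False),
    ("mail.example.com", "host.example.net", "alice@example.com", True),
    ("[192.0.2.7]", None, "", False),
]

if __name__ == "__main__":
    for session in SAMPLES:
        print(session, "->", positive_weight(*session))
```

HELO and MAIL FROM are supplied by the sender, so the credit really rests on the PTR record and the MX lookup, and the sketch does not forward-confirm the PTR name. A sender with its own correctly configured domain earns the same credit, which is why the result is a weight to combine with other tests.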
RE: [Declude.JunkMail] Positive attributes (was Test suggestion request for comments...)
group of managers and team leaders to suggest a list of good words which are often used in correspondence,

Hi Keith:

Actually I think what Bill was originally talking about and what I was trying to say was a way to actually credit good servers.

Let's say..

- No blacklists
- Valid REVDNS
- Valid Helo
- Valid looking email

other attributes that are purely server related. If all valid then one can assign a negative weight to. This would be to credit good servers.

Yahoo, Hotmail, etc. are always going to be problematic and I am not much concerned about them. My concern is if we can assign credit to good ones then our other filters can be a little more loosely defined.

Regards,
Kami
RE: [Declude.JunkMail] Positive attributes (was Test suggestion request for comments...)
And to state the obvious...

Giving negative weights to combinations of good server configurations would benefit correspondence from legitimate mail servers that would otherwise get tagged as spam by false positives on content filters, e.g. a joke e-mail with bad words or a newsletter with URLs that contain unnecessary IP addresses or escaped characters.

Kami suggested multiple different combinations that could be termed good, which means that a legitimate mail server wouldn't need to be perfect in every way in order to be scored good.

My own suggestion is combine the client source and the mail server with some logic. For example, if a message comes to my mail server from a mail server at c-67-160-69-182.client.comcast.net it is very likely to be spam; however if the source is c-67-160-69-182.client.comcast.net and the mail server is sccrmhc13.comcast.net then it is likely to be legitimate, even though both sources are likely to be listed in multiple ip4r databases*.

* Why? An open proxy or whatever on a consumer broadband network is unlikely to be a valid smtp server, and the whole range is in many blacklists. However, a message that comes from that range through the smtp server at that ISP is likely to be normal consumer mail.

Going a little further, a traveller on a laptop as a guest at some random ISP but using his smtp server at his own ISP is also going to look bad, but is not guaranteed spammy. If that guest IP is also in spamcop or some other fluid ip4r database, the balance of tests should push the message over the weight limit.

Andrew 8)

-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 2:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Positive attributes (was Test suggestion request for comments...)
group of managers and team leaders to suggest a list of good words which are often used in correspondence,

Hi Keith:

Actually I think what Bill was originally talking about and what I was trying to say was a way to actually credit good servers.

Let's say..

- No blacklists
- Valid REVDNS
- Valid Helo
- Valid looking email

other attributes that are purely server related. If all valid then one can assign a negative weight to. This would be to credit good servers.

Yahoo, Hotmail, etc. are always going to be problematic and I am not much concerned about them. My concern is if we can assign credit to good ones then our other filters can be a little more loosely defined.

Regards,
Kami