On Thursday, February 3, 2005, 10:24:31 PM, William wrote:

WVH> Pete,

WVH> Do you have a list of IP addresses or networks that I can whitelist in my
WVH> anti-spam filters for any messages that may originate from you or the
WVH> mailing list regarding Sniffer/SortMonster?

You should be safe by grabbing the IP out of the headers from this
list. They should not change in the short term.

WVH> I used to whitelist entire domains by domain name, but am finding that far
WVH> too many spams are forging legit domains to the point where that really
WVH> can't be counted on. In fact, I very well may have to get rid of the
WVH> whitelisting of addresses altogether, as I've noticed that spammers are now
WVH> using relatively well-known return addresses (mostly that of airlines,
WVH> travel agencies, popular mailing lists, etc.) to get by spam filters,
WVH> knowing that those addresses are highly apt to be whitelisted. Since address
WVH> headers are so easy to forge, whitelisting by IP address is about the only
WVH> verifiable thing in the headers that I can count on for whitelisting
WVH> purposes anymore.

When we create white rules we almost always use a combination of
features. It's really the only way - and even then we're always
prepared to change the features in case a white rule is found out and
exploited. All white rules are almost exclusively bound to single
systems also -- since any global white rules would be targets just
asking for exploitation.

WVH> BTW, I have not noticed any uptick in porn spams slipping by Sniffer
WVH> filters. However, using porn in the subject line of a recent mailing to the
WVH> list did trigger some of my own filters. :-)

We can't be quite so strict :-) but the uptick is probably real on a
case by case basis. The new campaigns from the porn spammers have had
a tendency to hit a particular system very hard before moving on. If
we're not early in the rotation then they might get through -- this
is purely a matter of timing. Plus, we know from monitoring the
alterations they are making that they are watching our filters and
using them to look for variations that will pass -- in the same way
they do with SA and other systems. Big money in porn - so they spend
some effort on it. Our response is to make rules as quickly as
possible and to reverse engineer any scripting they are using so we
can generate abstract rules... that often holds them off for a bit,
but they are always back eventually.

Best,

_M




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
