Hi Jonathan:

That's exactly the problem. These particular rules were blocking Google mail
servers - NOT specific content.

Obviously, as already discussed in the past, it IS necessary that these
IP-based blocks are put under a higher scrutiny. I'm not suggesting that the
"automatic" bots should be disabled, I'm just proposing that "intelligence"
must be incorporated that will use RevDNS and WHOIS to identify POSSIBLY
undesirable blocks and to flag those for human review by Sniffer personnel
so that they don't end up poisoning mail servers of all their clients.

I understand that occasionally some innocent IP can be added accidentally
and there is little to avoid that -- but for the top 50 email domains, extra
security/intelligence should be in place so that we don't suddenly reject
huge volumes of legitimate mail by blocking hotmail, aol, yahoo, google or
similar providers! These kinds of errors can be caught much earlier.

Example - if an "IP rules qualifier" script would do a simple DNS lookup to
validate the IP address through SPF and if the RevDNS indicates one of those
top 50 email domains, then we can be virtually certain that this IP address
should not be blocked. Instead other (= content) rules must be used to block
the specific Spam.

If the script would also print a column of WHOIS and RevDNS information and
sort it by domain, then it will be very easy for a human to review that
list and zero in on a few "worrisome" IP rules to qualify if they should
remain in place or need to be yanked in a hurry!

Best Regards,
Andy
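
One way the "IP rules qualifier" described in the message above could look, as an added example that is not part of the original thread and not Message Sniffer's own code. It covers only the RevDNS check (no SPF or WHOIS), adds forward confirmation of the PTR name, and uses a constructed provider table, rule ids, hostnames and DNS data so it runs offline.

```python
import socket

# Assumed excerpt of the "can't block" provider table (constructed, not from the thread).
PROTECTED = {"google.com", "hotmail.com", "aol.com", "yahoo.com"}

def system_ptr(ip):
    """Reverse (PTR) lookup via the system resolver; None if there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0].lower().rstrip(".")
    except OSError:
        return None

def system_a(host):
    """Forward lookup via the system resolver; empty set on failure."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()

def protected_domain(host):
    """Return the protected domain that host equals or is a subdomain of, else None."""
    return next((d for d in PROTECTED if host == d or host.endswith("." + d)), None)

def qualify(rules, ptr=system_ptr, fwd=system_a):
    """rules: iterable of (rule_id, ip). Returns review rows sorted by domain."""
    rows = []
    for rule_id, ip in rules:
        host = ptr(ip)
        dom = protected_domain(host) if host else None
        # A PTR record is set by whoever controls the address, so trust it only
        # when the name resolves back to the same IP (forward-confirmed RevDNS).
        confirmed = bool(host) and ip in fwd(host)
        # HOLD: confirmed major provider, needs human review before going live.
        # SUSPECT: PTR claims a provider name but fails forward confirmation.
        verdict = "HOLD" if dom and confirmed else "SUSPECT" if dom else "OK"
        rows.append((dom or host or "(no PTR)", rule_id, ip, verdict))
    return sorted(rows)

# Constructed sample data: documentation IP ranges, made-up rule ids and hostnames.
SAMPLE_PTR = {"192.0.2.10": "mail-out-1.google.com", "198.51.100.7": "smtp.google.com",
              "203.0.113.5": "host5.dialup.example.net"}
SAMPLE_A = {"mail-out-1.google.com": {"192.0.2.10"}, "smtp.google.com": {"192.0.2.99"},
            "host5.dialup.example.net": {"203.0.113.5"}}
SAMPLE_RULES = [("R-1001", "203.0.113.5"), ("R-1002", "192.0.2.10"),
                ("R-1003", "198.51.100.7"), ("R-1004", "192.0.2.200")]

def demo():
    """Run the qualifier over the sample rules using the offline lookup tables."""
    return qualify(SAMPLE_RULES, SAMPLE_PTR.get, lambda h: SAMPLE_A.get(h, set()))
```

Calling `qualify(rules)` without the `ptr` and `fwd` arguments uses the system resolver instead of the sample tables.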

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Jonathan Hickman
Sent: Tuesday, April 03, 2007 5:00 PM
To: Message Sniffer Community
Subject: [sniffer] Re: How to incorporate a white list?

This has been suggested in the past; however, I forgot the reason for not
doing so.  Personally, if someone is spamming, I do not care about the
source.  I would want it to stop.  IP blocking is dangerous, and content
often seems the most effective method of blocking spam.  If the blocks are
based on content rather than IP, it does not matter who is sending it
because it should be blocked because it appears to be spam.  If it is
blocked based on IP, the potential for false positives increases greatly as
soon as people become overzealous.

Jonathan Hickman

----- Original Message ----- 
From: "Andy Schmidt" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" <sniffer@sortmonster.com>
Sent: Tuesday, April 03, 2007 12:40 PM
Subject: [sniffer] Re: How to incorporate a white list?


> Hi,
>
> Unless I'm mistaken, rule 1370762 was targeting the same address range.
>
> If I may make a suggestion:
> Before the spam-trap robots are allowed to block major, well-known and
> easily recognizable email providers, how about the robot script pulls a
> WHOIS and a Reverse DNS and runs that data against a table of "can't block"
> entities - or at least spits those out for "human review".
>
> If that can't be done, then how about the robots issue an hourly report of
> "suspect" IPs. A no-brainer script can pull matching WHOIS and RevDNS for
> quick human review and overriding (if necessary).
>
> I would rather those obvious bad rules are caught before or very quickly
> after they go live. There is always some delay before I get first reports
> until I realize that this is a "real" problem. Then I have to try to get
> headers from end-users before I can dig into logs... Hours and hours pass
> (especially if it's overnight events). In the meantime the problem escalates
> all around me.
>
> Thanks,
> Andy
>
> -----Original Message-----
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
> Of Pete McNeil
> Sent: Tuesday, April 03, 2007 11:09 AM
> To: Message Sniffer Community
> Subject: [sniffer] Re: How to incorporate a white list?
>
> Hello Andy,
>
> Tuesday, April 3, 2007, 9:36:17 AM, you wrote:
>
> > Hi Phil,
>
> > Yes, it seems as if some Sniffer rules, e.g., 1367683, is broadly targeting
> > Google's IPs.
>
> > I've submitted 3 false positive reports since last night, at least two of
> > them were Google users, one located in the U.S. and the other in the
> > Netherlands!
>
> This IP rule has been pulled.
>
> FP processing will happen shortly.
>
> _M
>
>
>
> #############################################################
> This message is sent to you because you are subscribed to
>   the mailing list <sniffer@sortmonster.com>.
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> Send administrative queries to  <[EMAIL PROTECTED]>
>


