http://bugzilla.spamassassin.org/show_bug.cgi?id=1375
------- Additional Comments From [EMAIL PROTECTED] 2004-03-02 15:00 -------

Re: your comments

"If SA has to look up hundreds of legitimate domains to process each message, that will slow down processing too much."

if they are including hundreds of links in each message, that alone is a good trigger rule for SA. again, a self defeating attack that i don't think any spammer would use for long.

"Spammers can create throwaway domains and host them on DNS servers that are designed to slow down anything that queries them. The distributed nature of DNS only helps to the degree that queries are cached, but spam can contain variations of host names that will ensure that doesn't help."

you can look up the SOA and reference to an RBL of known bad DNS servers (or bad hosting networks in general. eg SOA which points to DNS server in china). since the SOAs are kept in the roots, "deliberately slow dns servers" won't have any effect. a single match would be good enough to bail out on.

as for bogus domains, NXDOMAIN comes back fairly quickly. (but if sitefinder ever comes back... ugh.). lots of NXDOMAINs would definitely be another good SA high scoring rule.

i do categorically disagree with your assertion that empty link tests are useless. otherwise there is no reason for 99% of rules in SA, because spammers do not always use the same rules and keep changing them. if even one spammer uses that technique, it is enough to justify its existence. (and the fact that false positive on the rule is rather unlikely)

IMHO your proposal to interpret images is even worse by several orders of magnitude than DNS lookups, because now SA has to download referenced images and interpret them, which is far more resource intensive than simple SOA queries. there simply is no way to determine if a link is visible or not, anything you check for, spammers would just _always_ link to images to defeat any check you could possibly do for visibility. or they would simply make them visible (but useless). and then all your efforts on this checking are wasted. the empty href check is a simple one and would already be catching spams today.
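The two offline checks this comment argues for (a rule that fires on an unusually large number of links, and the empty link test), sketched as an added example that is not part of the original comment and is not SpamAssassin code. It assumes an "empty link" is an anchor with an href that encloses no text and no image; the host threshold and the sample message are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_DISTINCT_HOSTS = 20  # assumed threshold, not a SpamAssassin value

# Constructed sample message body.
SAMPLE = ('<p>Buy now <a href="http://shop.example/offer">click here</a></p>'
          '<a href="http://filler-one.example/"></a>'
          '<a href="http://filler-two.example/"> </a>'
          '<a href="http://pics.example/"><img src="x.gif"></a>')

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hosts = set()
        self.empty_links = []
        self._open = None  # [href, has_content] for the anchor being parsed

    def _close_anchor(self):
        if self._open and not self._open[1]:
            self.empty_links.append(self._open[0])
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._close_anchor()  # a previous anchor was never closed
            href = dict(attrs).get("href")
            if href is not None:
                try:
                    host = urlsplit(href.strip()).hostname
                except ValueError:  # malformed URL, e.g. a broken IPv6 literal
                    host = None
                if host:
                    self.hosts.add(host)
                self._open = [href.strip(), False]
        elif tag == "img" and self._open:
            self._open[1] = True  # image counts as content; visibility is not judged

    def handle_endtag(self, tag):
        if tag == "a":
            self._close_anchor()

    def handle_data(self, data):
        if self._open and data.strip():  # whitespace and &nbsp; alone do not count
            self._open[1] = True

def audit_links(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    parser._close_anchor()
    hosts = len(parser.hosts)
    return {"empty_links": parser.empty_links, "distinct_hosts": hosts,
            "too_many_hosts": hosts > MAX_DISTINCT_HOSTS}
```

Neither check performs a DNS query or fetches an image, so both can run before any SOA or NXDOMAIN lookups are attempted.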
