From: "Rob McEwen" <[EMAIL PROTECTED]>
> Jdow said:
> >>"I have found, in general, that whitelisting mailing lists
> >>is not a very good idea" ... "I also find spams appear
> >>on unmoderated Yahoo Groups." ... "a blanket white list of
> >>the sort you propose would likely turn me white with anger"...
>
> Thanks for the reply... but that is why I said in my original post:
You did not say it forcefully enough. So I amplified it. {^_-}
> >>"but without whitelisting other real spam"
>
> Also, I'm more worried about SURBL (& other URI checker) hits on these
than
> rules hits.
I don't get SURBL hits on them.
> Still, do you find such spam coming from those lists which are 100%
opt-in?
> If Yahoo 100% opt-in?
Yahoo is 100% request to join and jump through hoops style opt-in with
forgery protections. There are still times idiots try to launch spam
to the groups.
LKML is also 100% request to join and jump through hoops style opt-in
with forgery protections. It still gets a trifle too much spam for my
tastes. (It takes a special kind of idiot, though, to spam THAT list.)
> For the spam from Yahoo, is there a pattern? For example, I find that the
> greatest risk for FPs are those instances where the list saves up a day's
> worth of posts and then sends all of it in one e-mail.
Nope.... Well, yes there is. Each list's spams are different from
other lists. (What was really odd lately is a cretin joined several
ham radio related "moderator has to approve your joining" lists and
advertised for communications technicians to work in Bangalore. What
is really more odd yet is that I think I know which company in
Minnesota is looking for those employees. (A friend terminated his
relationship with the company by showing spread-sheets to the upper
management that showed their plans to offshore to Bangalore would
cost more than remaining in Minneapolis. The CFO, whose wife is from
Bangalore, was hardly amused.))
> Therefore, maybe a rule which considered ALL of the following would work:
>
> (1) sending server's IP
> (2) MAILFROM
> (3) size of the e-mail (maybe not including attachments), and
> (4) > X number of e-mail addresses found in the body of the message.
>
> Perhaps this kind of rule could whitelist the messages at highest risk of
> being a FP message without whitelisting the occasional list spam?
I do not white list any list servers. They feed through the spam filters
like anything else. I must have a magic set of filters. Aside from the
mentioned exceptions, chiefly LKML, I do not get false positives, from
lists or not.
The trick for you, I suspect, is to look into which rules are the
ones triggering on the lists. Look for a pattern with it. Maybe you
need to trim back a rule set or two. I do not use the most aggressive
SARE rule sets. I use the set one down from most aggressive. I have
also built a small compendium of custom rules that are probably unique
to my needs. The brought me down from about 1% missed spam and a few
FPs a day down to what I have now, almost perfect.
{^_^}
