On Jul 31, 2013, at 10:08 PM, Kevin Miller <kevin_mil...@ci.juneau.ak.us> wrote:

> Problem is, the from address is often a "Joe job" - i.e., a forged address, 
> so the domain mentioned there likely doesn't have anything to do with the 
> actual source of the mail.  It seems to me that if the domain isn't the 
> actual source of the spam, it can be detrimental to be filtering on it, 
> particularly if Bayes is learning from it or your MTA auto-reports it to RBLs.
> 

Why would they use a forged domain which is on a blacklist? I think they would 
tend to use a domain which is well known with good reputation. As well known 
domains are getting protected, then they have to move to use their own domain, 
which happens to appear on a blacklist...

Now as we move to IPv6, reputation will shift from an IP based type reputation, 
to a domain based type reputation. Unfortunately, SpamAssassin seems to be 
lacking some rules.

Nevertheless, it does not matter if it is the right or wrong direction, my 
question remains: how do I create such a rule?
