I share your pain! We've been live with Declude and HOLD actions for about a week, and I've been beavering away at building our whitelist for 2 weeks.
In a nutshell, I'm building the whitelist because I want to keep my SPAMCOP HOLD action (and a few others). I've established with our team that going to a pure weighted system is probably in our future. I've added in 13 domain whitelists because SPAMCOP and OSS list DartMail.com; heck, I used to manually blacklist flow-whatever. I haven't checked yet whether we are getting actual spam or just mailing lists from DartMail.com, so I haven't whitelisted the HELO instead. Anybody else have a view to share on what they are getting from DartMail? The thing I really hate about whitelisting is that a piece of spam gets an express ride to our mailboxes if the spammer (or the next Hybris virus) fakes a "from" address on my whitelist. A nifty feature would be to have a whitelist count against a specific test; but I suspect that Scott would instead council going with a pure weighted system. A variation on that feature, to counteract the fake "from" address, would be to whitelist a combination of the current whitelist style plus a source, e.g. WHITELIST FROM hotmail.com WHEN REVDNS ENDSWITH hotmail.com OTOH, Scott's been keeping mum about the future of filtering; I suspect that my suggestions could be "user driven" if he implements regular expressions (hint, hint). Andrew Colbeck Technical Specialist IT Department --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.