Hi Scott and all,

We added a test to SpamManager that has produced some really interesting
results.

What we are doing is to track the 2000 (user configurable) most recent spammer
IP addresses. The list is maintained as an MRU style list (sorted with the
most recent at the top). If incoming messages reach a user defined score, the
IP address of the spammer is added to the list.

As part of our testing procedure for our own lists, we validate the results of
our spam trap accounts and internal email accounts against most of the public
DNS lookup databases and the 3 we subscribe to mostly to determine their
weighting.

Prior to implementing this test, roughly 40% of spam we received also got hits
from one or more of the DNS lookup databases with SpamCop having the best
results (false positives ignored).

Here is what we found. After about 3 weeks of data collection, only about 1 in
400 incoming spams is identified by a DNS lookup, and NOT on the list of the
2000 most recent spammers. Also, of all the spams we receive on all accounts,
about 43% are on the recent spammer list, meaning that almost half of the
spams we receive are from senders that have spammed us before.

In analyzing this data, we found that spam trap accounts that were set up at
the same time, and use the same methods, have a totally different mailing list
distribution after a couple of months. This analysis supports our supposition
that a locally maintained list of spammers is going to be a lot more accurate
than some centrally maintained DNS lookup database. Also we routinely get lots
of spam reported to us that we have never seen, also indicating that spam
mailing lists evolve into lists that tend to be very unique, and that a few
originators are responsible for a majority of spam for each account.

I was thinking that it would probably be a relatively simple matter to add
such a test in a future version of declude. If an incoming message reached a
certain weight, it could be added to a recent spammer list. This list could be
checked along with other internal tests _before_ DNS tests are performed, and
this could push a weighting up high enough that external DNS lookups could be
skipped. 

The effect of this is that by using an individualized IP address scheme,
processing time per message could be greatly reduced, resulting in fewer
resource problems and faster delivery times.

Anyway, I thought this would make an interesting topic for discussion.

Brian Milburn
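The list described above, as an added example that is not from the post or from Declude: a bounded most-recently-used list of sender IPs, a record rule that adds a sender once a message reaches a score threshold, and a scoring order that consults the list before any DNS test and skips the DNS lookups when the score is already high enough. The capacity of 2000 comes from the post; the threshold and weight values, the message fields, the sample messages and the stand-in DNSBL set are constructed for illustration.

```python
from collections import OrderedDict

# Illustrative values (assumptions, not Declude settings).
ADD_TO_LIST_SCORE = 20      # a message scoring this high records its sender IP
RECENT_SPAMMER_WEIGHT = 15  # weight added when the sender is on the recent list
DNSBL_WEIGHT = 10           # weight added on a DNS lookup hit
HOLD_SCORE = 20             # at or above this score the DNS tests are skipped


class RecentSpammerList:
    """Bounded MRU list of recent spammer IPs: the most recent entry is kept
    at the end of the OrderedDict, the least recent is evicted when full."""

    def __init__(self, capacity=2000):
        self.capacity = capacity
        self._ips = OrderedDict()

    def add(self, ip):
        """Record ip as the most recent spammer, evicting the oldest if needed."""
        if ip in self._ips:
            self._ips.move_to_end(ip)
        else:
            self._ips[ip] = None
            if len(self._ips) > self.capacity:
                self._ips.popitem(last=False)  # drop least recently seen

    def contains(self, ip):
        """A hit also refreshes recency, so repeat senders stay on the list."""
        if ip in self._ips:
            self._ips.move_to_end(ip)
            return True
        return False

    def __len__(self):
        return len(self._ips)


def score_message(msg, recent, dnsbl_lookup, stats):
    """msg has 'ip' and 'internal_score' (sum of the cheap internal tests).
    Order of tests: internal tests, recent-spammer list, then DNS only if the
    score is still below HOLD_SCORE. Returns the final score."""
    score = msg["internal_score"]
    if recent.contains(msg["ip"]):
        score += RECENT_SPAMMER_WEIGHT
    if score < HOLD_SCORE:
        stats["dns_lookups"] += 1
        if dnsbl_lookup(msg["ip"]):
            score += DNSBL_WEIGHT
    else:
        stats["dns_skipped"] += 1  # external lookups avoided entirely
    if score >= ADD_TO_LIST_SCORE:
        recent.add(msg["ip"])
    return score


# Constructed sample traffic: one repeat spammer (listed in the stand-in
# DNSBL) and one low-scoring sender that is never listed.
SAMPLE_MESSAGES = [
    {"ip": "203.0.113.5", "internal_score": 18},
    {"ip": "198.51.100.7", "internal_score": 5},
    {"ip": "203.0.113.5", "internal_score": 18},
    {"ip": "203.0.113.5", "internal_score": 12},
    {"ip": "198.51.100.7", "internal_score": 5},
]
FAKE_DNSBL = {"203.0.113.5"}  # constructed, stands in for a real DNS lookup


def run_simulation(messages=SAMPLE_MESSAGES, capacity=2000):
    """Score the sample messages in order; return (scores, stats, recent list)."""
    recent = RecentSpammerList(capacity)
    stats = {"dns_lookups": 0, "dns_skipped": 0}
    scores = [score_message(m, recent, lambda ip: ip in FAKE_DNSBL, stats)
              for m in messages]
    return scores, stats, recent


if __name__ == "__main__":
    scores, stats, recent = run_simulation()
    print("scores:", scores)          # [28, 5, 33, 27, 5]
    print("stats:", stats)            # 3 lookups, 2 skipped
    print("on recent list:", list(recent._ips))
```

The first message from the repeat sender still needs a DNS lookup; every later message from that IP is caught by the local list and never reaches the DNS tests, which is the processing-time saving the post argues for. The eviction rule keeps the list at its configured size, so a burst of one-off senders ages out older entries rather than growing memory.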

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.