Pete,
So would the Message-ID produce a hit if it was in the body of a message? The reason why I ask is because I'm concerned about the possibility of legitimate servers getting tagged with Experimental and how that plays into my system.
Am I also to assume that you have some protections in place to protect from bounce messages from Joe-Jobs getting a server listed in Experimental? I have definitely seen some of these where legitimate bounces were tagged with Experimental, and I'm guessing this was the result of spam being relayed or bounced.
Matt
Pete McNeil wrote:
On Sunday, June 13, 2004, 11:49:21 PM, Matt wrote:
M> Pete,
M> I've been seeing a good deal of Experimental hits on bounce messages, primarily with the Nazi spam that has been forging recipients, but I've seen these on other messages that seemingly don't have any spam content, though most of course do involve spam.
M> I was wondering if this is due to IPs being logged for spamtrap hits from these bounces, or if it was due to something else. If these are IP related, it would likely be problematic.
There may be a few IPs involved but I suspect it's a new message-id rule we have in place. It seems that the Nazi spam is delivered with a forged qmail header that qmail would never produce. The rule is somewhat broad so we've left it in the experimental group - just in case something about it turns out to be problematic.
Most of the Nazi spam rules are actually coded for known subjects and generalizations of these.
M> And another related question regarding the Nazi spam. Would it be possible to move these rules from Experimental to another category such as Malware or General? Personally I have grown accustomed to Experimental being a category for rules that are not as reliable and more likely to hit on personal E-mail so I weight it low; on the other hand, this Nazi stuff is certainly problematic and I'm hoping that your rules are tight enough to place in another category. I do have a filter that deals with bounce messages from Joe-Jobs by testing for both a Sniffer hit or other content related filter along with indications of a null sender or other sign of a bounce, but I was excluding Sniffer-Experimental from this.
It's a close call but I think the rules we have are in the right places - at least for now.
_M
This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================