On Monday, June 14, 2004, 12:33:24 AM, Matt wrote:

M> Pete,
M> So would the Message-ID produce a hit if it was in the body of a
M> message? The reason why I ask is because I'm concerned about the
M> possibility of legitimate servers getting tagged with Experimental and
M> how that plays into my system.

It would if it were quoted exactly like a header - which almost never happens - and if it did then it would most certainly have to be a technical discussion about this type of header. Such lists that discuss spam should already be white-listed by the subscribers due to other possible matches in their systems (at least that is best practice).

In any case this rule and the others that we code are designed never to match any kind of legitimate email - unless they are coded specifically for that purpose as white rules. It's possible for us to err - but we work really hard to avoid that.

M> Am I also to assume that you have some protections in place to protect
M> from bounce messages from Joe-Jobs getting a server listed in
M> Experimental? I have definitely seen some of these where legitimate
M> bounces were tagged with Experimental, and I'm guessing this was the
M> result of spam being relayed or bounced.

If a bounce gets tagged it is probably because the bounce message itself has matching content - most likely a subject line. We've considered this might be an issue - but there is really nothing practical that can be done about it on a global level (since any rules to mitigate this would be highly specific to the system receiving the bounces). Also, we've seen that the overwhelming majority (all as far as we can tell) of these messages are bogus anyway since their content and their source data is not only forged but usually heavily modified by the server doing the bounce... for example, virus rejections from forging viruses etc. In the current context I'd bet the majority of bounces that are matching are matching on subjects, since that is a commonly quoted element in a bounce message.

The majority of experimental rules that get coded are added due to a spam hitting our spamtraps. We are careful to watch for bounce messages, delivery reports, virus trap reports and so forth. We almost never take an IP rule from a user submitted spam unless we can match it with at least two other sources such as SBL + spamcop or something similar. (User submitted spam is considered insecure and potentially hostile.)

When we do tag a legitimate server (which happens on occasion) the offending IP rule is removed permanently on the first report. Any rule removed in this way is prevented from being added by default. Over time we have already blocked the addition of most legitimate servers that might get tagged in this way. (In any case, IP rules are not our focus - rather they are just another component of our rulebase that helps to expand the effect of a captured spam.)

---

One interesting thing we do take from joe-job bounces though is subject lines and occasionally content if it is included in the bounce. In these cases we always know that we are looking at a bounce. For example, if we get a bounce of a snake-oil spam that contains new obfuscated forms of drug names then we will take that opportunity to code rules for those obfuscation forms - no sense wasting data. In this case the source is completely ignored.

None of our rules are currently added by an automated system. Rather, all of our rules are currently added by human review - occasionally suggested by automated systems. This will remain the design of our process with some heavily restricted exceptions in the future. While it is possible for us to make a mistake, it is not possible for any "grand automated mistakes" to occur since every change is at least managed by some human trained to understand the content they are seeing - and with extremely rare exceptions each change is made one rule at a time.

Hope this helps,

_M

This E-Mail came from the Message Sniffer mailing list.
For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
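As an added illustration of the two matching behaviours the reply describes (a Message-ID rule that only fires on a header-shaped line, and a subject rule that fires on the subject a bounce quotes back), here is a small Python scanner. It is not Message Sniffer's code; the rule patterns, the example.invalid addresses and the bounce heuristic are constructed assumptions.

```python
import re

# Constructed rules in the spirit of the thread (not Message Sniffer's own):
# a header rule keyed to one spam's Message-ID and a subject rule with an
# obfuscated drug name.
HEADER_RULES = {
    "exp-msgid": re.compile(r"^Message-ID:\s*<blast-\d+@example\.invalid>\s*$", re.I | re.M),
}
SUBJECT_RULES = {
    "exp-subject": re.compile(r"c\W?h\W?e\W?a\W?p\s+v[i1]agra", re.I),
}

def split_message(raw):
    """Split RFC 822 text into its header block and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head, body

def is_bounce(head):
    """Bounce heuristic (assumed): null return path or a delivery-status report."""
    return bool(re.search(r"^(Return-Path:\s*<>|Content-Type:\s*multipart/report)",
                          head, re.I | re.M))

def scan(raw):
    """Return (hits, blame_source).
    Header rules are anchored at line start, so a Message-ID in the body only
    hits when it is quoted exactly like a header line. Subject rules run over
    the Subject header and the body, where a bounce quotes the original
    subject. Hits on a bounce are kept (the quoted content is real spam data)
    but the sending server is not blamed for them."""
    head, body = split_message(raw)
    hits = [n for n, rx in HEADER_RULES.items() if rx.search(head) or rx.search(body)]
    m = re.search(r"^Subject:(.*)$", head, re.I | re.M)
    subject = m.group(1) if m else ""
    hits += [n for n, rx in SUBJECT_RULES.items() if rx.search(subject) or rx.search(body)]
    return hits, bool(hits) and not is_bounce(head)

# Constructed sample messages: the spam itself, a list post that mentions the
# spam's Message-ID in running text, and a bounce that quotes the spam's headers.
SPAM = ("Return-Path: <x@example.invalid>\nMessage-ID: <blast-42@example.invalid>\n"
        "Subject: C.h.e.a.p V1agra\n\nbuy now\n")
DISCUSSION = ("Return-Path: <pete@example.invalid>\nMessage-ID: <list-7@example.invalid>\n"
              "Subject: Re: experimental rule question\n\n"
              "The rule keys on <blast-42@example.invalid>, which only appears in spam.\n")
BOUNCE = ("Return-Path: <>\nContent-Type: multipart/report; report-type=delivery-status\n"
          "Subject: Undelivered Mail Returned to Sender\n\n"
          "The original message headers were:\nSubject: C.h.e.a.p V1agra\n"
          "Message-ID: <blast-42@example.invalid>\n")
```

`scan(SPAM)` hits both rules and blames the source, `scan(DISCUSSION)` hits nothing, and `scan(BOUNCE)` hits both rules but leaves the bouncing server unblamed.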