Pete,

I reviewed my Hold range going back to Monday morning and I wasn't able to find anything out of the ordinary. I also searched my logs from my URIBL tool that queries SURBL among other things, and I wasn't able to find any hits for those domains that you pointed out. I guess that I wasn't affected.

As far as promoting such domains to Sniffer through automated means goes, I believe that this helps substantiate the need for adding extra qualifications. For instance, the chances of a 2-letter dot-com domain being a legitimately taggable spam domain are almost zero. To a lesser extent the same is true as you add on more characters. Also, it would be very helpful for such situations and false positives in general if you were to track long-standing domains that appear in ham and not add these automatically by cross-checking these blacklists. There are many different ways to accomplish this. I have found over time that foreign free E-mail services can get picked up by Sniffer, and because these services are frequently forged and legitimate traffic is low enough that people don't often notice or report false positives, these rules stay high in strength and live a very long time. You can in fact prevent this from happening to a large extent with further validation. SURBL is subject to false positives on such things, but they expire such rules using different techniques that prevent them from being long-term issues, whereas these cross-checked false positives can have a life of their own on Sniffer sometimes.

Thanks,

Matt



Pete McNeil wrote:

On Tuesday, January 17, 2006, 7:21:11 AM, Matt wrote:

M> Pete,

M> w3.org would be a huge problem because Outlook will insert this in the
M> XML headers of any HTML generated E-mail.

M> If you could give us an idea of when this started and possibly ended,
M> that would help in the process of review.

Indications are that the rule was in our system for only a couple of
hours this morning before we caught what was going on. Many folks
won't have ever seen the rule... though it may still be in surbl.

In fact, all of these rules that we know of followed very much the
same profile. Two of us were working in the rulebase at the time due
to heavy outscatter from a fake ph.d campaign and several new variants
of chatty_watches, chatty_drugs, and druglist.

We're continuing to look for any rules that might have entered our
system this way and we haven't found any new ones since about the time
I wrote my first post on it.

I'm about to run through false positives to see what might have been
reported and remove those.

Hope this helps,

_M



This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
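
The two qualifications suggested in the message above (hold very short domains, and hold domains with a long history in ham) can be written as a gate in front of automatic rule promotion. This is an added example, not code from the thread or from Message Sniffer; the thresholds, function names and sample history are assumptions constructed for illustration.

```python
from datetime import date

# Assumed thresholds (not from the thread); tune against your own traffic.
MIN_LABEL_LEN = 3       # shorter registrable labels are never auto-promoted
HAM_MIN_AGE_DAYS = 90   # "long-standing": first seen in ham this long ago
HAM_MIN_MESSAGES = 20   # and seen in at least this many ham messages

def registrable_domain(domain):
    """Last two labels, e.g. 'w3.org' for 'www.w3.org'.
    Simplification: assumes a single-label TLD (no public-suffix lookup)."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def gate(domain, ham_history, today):
    """Decide whether a blacklist-listed domain may become a rule automatically.
    ham_history maps registrable domain -> (first_seen_in_ham, ham_message_count).
    Returns (decision, reason); 'hold' means send to manual review."""
    reg = registrable_domain(domain)
    label = reg.split(".")[0]
    if len(label) < MIN_LABEL_LEN:
        return ("hold", "short domain")
    seen = ham_history.get(reg)
    if seen is not None:
        first_seen, count = seen
        age_days = (today - first_seen).days
        if age_days >= HAM_MIN_AGE_DAYS and count >= HAM_MIN_MESSAGES:
            return ("hold", "long-standing ham domain")
    return ("promote", "no objection")

# Constructed sample data: a free-mail service with years of ham traffic and
# a domain that only appeared in ham a week ago.
TODAY = date(2006, 1, 17)
HAM_HISTORY = {
    "freemail.example": (date(2004, 6, 1), 340),
    "newshop.example": (date(2006, 1, 10), 3),
}

if __name__ == "__main__":
    for d in ("www.w3.org", "mail.freemail.example",
              "newshop.example", "pills-cheap.example"):
        print(d, gate(d, HAM_HISTORY, TODAY))
```

Held domains are not discarded; they go to a person for review, so a forged free-mail domain still gets looked at without becoming a long-lived rule on its own.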



