> How many have you seen? I suppose it's probably our fault; spammers are > probably forging those domains precisely to bypass SA. It might > well be time to > remove 60_whitelist.cf
The only one I've seen that might have been intended to deceive SA was one with an @amazon.com address for no good reason. What I've mostly seen are a couple of ebay-related spams that use @ebay.com addresses to look more legitimate, and frequent paypal trojan messages (copies of paypal newsletters with URLs redirected to a server that collects passwords) using @paypal.com addresses to look like the real thing. The main reason whitelisting seems bad right now is the last case - whitelisting messages like that might actually cost someone money, not just annoy them. Since this sort of thing is becoming common, I've started using whitelist_to instead for things like PayPal and Ameritrade, using a special address for each. (I tell PayPal my address is [EMAIL PROTECTED], and then whitelist_to that address since spammers have no way of knowing that address.) Here's an idea: keep the whitelist but make a separate default_whitelist_from directive that acts the same as whitelist_from but can have its own score, and use default_whitelist_from in 60_whitelist.cf. That way (a) anyone can turn off the default whitelist with a single score entry in a preference file, and (b) spam reports will refer to the "default whitelist" so it's easy to diagnose when cases like this happen. -- michael moncur mgm at starlingtech.com http://www.starlingtech.com/ "Efficiency is intelligent laziness." -- David Dunham _______________________________________________________________ Have big pipes? SourceForge.net is looking for download mirrors. We supply the hardware. You get the recognition. Email Us: [EMAIL PROTECTED] _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk