On 3/6/2005 2:58 AM, Kelson Vibber wrote: > A rather extreme example would be the series of rules that targeted mail > programs that spammers rarely used -- things like Pine, Mutt, Mozilla, etc.
I know you said that this is an extreme example, but it's also a good one on a couple of different levels. Verifiable metrics are the only thing that can be used, and good ones are hard to find given the current state of SMTP and even management levels. But, compare this to something like scoring against TLS encryption strength. Spammers are motivated to send as fast as possible, and strong encryption is counter-productive to that mission (increasingly so), and they can't fake it because it can be validated by a trusted relay. So even thnough some percent will FP on this (eg, malware sending through a local submission might get TLS from their local relay), it hits the right notes, and is therefore useful. That's all I'm saying: I disagree with the point slightly, which is that simple tests may not have proven useful, but verifiable attributes can be useful, particularly if there are more of them. -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
