On Wed, 16 Jan 2008, Matt Kettler wrote:
>Yes. In fact, IP based URLs occur more commonly in nonspam than spam. 

Matt, yes this is correct, however in this particular case "nonspam" is 
perhaps a bit broad.  It's been my experience that these almost always
occur in mass marketing ham, not person-to-person ham.

Perhaps I'm being :) pedantic, but I do feel it's a useful distinction, 
mainly depending on what OTHER tools one can deploy.

Jason, three potentially useful tactics are (listed in order of greatest 
ease-of-implementation and lowest risk):
- use IP to Nation tests
- apply John Rudd's Botnet algorithm (fantastic results!)
- skip list specific IP ranges, kill anything else on sight, sort out FPs
later

Personally, I'm killing on sight, applying a bonus for nation, and using 
John's Botnet algorithm as part of my False Positives Hunting tool.  Any 
detected FP-ing IP blocks are then added to the recipient's IP or domain 
skip list.

The main reason for that aggressive stance is that spammed raw IP URLs are 
often malware distribution points.  A quick poll of my users produced 
complete agreement that the risk to non-sophisticated users is so high, that 
a 1-7 day delay is acceptable, given that these almost always occur in 
non-business marketing junk.

It really boils down to your userbase and your available tools.
        - "Chip"
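
The third tactic in the list above (skip-list known IP ranges, kill anything else), shown as an added Python example that is not from this thread or from SpamAssassin. The function names, verdict strings and sample addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress
import re

# http(s) URL whose host is a dotted-quad literal. The lookahead rejects
# hostnames that merely start with digits, e.g. 198.51.100.7.example.com.
RAW_IP_URL = re.compile(
    r"https?://(?:[^/\s@]*@)?(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
    r"(?=[/\s?#>\"']|$)",
    re.IGNORECASE,
)


def raw_ip_hosts(body):
    """Return the valid IPv4 literals used as URL hosts in body, in order."""
    hosts = []
    for match in RAW_IP_URL.finditer(body):
        try:
            hosts.append(ipaddress.IPv4Address(match.group(1)))
        except ipaddress.AddressValueError:
            continue  # looks like an IP but is not one, e.g. 999.1.1.1
    return hosts


def classify(body, skip_list):
    """Return ('pass', []) or ('kill', [unlisted addresses]).

    skip_list is the recipient's list of CIDR ranges already cleared
    as false positives (hypothetical format: plain CIDR strings).
    """
    nets = [ipaddress.ip_network(cidr) for cidr in skip_list]
    unlisted = [
        ip for ip in raw_ip_hosts(body)
        if not any(ip in net for net in nets)
    ]
    return ("kill", unlisted) if unlisted else ("pass", [])


# Constructed sample message body, not taken from real mail.
SAMPLE = (
    "Deals: http://203.0.113.9/offer and http://192.0.2.10:8080/x "
    "plus http://198.51.100.7.example.com/ and http://999.1.1.1/"
)

if __name__ == "__main__":
    print(classify(SAMPLE, ["192.0.2.0/24"]))
    print(classify(SAMPLE, ["192.0.2.0/24", "203.0.113.0/24"]))
```

Adding a range to `skip_list` after a false positive is confirmed flips the verdict for later mail from that block, which mirrors the "sort out FPs later" step.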

