On Wed, 16 Jan 2008, Matt Kettler wrote:

> Yes. In fact, IP based URLs occur more commonly in nonspam than spam.

Matt, yes this is correct, however in this particular case "nonspam" is perhaps a bit broad. It's been my experience that these almost always occur in mass marketing ham, not person-to-person ham. Perhaps I'm being :) pedantic, but I do feel it's a useful distinction, mainly depending on what OTHER tools one can deploy.

Jason, three potentially useful tactics are (listed in order of greatest ease-of-implementation and lowest risk):

- use IP to Nation tests
- apply John Rudd's Botnet algorithm (fantastic results!)
- skip list specific IP ranges, kill anything else on sight, sort out FPs later

Personally, I'm killing on sight, applying a bonus for nation, and using John's Botnet algorithm as part of my False Positives Hunting tool. Any detected FP-ing IP blocks are then added to the recipient's IP or domain skip list.

The main reason for that aggressive stance is that spammed raw IP URLs are often malware distribution points. A quick poll of my users produced complete agreement that the risk to non-sophisticated users is so high, that a 1-7 day delay is acceptable, given that these almost always occur in non-business marketing junk.

It really boils down to your userbase and your available tools.

- "Chip"
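
The third tactic in the message above (skip-list specific IP ranges, act on any other raw-IP URL), sketched as an added example that is not part of the original post or of any SpamAssassin rule set. The skip-list ranges, function names and sample bodies are constructed; it goes slightly beyond the post by also recognising hosts written as a single decimal or hex integer.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed per-recipient skip list: ranges cleared after a false-positive review.
SKIP_LIST = [ipaddress.ip_network("192.0.2.0/24"),
             ipaddress.ip_network("2001:db8:10::/48")]

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
INT_HOST_RE = re.compile(r"0x[0-9a-f]+|[0-9]+")


def host_as_ip(url):
    """Return the URL's host as an ip_address if it is a raw IP, else None."""
    try:
        host = urlsplit(url.rstrip(".,;)")).hostname
    except ValueError:          # malformed bracketed host
        return None
    if not host:
        return None
    try:
        return ipaddress.ip_address(host)   # dotted quad or IPv6 literal
    except ValueError:
        pass
    # Single-integer IPv4 form, e.g. http://3325256711/ or http://0xc0000201/
    if INT_HOST_RE.fullmatch(host):
        value = int(host, 16 if host.startswith("0x") else 10)
        if value < 2**32:
            return ipaddress.IPv4Address(value)
    return None


def raw_ip_urls(body):
    """Yield (url, ip) for each URL in the body whose host is a raw IP."""
    for url in URL_RE.findall(body):
        ip = host_as_ip(url)
        if ip is not None:
            yield url, ip


def verdict(body, skip_list=SKIP_LIST):
    """'clean': no raw-IP URL; 'skipped': all are skip-listed; 'kill': otherwise."""
    hits = list(raw_ip_urls(body))
    if not hits:
        return "clean"
    unlisted = [u for u, ip in hits if not any(ip in net for net in skip_list)]
    return "kill" if unlisted else "skipped"
```
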