Hi, I have an idea to discuss here with experts!

What is the main, MAIN difference between spam and ham? ... ...

Answer: spam is a "one way ticket" and ham is 99.99% "round trip"! (Legit notifications can be "one way ticket", but you can mark them as ham later.)

What do I mean? You never, never answer a spam message (or it is really strange). Average users, who someone said are stupid and more stupid when they are in front of a machine, also don't respond to a spammy message. At least if they are marked as spam.

So the idea is... in these days, where the ratio of spam/ham is about 80% (put the ratio you want, but be sure it is high enough), let's start by marking all incoming mail as spam! In past days, when the ratio of spam/ham was 5% or 10%, it was quite logical that the reverse was true. That is, all incoming mail was ham, and we tried with a lot of methods to extract or mark the bad emails! We spent 15 years (up to now) with the presumption-of-innocence analogy of "Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law". This approach is wasting a lot of resources because of the high spam/ham ratio!

Nowadays it's easier to invert the logic!

* mark all incoming mail as spam the first time
* check the spam folder always
* mark as ham... or (here is the relationship with the first question) ... just answer emails to the people you always communicate with, as you always did. Here you round the trip and legitimate the sender!

For this we need a modified version of the SA autowhitelist, not based on scores but on trusted or answered emails!

Flaws?

False positives... yes, ONLY the first time for each sender! Just answer your good mails and they'll become ham next time. Mails not answered (spam) remain as spam next and next and next!

False negatives... yes, if someone impersonates in the From: someone trusted by you (phishing). But this could be reduced using the same methods as the autowhitelist uses, keeping in a DB pairs of senders - IPs. Greylists also use DBs like this.

So, why do we have to waste resources on tons of rules, tons of Perl code, tons of regex if we know that 80% is spam? Let's mark all of them as spam and let this method work! Time to think of a new antispam paradigm!

Cheers
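The scheme proposed in the message above, as an added sketch that is not part of the original post and is not SpamAssassin code: every message is spam by default, and a sender - IP pair becomes ham only once the user has replied to a message that arrived from it. The names ReplyAllowlist, classify and record_reply, the /16 and /48 network grouping, and the choice to tie a reply to the Message-ID it answers are all assumptions of this example.

```python
import ipaddress
from email.utils import parseaddr


class ReplyAllowlist:
    """Default-spam filter: a (sender, network) pair is ham only after a reply."""

    def __init__(self, v4_prefix=16, v6_prefix=48):  # prefix lengths are assumptions
        self.prefix = {4: v4_prefix, 6: v6_prefix}
        self.pending = {}     # Message-ID -> (sender, network) of each received mail
        self.trusted = set()  # pairs legitimised by a reply from the user

    def _pair(self, from_header, relay_ip):
        sender = parseaddr(from_header)[1].lower()
        ip = ipaddress.ip_address(relay_ip)
        net = ipaddress.ip_network(f"{ip}/{self.prefix[ip.version]}", strict=False)
        return sender, net

    def classify(self, msg_id, from_header, relay_ip):
        """Return 'ham' only if this sender/network pair was answered before."""
        pair = self._pair(from_header, relay_ip)
        self.pending[msg_id] = pair
        return "ham" if pair in self.trusted else "spam"

    def record_reply(self, in_reply_to):
        """The user answered msg_id: trust only the pair that message came from."""
        pair = self.pending.get(in_reply_to)
        if pair is not None:
            self.trusted.add(pair)
        return pair is not None


def demo():
    # Constructed sample traffic (documentation addresses and IP ranges).
    wl = ReplyAllowlist()
    verdicts = [wl.classify("<m1@example.org>", "Alice <alice@example.org>", "192.0.2.10")]
    wl.record_reply("<m1@example.org>")  # user answers Alice: round trip completed
    verdicts.append(wl.classify("<m2@example.org>", "alice@example.org", "192.0.2.77"))
    # Forged From: arriving from an unrelated network stays spam.
    verdicts.append(wl.classify("<m3@example.org>", "alice@example.org", "203.0.113.5"))
    # A sender that is never answered stays spam every time.
    verdicts.append(wl.classify("<b1@example.net>", "bulk@example.net", "198.51.100.9"))
    verdicts.append(wl.classify("<b2@example.net>", "bulk@example.net", "198.51.100.9"))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Trusting only the pair behind the answered message, rather than every address the sender name was ever seen from, keeps a forged From: received before the reply from being allowlisted along with the real sender.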