Because some spammers are pretty dumb. Not all of course. Addresses are constantly being harvested. If you got a list of half a million addresses, are you going to vet all those? Oft times they'll just blast them out with a botnet and the ones that fail are just collateral damage. I think the goal is usually quantity over quality. Not being a spammer though, i could be wrong. <g>
Also, it may be that the domain wasn't in a blacklist when they botted it but gets put in pretty quickly via razor, pyzor, and various MTAs that report to RBLs. I've seen a dozen or so spam hit or server and w/in 15 - 20 minutes it'll be on someone's RBL. If it works for you, live it up. Those are just my thoughts - others here have a much more informed opinion I expect.... ...Kevin ________________________________________ From: Franck Martin [fmar...@linkedin.com] Sent: Wednesday, July 31, 2013 1:06 PM To: Kevin Miller Cc: Ralf Hildebrandt; <users@spamassassin.apache.org> Subject: Re: Creating new rules On Jul 31, 2013, at 10:08 PM, Kevin Miller <kevin_mil...@ci.juneau.ak.us> wrote: > Problem is, the from adddress is often a "Joe job" - i.e., a forged address, > so the domain mentioned there likely doesn't have anything to do with the > actual source of the mail. It seems to me that if the domain isn't the > actual source of he spam, it can be detrimental to be filtering on it, > particularly if Bayes is learning from it or your MTA auto-reports it to RBLs. > Why would they use a forged domain which is on a blacklist? I think they would tend to use a domain which is well known with good reputation. As well known domains are getting protected, then they have to move to use their own domain, which happens to appear on blacklist... Now as we move to IPv6, reputation will shift from an IP based type reputation, to a domain based type reputation. Unfortunately, spam assassin seems to be lacking some rules. Nevertheless, it does not matter, if it is the right or wrong direction, my question remains: how do I create such a rule?