> Don't 'Automatically' do anything! There will be exploits and people
> will find them. You need an example? Think Microsoft. If there was
> no Microsoft there'd be no viruses.
>
> And what if a virus is behind the server? Then you might whitelist
> virus and other evil addresses. Example: I could send an email as you
> from your server/pc to [EMAIL PROTECTED] and then I could send
> out millions of emails right under your nose. 'I' being a virus.

Whitelists are commonly used in commercial spam prevention systems. They are considered safer than blacklists because if somebody behind the wall has a virus and starts sending out e-mails you are letting more viruses through -- and not blocking domains potentially legitimate e-mails are coming from. The idea is that it is much worse to block a legitimate e-mail than to let a spam through. Think about it. It makes a lot of sense.

> Although all fields are easily spoofed, then what?
> What about emails sent to a user where they are in
> the Envelope-to: header?

There will be some that get through but the idea is to keep layered security. It's called stacking. Basically if you can prove there is a probability of 1 spam filter killing 60% of spam and another spam filter of killing 40% of spam, there will be something like an 80% or 90% success ratio. The number goes up the more filters you send. Most of the spams I see get through SpamAssassin have no To: [EMAIL PROTECTED]

> > 5. When all is said and done don't delete anything -- have
> > feedback and look to see what is common in spams which get
> > through and what is common in good mail that doesn't.
> >
>
> What about the .exe or .pif or .src or .bat etc... files?
> Who in the world needs to email those to you? Why not delete
> (or at least bounce them although then you may get mail loops)
> those so that they don't infect your system from a different folder?

That is a good idea but unfortunately there are users who e-mail .exe files (and similar). I would recommend implementing this only if you inform your users of server policy and you really need the extra security. For the most part as soon as one virus comes out you can grab some of the text of what's in it to increase the probability of catching it. Of course, there are other ways to do things. There are things known as naive Bayesian filters which will significantly increase the efficiency of the spam filter.

And, again, stacking: use SpamAssassin with any other free spam filter you can get. Remember it is important to throw data into Quarantined folders. That way if a user doesn't get an e-mail they can be told, "It's not our fault. We put it in the suspicious / possible virus folder and you didn't look through it before deleting the contents to make sure nobody accidentally got sent there."

The other thing to mention is that if you create your own spam filter it will be by definition much more efficient than a publicly available filter. Spammers know SpamAssassin exists and grab a copy to send and resend spams until they know the spams will go through. Just don't release the code to your spam filter.

The other thing you can do is use your whitelist to file all e-mails. Nothing that comes in my Inbox is usually important -- because everyone who is important is in another folder. So I can just concentrate on looking for new emails under subfolder Important Items -- and not inbox.

I digress though. E-mail me privately if you want some papers on spam filters. I've got a dozen or so kicking around on my hard drive about the math behind spam filters and comparisons of various spam filters.

-Dan
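
The layering discussed in this thread, as an added example that is not part of the original message and is not SpamAssassin code: an attachment policy, a whitelist used only for filing, and a small naive Bayes scorer, with suspicious mail quarantined rather than deleted. The addresses, extension list, training text, folder names and threshold are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample data: addresses, extensions and training text are assumptions.
WHITELIST = {"alice@example.org"}
RISKY_EXT = (".exe", ".pif", ".scr", ".bat")
SPAM = ["cheap pills buy now", "win money now click here", "buy cheap watches now"]
HAM = ["meeting notes attached for review", "lunch on friday",
       "patch review for the mail server"]

def tokens(text):
    return re.findall(r"[a-z']+", text.lower())

class NaiveBayes:
    """Word-level naive Bayes with add-one (Laplace) smoothing."""
    def __init__(self, spam_docs, ham_docs):
        self.spam = Counter(t for d in spam_docs for t in tokens(d))
        self.ham = Counter(t for d in ham_docs for t in tokens(d))
        self.vocab = set(self.spam) | set(self.ham)
        self.prior = math.log(len(spam_docs) / len(ham_docs))

    def spam_probability(self, text):
        v, n_s, n_h = len(self.vocab), sum(self.spam.values()), sum(self.ham.values())
        log_odds = self.prior
        for t in tokens(text):
            if t in self.vocab:  # words never seen in training carry no evidence
                log_odds += math.log((self.spam[t] + 1) / (n_s + v))
                log_odds -= math.log((self.ham[t] + 1) / (n_h + v))
        return 1 / (1 + math.exp(-log_odds))

def triage(msg, model, threshold=0.9):
    """Return (folder, reason). Every branch files the message; none deletes it."""
    # Layer 1: attachment policy runs first, so an infected whitelisted sender
    # (or a spoofed whitelisted address) cannot bypass it.
    if any(a.lower().endswith(RISKY_EXT) for a in msg.get("attachments", [])):
        return "Quarantine", "risky attachment"
    # Layer 2: the whitelist only decides filing, because sender fields are spoofable.
    if msg["sender"].lower() in WHITELIST:
        return "Important", "whitelisted sender"
    # Layer 3: statistical score on subject and body.
    score = model.spam_probability(msg["subject"] + " " + msg["body"])
    if score >= threshold:
        return "Quarantine", "bayes score %.2f" % score
    return "Inbox", "bayes score %.2f" % score

if __name__ == "__main__":
    model = NaiveBayes(SPAM, HAM)
    mail = {"sender": "alice@example.org", "subject": "hi", "body": "see file",
            "attachments": ["invoice.PIF"]}
    print(triage(mail, model))
```

Reviewing what lands in Quarantine and retraining the scorer on it is the feedback loop from point 5 of the quoted text.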