Kami, the only reason I mentioned PayPal to Matt was because I figured he would be tracking FPs regarding his Obfuscation test. The PayPal message in question here did get delivered without user intervention; however, it was not due to PayPal being whitelisted.

I don't like to whitelist anything except "TO" addresses, since anything else that is whitelisted can be abused, including RDNS. Instead, we apply a high enough negative weight to three primary filter tests (HELO, RDNS & MAILFROM) to trusted mailers so that they will generally pass with an acceptable weight and get delivered without user intervention; however, anything sent by a spammer abusing these trusted mailer addresses will still likely get caught because they probably will not pass all three of these primary tests, and will most likely fail other JunkMail tests, as well.

When something is whitelisted, no other tests can be run against these messages and they simply get delivered, no matter what. However, if you instead apply a minimal negative weight to multiple tests, forged e-mail will still likely get caught and not delivered.

Using PayPal as an example, if you whitelist RDNS, or MailFrom, or HELO, etc., if a spammer happens to forge their messages using any of these, their spam gets delivered, no matter what other tests it might have failed. However, if you instead apply minimal negative weights like:

    MAILFROM -5 ENDSWITH .paypal.com
    REVDNS -5 ENDSWITH .paypal.com
    HELO -5 ENDSWITH .paypal.com

This gives legitimate PayPal e-mail a total negative of -15, which will most likely allow it to be delivered, even if it fails a couple of other tests. However, the likelihood of a spammer being able to successfully meet all three of these criteria is highly unlikely, and even if they did, there are still all of the other spam tests that JunkMail supports that we can run against these messages and still probably block its delivery.

It basically gives a fighting chance against forging spammers who attempt to abuse spam-test whitelists.

Just my 2 cents...
Bill

----- Original Message -----
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, September 14, 2003 6:04 PM
Subject: RE: [Declude.JunkMail] OBFUSCATION filter

> Bill:
>
> We have a lot of these well known sites in our whitelist as REVDNS.
>
> WHITELIST REVDNS .paypal.com
>
> Paypal has been there for ages, same with eBay, IBM, Oracle, etc. The
> REVDNS is almost foolproof way of letting paypal come through without
> worrying about anything.
>
> Regards,
> Kami
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Sunday, September 14, 2003 3:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] OBFUSCATION filter
>
>
> Just an FYI, I've added:
>
> MAILFROM -7 ENDSWITH paypal.com
>
> to the "Test Exclusions", as it was flagged by the Obfuscation test.
>
> Bill
> ----- Original Message -----
> From: "Matthew Bramble" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, September 14, 2003 12:27 PM
> Subject: Re: [Declude.JunkMail] OBFUSCATION filter
>
>
> > Thanks Bill. And I've got a few more in me I believe :)
> >
> > Matt
> > ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
> just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
> Declude.JunkMail". The archives can be found at
> http://www.mail-archive.com.
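
The trade-off argued in the message above (a whitelist on one field versus small negative weights on MAILFROM, REVDNS and HELO), as an added example that is not part of the original thread and is not Declude JunkMail code. Only the three -5 ENDSWITH rules come from the message; the hold threshold, the positive test weights and both sample messages are constructed assumptions.

```python
# Added illustration, not Declude JunkMail code. Only the three -5 rules come
# from the thread; HOLD_WEIGHT, the positive weights and the sample messages
# below are constructed assumptions.
HOLD_WEIGHT = 10  # assumed: total weight at or above this is held as spam

TRUSTED_RULES = [  # (field, weight, required suffix), as given in the thread
    ("mailfrom", -5, ".paypal.com"),
    ("revdns", -5, ".paypal.com"),
    ("helo", -5, ".paypal.com"),
]

def total_weight(msg, rules):
    """Sum of negative credits earned plus weights of all failed spam tests."""
    credit = sum(w for field, w, suffix in rules
                 if msg[field].lower().endswith(suffix))
    return credit + sum(msg["failed_tests"].values())

def weighted_verdict(msg):
    """Negative-weight approach: every test still counts toward the total."""
    return "hold" if total_weight(msg, TRUSTED_RULES) >= HOLD_WEIGHT else "deliver"

def whitelist_verdict(msg, field, suffix=".paypal.com"):
    """Whitelist approach: a match on one field skips all other tests."""
    if msg[field].lower().endswith(suffix):
        return "deliver"
    return "hold" if total_weight(msg, []) >= HOLD_WEIGHT else "deliver"

# Constructed sample: real mailer, trips two content tests (false positives).
LEGIT = {
    "mailfrom": "bounce@mail.paypal.com",
    "revdns": "mx1.paypal.com",
    "helo": "mx1.paypal.com",
    "failed_tests": {"OBFUSCATION": 8, "OTHER_TEST": 4},
}
# Constructed sample: forged envelope sender only; rDNS and HELO do not match.
FORGED = {
    "mailfrom": "service@secure.paypal.com",
    "revdns": "host-203-0-113-7.example.net",
    "helo": "localhost",
    "failed_tests": {"OBFUSCATION": 8, "OTHER_TEST": 4, "BLOCKLIST": 6},
}

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("forged", FORGED)):
        print(name, total_weight(msg, TRUSTED_RULES), weighted_verdict(msg),
              "| whitelist on MAILFROM:", whitelist_verdict(msg, "mailfrom"))
```

Note that a suffix of `.paypal.com` only matches senders at a subdomain; an address ending in `@paypal.com` would need the suffix written without the leading dot, as in the earlier `MAILFROM -7 ENDSWITH paypal.com` line.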
