I was wondering about things like this. As I understand it, each of the rules are scored individually based on how many times they occur in the corpus. Are the rules combined in anyway.
What I'm saying is, shouldn't seeing an unsubscribe in an email count a whole lot less if the header isn't forged. I don't quite know how this could be done, but should there be something like a faked header threshold and really concentrate on writing rules that mark a header as bad, or is in one of the blackhole lists, or razor then adjust the other scores accordingly. In good header mode, cut the body scores in half or something like that. Mailing lists like the New York Times or Lockergnome might have lots of spammy things in the body, but there doesn't seem to be any reason the headers should look forged. Maybe something like how spamcop finds chain errors in the received headers. If they still have screwy thing in the header, then oh well, that's what the whilelists are for. And since I'm in wouldn't it be nice mode, a cool long term goal would be to have some sort of self adjusting going on and a feedback mode. If something is a false positive, you can feed it into a command which starts to adjust your scores accordingly based on what sorts of things match and creates a local adjustment file. It would be nice too if there was a better way to feed missed spams in too, something like the -r mode submits something to Razor. I would expect that as spammers get wise to the filters, the mutations will be faster, so it would be cool if the filters could adapt, much like new viruses have new anti-virus files to download. Kerry. Jason wrote: > I know that SA detects for variations on unsubscribe but it could do a > whole lot more. Of course that steps on legit lists the more it tightens > up. > > My thought is the majority of good mailing lists come through with the > unsubscribe note and either... > > 1. Contain the proper headers for removal in the message. > 2. The domain of the unsubscribe email address matches in either the to > or the from of the message (maybe CC in some cases). > > Would it be worth it to look more closely for unsuscribes and then compare > that to where the message came from/sent to? > > Just wondering if thats a good idea. > > Jason Portwood > [EMAIL PROTECTED] > > > > > > > > > --__--__-- _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
