Seems to me that coming up with rules to match on multiple received lines would be the key... Although it's still forgeable, you can probably do quite a bit of analysis on it, such as it having to go through two of ebay's servers for an ebay email, and the dates, etc.
These rules could be even more powerful when combined with local configuration. i.e. if you have a single local mail server, you might say "email from ebay has to go through two ebay servers, and the server right after ebay has to be the last one, and it has to be ours". Not sure how you'd configure that reasonably though. Or more simply - "traversing received from most recent to latest must start with local servers (if any) and then pass through ebay servers" for ebay mailings. Since the last received line can't reasonably be forged, this would be hard to get past. It wouldn't be as high a score as whitelisting, but it certainly could help the GA based scores.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail: [EMAIL PROTECTED]
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216

> -----Original Message-----
> From: Michael Moncur [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 15, 2002 7:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] Weird false negative...
>
> > I think the 60_whitelist.cf file really needs to go away. Forged
> > @ebay.com, @paypal.com, and @amazon.com addresses are becoming
> > all too common in spam...
>
> Or maybe there's a way to whitelist on Received: headers rather than From:
> headers? I know these can be forged too, but I doubt spammers bother.
>
> --
> michael moncur   mgm at starlingtech.com
> http://www.starlingtech.com/
> "My sources are unreliable, but their information is fascinating."
>   -- Ashleigh Brilliant

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
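
One way to express the path rule discussed in this thread (local servers first, then only the sender's servers), as an added Python example; it is not code from SpamAssassin or from either poster. It assumes sendmail/Postfix-style `from HELO (RDNS [IP]) by HOST` Received lines and that the receiving server forward-confirms the reverse-DNS name it records; `check_path`, its parameters and the `local.example` / `sender.example` hosts are hypothetical and constructed.

```python
import re
from email import message_from_string

# Assumed Received layout: from HELO (RDNS [IP]) by HOST ...
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
                 r"\s+by\s+(?P<by>\S+)", re.S)

SAMPLE = (  # constructed message, not taken from the thread
    "Received: from mx2.sender.example (mx2.sender.example [192.0.2.20])"
    " by mail.local.example with ESMTP; Wed, 15 May 2002 08:01:02 -0500\n"
    "Received: from app1.sender.example (app1.sender.example [192.0.2.21])"
    " by mx2.sender.example with ESMTP; Wed, 15 May 2002 08:01:00 -0500\n"
    "From: notices@sender.example\nSubject: test\n\nbody\n")

def in_domain(host, suffixes):
    host = host.lower().rstrip(".;")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def check_path(raw, local, sender, min_sender_hops=2):
    """Walk Received headers newest-first: local hops, then only sender hops."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m:
            return False, "unparseable Received header"
        hops.append(m.groupdict())
    # Skip internal relays. A header is only believed if the hop above it was
    # handed over by one of our own servers, so a forged "by local" line fails.
    i = 0
    while (i < len(hops) and in_domain(hops[i]["by"], local)
           and in_domain(hops[i]["rdns"], local)):
        i += 1
    if i == len(hops) or not in_domain(hops[i]["by"], local):
        return False, "no handoff recorded by a local server"
    edge = hops[i]
    # Judge the handoff by the name our server looked up, not the HELO string.
    if not in_domain(edge["rdns"], sender):
        return False, "handoff host %s is not a sender server" % edge["rdns"]
    # Everything older than the handoff must claim to be a sender server.
    older = hops[i + 1:]
    if any(not in_domain(h["by"], sender) for h in older):
        return False, "non-sender hop before the handoff"
    # Sender servers seen: the handoff host plus each older 'by' host.
    if 1 + len(older) < min_sender_hops:
        return False, "only %d sender hop(s)" % (1 + len(older))
    return True, "ok"
```

Only the handoff header written by the local server is trustworthy here; the older sender-side headers are checked for consistency but could still be fabricated by a host that really does sit in the sender's domain.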