On Sun, 7 Jul 2002, Andrew Kohlsmith wrote:

> > There are really only two ideal spam indicators:
> >
> > (1) Who sent it.
> > (2) What proportion of the people who got it, didn't want it.
> >
> > Unfortunately there's no way to directly apply either of those criteria.
> 
> Not true, and you just gave me an idea.

"Not true" how?  There's no way to reliably identify the sender of a spam
-- if you really can identify the sender, chances are it's not spam -- and
until after it's been received you can't know who wanted it ...

> For both the ISP I help at and also the company who pays my bills there
> is a large amount of spam which is sent to a large number of people at
> the same domain.  Now I know SA has tests for "similar" email addresses
> but IIRC it only checks the user part of the address [...] -- perhaps
> another test that checks the other end?

There's SUSPICIOUS_RECIPS, which checks for the same right-hand-sides, and
VERY_SUSP_RECIPS which checks for similar left-hand-sides, and then the CC
versions of both of those.  SUSPICIOUS_RECIPS actually has a negative
score in 2.31, but SUSPICIOUS_CC_RECIPS is a fairly high positive.

Lately I've seen some spam that mixes the recipients to avoid the
VERY_SUSP* rules, e.g. I got one that was To: bart@..., dan@...,
barts@..., dave@..., bert@..., doug@...

> OT: is it possible to add a configuration option which lists the domain
> mailservers and their IPs?  And add a test which scores rather highly
> for mail claiming to come from domain.dom but which isn't actually from
> one of the mailservers for domain.dom?

It would be possible to add such a test; but it's pretty common to have
different servers for inbound and outbound mail, and also pretty common
(ever since the IP space started getting parceled out to ISPs instead of
directly to domain registrants) for reverse lookups to be wrong.  Further,
with the advent of DSL mailboxes and outsourced mail from providers such
as CriticalPath, it's not uncommon for a legitimate From: address to have
almost nothing to do with the mail servers that delivered the mail.  (For
example, my home mail says it's from brasslantern.com, but gets delivered
through servers at my unrelated DSL ISP.)  So it might be a pretty
effective *non-spam* indicator if you could track the sender backwards,
but it wouldn't be a very good spam indicator if you could not.



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
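As an added example (not code from the SpamAssassin project or from anyone in this thread), here is a Python sketch of the recipient-similarity idea behind SUSPICIOUS_RECIPS and VERY_SUSP_RECIPS, with the left-hand sides sorted before comparison so that the interleaved ordering described in the message (bart, dan, barts, dave, ...) no longer hides the similar names. The header values, function names and thresholds are constructed for illustration and are not SpamAssassin's own rules or scores.

```python
from email.utils import getaddresses

# Constructed sample headers (not real addresses). SPAM_TO mirrors the
# interleaved "bart, dan, barts, dave, bert, doug" pattern from the message.
SPAM_TO = ("bart@example.com, dan@example.com, barts@example.com, "
           "dave@example.com, bert@example.com, doug@example.com")
HAM_TO = "alice@example.com, bob@example.org, carol@example.com, dan@example.net"

def parse_recipients(header_value):
    """Return lowercase (local_part, domain) pairs from a To:/Cc: value."""
    pairs = []
    for _name, addr in getaddresses([header_value]):
        if "@" in addr:
            local, domain = addr.lower().rsplit("@", 1)
            pairs.append((local, domain))
    return pairs

def common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def adjacent_similarity(local_parts, min_prefix):
    """Fraction of neighbouring local parts sharing >= min_prefix characters."""
    pairs = list(zip(local_parts, local_parts[1:]))
    if not pairs:
        return 0.0
    hits = sum(1 for a, b in pairs if common_prefix_len(a, b) >= min_prefix)
    return hits / len(pairs)

def recipient_similarity(header_value, min_recips=4, min_prefix=2):
    """Shared right-hand side plus similar left-hand sides; the left-hand
    sides are sorted first so interleaving cannot hide the pattern."""
    recips = parse_recipients(header_value)
    result = {"recipients": len(recips), "same_domain": 0.0,
              "adjacent_raw": 0.0, "adjacent_sorted": 0.0, "suspicious": False}
    if len(recips) < min_recips:
        return result
    domains = [d for _, d in recips]
    top = max(set(domains), key=domains.count)
    locals_ = [l for l, _ in recips]
    result["same_domain"] = domains.count(top) / len(domains)
    result["adjacent_raw"] = adjacent_similarity(locals_, min_prefix)
    result["adjacent_sorted"] = adjacent_similarity(sorted(locals_), min_prefix)
    # Illustrative thresholds, not SpamAssassin's scores.
    result["suspicious"] = result["same_domain"] >= 0.75 and result["adjacent_sorted"] >= 0.3
    return result
```

For SPAM_TO the raw ordering scores 0.0 while the sorted ordering scores 0.4, which is exactly the gap the interleaving exploits.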