Re: [Exim] Opinions sought: Most effective spam reductiontec…

Top Pagina
Delete this message
Reply to this message
Auteur: Jethro R Binks
Datum:  
Aan: exim-users
Onderwerp: Re: [Exim] Opinions sought: Most effective spam reductiontechniques
On Tue, 17 Aug 2004, David Woodhouse wrote:

> On Tue, 2004-08-17 at 13:01 +0100, warren, anthony wrote:
> > Hi all,
> >
> > After some testing with SMTP sender verify callouts and getting mixed
> > results from that method, I am keen to explore other Spam reduction
> > techniques.
> >
> > My organisation is concerned with the risk of false positives. For those
> > that use spam reduction techniques - how do you cope with the risk of FP's ?
>
> I throw out all messages without a Message-Id: header. RFC2822 says you
> SHOULD have one, and a lot of crap lacks it, especially virus messages.
> There are some false positives, but only from broken software. It's
> always fixable.


This caught my eye, because it was brought to my attention just recently
that Outlook 2003 stopped adding a Message-ID header to Internet email.

[According to reports, it was allegedly because of security concerns
raised by people that the Message-ID: header included the real hostname of
the machine and that's a risk. Or some such nonsense (what about the
Received: headers then?).]

Anyway, aside from issues like an MUA like Outlook should be submitting
mail to the Internet through an MSA which should be fixing up a lack of
Message-ID: header, it seems from what you say David that you'd be
refusing mail from any user of the relevant Outlook version.

While I agree that the RFC does specify that there SHOULD be a Message-ID:
header, it is not strictly a violation to not have one. I also think that
while "no Message-ID: header" may be used as an indicator of spam, it is
not reliable enough on its own, and should be used in combination with
other factors. [In my case recently, one of my users' mail was being
rejected by one site as they considered the lack of a Message-ID: header
to be a sure sign of spam, which I disputed].

Going back the original poster's question about fear of false positives -
I personally prefer the workload of dealing with the occasional false
positives (for many reasons) than that of dealing with all the resultant
crud of not having the protections in place that I do (many of which David
mentions). At an organisational level, I spend far less time as an
individual dealing with those FPs than the cumulative total of the rest of
the organisation's personnel would in dealing with what they received
without the measures, so I claim it as a win-win all round.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK