From: Thomas A. M. <to...@xa...> - 2003-04-22 01:09:27
> Why not use razor?
>
> Write a new filter type, which returns only the URLs from the mail
> (actually, you might restrict that to the last 2 or 3 components of the
> hostname to get rid of tracking numbers in the URL). Each URL is
> checked separately, just like the checksums for each part in a multipart
> MIME message are now.

You might want to consider treating the set of URLs as a pattern to be
used in the matching. When they are blasting out thousands of emails they
may change some things, but the basic functionality of the page will
remain constant. This way, when cnn.com is mentioned, not everything with
cnn.com gets classified as spam, just the mail with the set, or maybe a
subset, of URLs that have been reported.

A subset may be needed because a good spam source would change things as
it goes, so the mails could each have references to 1 of 100 clean sites.

Yes, a new type may be needed, since we're not hashing a portion of the
message but looking at specific triggers (http:// ?). We could also
consider converting dotted IP, hex IP, and domains to a common form so
they can be detected together.

----- Original Message -----
From: "Peter J. Holzer" <hj...@hj...>
To: <raz...@li...>
Sent: Monday, April 21, 2003 2:47 PM
Subject: Re: [Razor-users] Re: [SAdev] New blacklisting ideas based on what smam links to
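
A rough sketch of the URL-set idea discussed above, in Python rather than
Razor's own code. It is not an actual Razor filter type: the function names
(normalize_host, url_set, matches_report), the URL regex, and the
min_shared threshold are all hypothetical choices made for illustration.
It pulls the URLs out of a mail body, reduces each hostname to its last
few components, folds single-integer hex and decimal IP spellings into
dotted form, and then compares the resulting set against a reported set.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical trigger pattern: anything that starts with http:// or https://
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def normalize_host(host, keep=2):
    """Map a hostname or IP spelling to one comparison key.

    Only whole-address hex (0x7f000001), whole-address decimal
    (2130706433), and plain dotted-quad forms are folded together here;
    other obfuscations (e.g. per-octet hex) are not handled.
    """
    host = host.lower().rstrip(".")
    try:
        if re.fullmatch(r"0x[0-9a-f]+", host):
            return str(ipaddress.IPv4Address(int(host, 16)))
        if host.isdigit():
            return str(ipaddress.IPv4Address(int(host)))
        return str(ipaddress.IPv4Address(host))
    except ValueError:
        pass  # not an IP address, treat as a domain name
    # Keep only the last `keep` labels to drop tracking subdomains.
    return ".".join(host.split(".")[-keep:])


def url_set(body, keep=2):
    """Return the set of normalized hosts linked from a mail body."""
    hosts = set()
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
        except ValueError:
            continue  # malformed URL, skip it
        if host:
            hosts.add(normalize_host(host, keep))
    return frozenset(hosts)


def matches_report(mail_hosts, reported_hosts, min_shared=2):
    """Match on a subset: require at least `min_shared` hosts in common.

    The threshold is an assumption; it keeps a single shared clean site
    (such as cnn.com) from flagging a mail on its own.
    """
    return len(mail_hosts & reported_hosts) >= min_shared
```

With a reported set built from a spam sample, a mail that links only to
cnn.com shares one host and is left alone, while a variant of the spam
that changes its tracking subdomain and IP spelling still shares enough
hosts to match. A fixed count is the simplest subset rule; a ratio of
shared to reported hosts would be an equally plausible choice.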