
Re: no challenge, but should spammers be blacklisted?

2005-08-01 16:16:48
On Wed, Jul 27, 2005 at 08:15:37PM +0200, Ruud H.G. van Tol wrote:

> Lloyd Standish wrote:
>
>> I am working to replace my current challenge-response system
>> with a procmail-powered whitelist scheme without challenges.
>> This will require daily review of a log of mails from
>> non-whitelisted addresses, and the temptation is to blacklist
>> the sender address of every message identified positively as
>> spam.
>
> What would you define as the "sender address"?
>
> You could go for the same triple as greylisting uses:
>
>   {SERVER-IP, SMTP-MAIL-FROM (=Sender), SMTP-RCPT-TO
>   (=Recipient)}
>
> and treat every new triple as a potential spammer. Deliver a
> report of a stalled message to the Recipient(s) and let them
> click on Block / Maybe OK / Accept where Block will insert the
> triple into the blocklist, Accept will insert the triple into the
> greenlist and deliver the message, and Maybe OK will only deliver
> the message but not change any list.

That's a fine approach, and one I have kept at the ready for
the case where I might need it.  But for the last 1.5 years I
have done really quite well with just what Lloyd spoke about
above, using only the Return-Path address.  I keep my own address
out of there, because that's one thing the spammers (and worms)
love to forge.  But otherwise, this method does work.

My whitelists build themselves from new, clean mail that gets
through my labyrinth without any blemishes whatever; or from
mail that I manually send through the list-builder with one
command-line alias.  I vet "candidates" with a script I run
a few times a week when I think about it.  Usually there are
anywhere from zero to a half-dozen names to view, to which I use
one keystroke to either accept (activate in the whitelist); skip
temporarily (might want to think about who that really was, in case
I had a false negative recently, which btw I'm not having much of
at all these days); or delete.  My whitelisted addresses are
hashed as filenames, rather than collected *inside* files.
It's a very nice, easy, and easy-to-manipulate system.  They
self-expire after, I think it is (I haven't looked at the cron job
in a while) 90 days if they haven't been touched (/usr/bin/touch,
not "tactile-" touched).  I also have a fourth keystroke choice
to populate the address "permanently," which, for me, means for
one year.

Dallman

____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
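
The whitelist layout described in the message above (addresses hashed as filenames, refreshed with touch, expired by a cron job after 90 days, the owner's own address kept out), sketched as an added example that is not Dallman's script or part of the original post. The SHA-256 naming, `WL_DIR`, `MY_ADDR`, `WL_MAX_AGE_DAYS` and the function names are assumptions, and `sha256sum` from GNU coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example: one empty file per whitelisted address, named by hash.
# Assumptions (not from the post): WL_DIR, MY_ADDR, SHA-256, function names.
WL_DIR="${WL_DIR:-$HOME/.whitelist}"
MY_ADDR="${MY_ADDR:-me@example.org}"        # constructed placeholder address
WL_MAX_AGE_DAYS="${WL_MAX_AGE_DAYS:-90}"

# Normalise an envelope sender: strip <>, whitespace and CR/LF, lowercase it.
wl_norm() {
    printf '%s' "$1" | tr -d '<> \t\r\n' | tr 'A-Z' 'a-z'
}

# Map an address to a filename. Because only the hex digest is used as a
# name, hostile characters in a forged Return-Path ("/", "..") never
# reach the filesystem.
wl_key() {
    wl_norm "$1" | sha256sum | cut -d' ' -f1
}

# Activate an address. Refuses an empty address (status 2) and the
# owner's own address (status 3), since that one is commonly forged.
wl_add() {
    addr=$(wl_norm "$1")
    [ -n "$addr" ] || return 2
    [ "$addr" = "$(wl_norm "$MY_ADDR")" ] && return 3
    mkdir -p "$WL_DIR" && : > "$WL_DIR/$(wl_key "$addr")"
}

# Succeeds if the address is whitelisted. A hit refreshes the mtime, so
# active correspondents never age out.
wl_check() {
    f="$WL_DIR/$(wl_key "$1")"
    [ -f "$f" ] && touch "$f"
}

# Cron job body: drop entries untouched for more than WL_MAX_AGE_DAYS days.
wl_expire() {
    find "$WL_DIR" -type f -mtime +"$WL_MAX_AGE_DAYS" -exec rm -f {} +
}
```

A procmail recipe can call `wl_check` on the Return-Path address and use its exit status as the condition; `wl_expire` is the part that belongs in cron.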
