> -----Messaggio originale-----
> Da: Marc Perkel [mailto:marc@perkel.com]
>
> A little play on words spoofing "A plan for spam".
>
> I have been testing a new technique for detecting ham that is working
> quite well. It's nearly (or possibly at) 100% accurate in that what it
> identifies is ham.
>
> First of all you get a verified RDNS lookup on the host. Verified means
> that you do a reverse lookup and then look up the host name to see if
> it
> resolves to the same IP that you looked up. That's something spammers
> can't spoof. Then you separate the name at the registrar barrier and
> look up that name from a list of host domains that never send spam. For
> example, all hosts that end in apache.org are considered spam.
>
> This idea is different that an IP based whitelist in that you are
> really
> whitelisting based on a list of blessed host names rather than just
> unnamed IP addresses.
>
> Also - a dynamic whitelist could be generated in the fly if someone
> could write a custom DNS server. Here's how it would work. You send a
> request about an IP address. If the server doesn't already know the IP
> then it does a reverse DNS to get the name and them looks up the name
> to
> verify the name resolves to the same IP address. If it does you then
> break the name at the registrar barrier and do a lookup to see if the
> name is on the blessed list. If it is you return a cude indicating it
> is
> whitelisted and you cache the IP of the lookup.
>
> The master list of blessed host names could be dynamically generated by
> some sort of automated reputation system where ham and spam are
> reported
> by IP address from some trusted sources. Those domains that are
> consistently producing nothing but ham make the list.
>
> The advantage of this is increased accuracy and lower system load.
> Domains that are whitelisted need not be further tested and can be
> instantly classified as ham and fed into the bayes learner. This should
> greatly reduce false positives.
>
> Who likes this idea?


This is basically a whitelist based on negative results from the BOTNET
plugin.

Which means you are going to reduce FPs when the botnet plugin says it's not
spam. Now, the botnet plugin (due to its high default scoring) is one of the
most important FP sources, thereby, when it doesn't says 'this is spam',
there are really few FPs left by other rules.

You are, however, going to increase FNs a lot: many spam ships from
legitimate servers (perhaps hacked).

In summary: I personally don't find this idea useful. You may prove me
wrong, anyway...

Giampaolo