From: Charles Lindsey (chl@clw.cs.man.ac.uk)
Date: Mon Sep 11 2000 - 08:02:33 CDT
In <yl1yys37cx.fsf@windlord.stanford.edu> Russ Allbery <rra@stanford.edu> writes:
>> Can you give me an example of such a cookie? Do they have the syntactic
>> form of an FQDN or an IP address?
>Sure. From my current dynamic spam filter, here's an excellent example:
>NNTP-Posting-Host: !^n=[1k-Y6Rq8'HG]aa3EF<4_ (Encoded at Airnews!)
Now that is real ugly. Can you give us a breakdown?
I think that posting-host should be something that is immediately
recognisable to a human (and also to a machine) - i.e. an FQDN or IP. If
more specific imformation is to be conveyed, then I think a
posting-account is the right thing (that can be in a notation which may only
be understood by the ISP - just so long as it always contains the same
string for the same account). But putting it in a separate posting-account
field means at least that a human can understand what it is there for.
Then you filter on posting-host, or posting-account, or more likely both,
according to what you are trying to achieve.
>The purpose of most NNTP-Posting-Host filtering is to dynamically adjust
>to and start rejecting spam. The way this is done is by using rate
>limiting on particular NNTP-Posting-Host content, generally combined with
>the number of lines in the article to not get false positives from
>off-line readers and similar bursts of posting.
OK, are we talling about filtering at a relaying agent or at a serving
agent? If the latter, then what happens to the stuff coming in faster than
the acceptable rate. Is is dropped, or is it delayed in some manner?
>> And presumably, if you are trying to filter out a particular site, you
>> will first observe what that site's injector currently put in,
>No, it's done automatically by the spam filter without any human
>observation.
No, some human must have written the entry in the spam filter, having
observed that a given site was in the habit of injecting spam, and having
observed what it was putting in its NNTP-Posting-Host field. Or are you
saying that the filter observes all posting-hosts on the network,
discovers which of them have high rates, and constructs the filter
automatically?
-- Charles H. Lindsey ---------At Home, doing my own thing------------------------ Email: chl@clw.cs.man.ac.uk Web: http://www.cs.man.ac.uk/~chl Voice/Fax: +44 161 437 4506 Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5