On Tue, 2011-07-26 at 08:53 -0500, Ace... wrote: > So now, after some serious debate; what consensus conclusions can we draw? > > 1. Do we now think that, in fact, WineHQ is NOT a major source of spam? > It still is a source of spam, though not a huge source. My count, for the last week, says: July 20 - 1 July 21 - 2 July 22 - 4 July 23 - 0 July 24 - 1 July 25 - 3 July 26 - 11 (so far at 16:00 PM GMT - my spam filter caught 7 of these) All of this is genuine spam: I've read all of them. Today is unusual: the spam rate for the first six days is more typical. > 2. Could it still be the case (hence the isp block)? > My ISP uses greylisting. Before its implementation 80% of my mail was spam. Post implementation its about 8%. The stuff I'm trapping is what gets through the greylister. > 3. Could it be that WineHQ WAS a major source of spam, and was therefore blacklisted, and remains so? > (the latter: it used to be the case that blacklisting only lasted two or three months) > I'd say that a day like today would be more than enough to get WineHQ reported to at least one or more public blacklists and/or ISP's private blacklists. Caveats: - nobody is getting this spam unless they are subscribed to a Wine mail list, which will probably limit those who report it to a blacklist to casual users who think unsubscribing is more effort that getting it blacklisted. - Spam received from WineHQ mail lists is quite hard to trap: since the Codewaevers MTA sends direct to subscribers' ISPs or MTAs, the usual set of headers that trigger many Spamassassin rules are absent, so almost all that can be used to trap this spam is the body content. Writing general rules to catch this spam without getting false positives on legit. Wine user messages is very difficult. In general its a case of playing wack-a-mole by building lists of the URLs they're advertising. Simply doing URIBL lookups on the Wineusers output message stream to check the URLs in the subject line and body may catch a lot of it. IMO that would be worth a try, anyway. > 4. Could it be that WineHQ was never a major source of spam? > Not the case. See above. > We have already identified the 'repeated word' bug, in the subject line..... > .... in fact I've just had another look at the email. > Unlikely, I think. I've never seen a standard Spamassassin rule that triggers on arbitrary repeated words. If any did, they'd be looking for words that were specific to the stuff being advertised, not something as neutral as 'Forum' Martin