On Thursday, August 12, 2004, 12:53:26 PM, Rob McEwen wrote:
As for my own server, rather than turning parsing of headers "off", I'm currently doing a test where I SURBL-check headers ONLY if the SURBL-checking of the body doesn't get marked as spam. Next, if the body of the message is "clean" and the header gets checked, I'm saving ALL of these into a special folder where I can investigate for myself the benefits/drawbacks using real-world data. I understand that this is not the prescribed way to use SURBL... but, even if I don't like the results, this may be beneficial as a "flagging" or "scoring" system where I could then allow these particular messages through, but have them handy to see what is not getting blocked by other filtering.
Seems like a reasonable thing to try, at least for curiosity's sake, but I think for the long-term or for a server with many users, checking only message bodies is definitely the preferred way.
Headers are too easily and too often forged. While there's a disincentive to forge URLs or add legitimate ones into a message body since those would distract the human reader, in contrast there's an incentive to put legitimate domains in headers to try to fool automated or human header checking. So the potential for FPs is much greater and the incentives are wrong for checking on headers.
Cheers,
Jeff C.
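
The body-first, header-as-flag flow discussed in this message, sketched as an added example that is not part of the original thread or of any SURBL software. The function names, the `is_listed` stand-in for a SURBL lookup, the simplified regexes and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Host part of http/https URLs; a simplification, not a full URI parser.
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
# Domain-like tokens inside header values (From, Received, Reply-To, ...).
HEADER_DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def body_domains(msg):
    """Hosts of URLs found in the text parts of the body only."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "ascii", "replace")
            hosts.update(h.lower().rstrip(".") for h in URL_HOST.findall(text))
    return hosts

def header_domains(msg):
    """Domain-like strings in any header value (easily forged by the sender)."""
    hosts = set()
    for _, value in msg.items():
        hosts.update(h.lower() for h in HEADER_DOMAIN.findall(str(value)))
    return hosts

def classify(raw, is_listed):
    """Return 'spam' on a body hit, 'review' when only headers hit, else 'clean'.
    Headers are consulted only if the body check did not already mark the message."""
    msg = message_from_string(raw)
    if any(is_listed(d) for d in body_domains(msg)):
        return "spam"
    if any(is_listed(d) for d in header_domains(msg)):
        return "review"  # deliver, but save a copy for manual investigation
    return "clean"

# Constructed sample data: a local set standing in for the blocklist lookup.
LISTED = {"spamvertised.example"}
def is_listed(domain):
    return any(domain == l or domain.endswith("." + l) for l in LISTED)

BODY_HIT = "From: a@mail.example\nSubject: hi\n\nBuy at http://www.spamvertised.example/x\n"
HEADER_ONLY = "From: bob@spamvertised.example\nSubject: hi\n\nSee http://docs.example/page\n"
CLEAN = "From: carol@mail.example\nSubject: hi\n\nSee http://docs.example/page\n"
```

Only the body result drives blocking here; a header-only hit is kept as a flag for review, so a listed domain placed in a forged header cannot by itself cause a message to be rejected.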