Paul Bijnens wrote:


Be careful about using clamav with the MSRBL image-spams database!!

It seems to me like detecting the image spams with clamav signatures
is not really an improvement. In fact, it is probably dangerous!

The programs generating these spams make unique images with
variations with speckles, lines, color, size, etc., making the image
signature unique for each mail sent.  I still have to catch the
first real spam using the MSRBL-Image clamav signatures.
I did catch some false positives on the other hand...

How did you determine they were false positives? Their website does not provide a context so you can't know if what you are seeing is a web beacon image or a spacer.

I determine false positives very simply - If neither the sender nor the intended recipient communicates with me that a message was blocked, it is spam. I've never been contacted because of a message blocked using Sanesecurity or MSRBL lists.



I removed the msrbl-image database from my system, reducing the
number of signatures clamav has to watch to 1/3.
And no more false positives either as benefit.

We're having very different experiences.


Now trying to get fuzzy-OCR working instead...

This isn't going to work well. I've beaten that dog to death and it is the least effective but most expensive method I've tried in terms of time wasted, bandwidth used, and cpu cycles invested. I work in the commercial image industry though, and so we tend to see more imagery than most sites.

I think you'd be better off analyzing the structure of images. Image spams are very different structurally than photographs and computer art. The layering, color transitions, and repeating patterns such as speckle are like fingerprints - no two alike. But you always know what a fingerprint looks like. It isn't so important to know whose fingerprint it is so long as you know it isn't yours.

dp
