Paul Bijnens wrote:
On 2007-03-07 02:16, Dennis Peterson wrote:
Paul Bijnens wrote:
On 2007-03-05 20:07, Dennis Peterson wrote:
Paul Bijnens wrote:

Be careful about using clamav with the MSRBL image-spams database!!

It seems to me like detecting the image spams with clamav signatures
are not really an improvement. In fact, it is probably dangerous!

The programs generating these spams make unique images with
variations with speckles, lines, color, size, etc making the image
signature unique for each mail sent.  I still have to catch the
first real spam using the MSRBL-Image clamav signatures.
I did catch some false positives on the other hand...
How did you determine they were false positives? Their website does not
provide a context so you can't know if what you are seeing is a web
beacon image or a spacer.
Yes it is a spacer, and not a beacon image.

I downloaded and investigated the image.

E.g. you flagged 36 times the "MSRBL-Images/0-IYC" spam image.
And you still don't know the context. If MSRBL pulled down 3000
messages, all spam, and they all contained this image which looks for
all the world like a web beacon to me, then that is a spam indicator.
Just like certain word couplings are indicators of spam, so too are
images. The image itself needn't be the spam as in image spam. It needs
only to be a valid and repeatable indicator. I consider web beacons and
the messages that contain them to be spam.

OK, so I just sent the decision to the msrbl mailing list:
And got this answer:


Is this another false positive, or is this a beacon image used by
spammers?

MSRBL-Images/0-IYC
Hi,
Thanks for the report, but this was removed from the signature file about 5 
days ago.

So this classifies those "small" images 1x1, 1x2 etc, as false positives
by the maintainers themselves.

Leaving these out (yes, all those "too small" images were removed
from the signature files now), do you still have some hit on some image,
and if yes, which one?
In all the months I had msrbl-Images added to the list of clamav
signatures, I did not encounter one single real spam, only 6 false
positives.
But I'm not running a high traffic mail server.
I'm interested in results catching real spam on some more substantial
servers.
All the hits you got in the list you gave classify as false positives
in my opinion.


I went over the logs of those 36 and found they came from several different sources including, humorously, one of our own web servers that had been used to send spam. Most of them were sent in via our London gateway which then forwards them here. The source addresses were China, the Netherlands, and Poland. The messages were also recorded by the milter log which also does content filtering, and the log there shows the messages were for male enhancement drugs. Some of the others in the list were posts from Constant Contact and geocities. The subject lines are logged by Sendmail and they are consistent with spambot messages in that they were nonsense two or three word phrases.

dp

dp
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html