> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 27, 2005 2:25 PM
> To: Chris Santerre
> Cc: 'Duncan Findlay'; [email protected]
> Subject: rule secrecy, spammer evasion (was Re: PROPOSAL: create
> "SpamAssassin Rules Project")
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Chris Santerre writes:
> > > I'd like to see the data that supports this claim. I'm really
> > > skeptical.
> >
> > When's the last time you got a hit on Mr_Wiggly ruleset?
>
> Bear in mind, the SARE ruleset is not the only filter in the world
> that is attempting to catch that spam. AOL, Yahoo!, Hotmail, GMail,
> Brightmail, etc. etc. are also attempting to catch it, and the
> spammer is also mutating his spam to evade *them*.

Don't get me started on where *those* people got some of *their* rules from! Some of *those* people never even bothered to rename the rules!

> From all the research I've read and people I've talked to about this, the
> spammers are a *LOT* more concerned with evading *those* filters than they
> are about piddly little SpamAssassin. Especially the AOL case -- some
> spammers are dedicated 7 days a week to getting past that single ISP's
> filters.

Which is why SA retains such a great hit rate weeks after a release????????

> > We never saved data on this. But if you ask ANY SARE member, they will
> > back up this claim. Or better yet, go ahead and start a new rule discussion
> > in the SATALK list. Pick a spam flag and go for it. See how long it takes
> > for that flag to go bye bye ;)
>
> OK, let's pick one ;) From the top hitters on my corpus in the
> last mass-check:
>
> 12.063 17.4637 0.0000 1.000 0.98 4.14 MIME_BOUND_DD_DIGITS
>
> grep MIME_BOUND_DD_DIGITS spam.log | perl -pe \
> 's/^.*\btime=//; s/,.*$//;' > times

Ahhh...now I understand why you sent this. I got confused. I didn't read this email first.

I would consider this a bad rule to go by. Why? This IMHO is more a ratware flag. Spammers, more likely sock puppets, don't understand or bother with this as much as the easier 'body content' stuff. So for instance if you write a rule looking for the phrase "buy m0rtgag3s h3r3", Mr Sockpuppet can easily understand that aspect and change his body payload to avoid. But I doubt many will understand the ratware setup of a MIME boundary.

--Chris
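A way to actually run the experiment the quoted reply proposes (pick a rule, pull the hit times out of the mass-check log, and see whether the hits dry up week by week), as an added Python example that is not code from this thread. It assumes a log layout modelled on the grep/perl one-liner above (a comma-separated hit list followed by a `time=<epoch>` field) and the sample lines are constructed, not real mass-check output.

```python
import re
from collections import Counter

WEEK = 7 * 86400

# Constructed sample lines, not real mass-check data. Assumed layout:
# <status> <score> <msg-id> <comma-separated hits> time=<epoch>,<other fields>
SAMPLE_LOG = """\
Y 12 msg001 MIME_BOUND_DD_DIGITS,HTML_MESSAGE,BAYES_99 time=1122000000,scantime=1
Y 9 msg002 HTML_MESSAGE,BAYES_99 time=1122100000,scantime=1
Y 14 msg003 MIME_BOUND_DD_DIGITS,BAYES_99 time=1122600000,scantime=2
Y 11 msg004 MIME_BOUND_DD_DIGITS,HTML_MESSAGE time=1122650000,scantime=1
Y 8 msg005 HTML_MESSAGE time=1123300000,scantime=1
Y 10 msg006 MIME_BOUND_DD_DIGITS time=1123900000,scantime=1
"""

TIME_RE = re.compile(r"\btime=(\d+)")


def parse_line(line):
    """Return (set of rule names that fired, epoch time), or None if no time= field."""
    m = TIME_RE.search(line)
    if not m:
        return None
    fields = line[: m.start()].split()
    if not fields:
        return None
    return set(fields[-1].split(",")), int(m.group(1))


def hit_times(log_text, rule):
    """Sorted epoch times of messages where `rule` fired, matched as a whole
    name: a bare grep would also count RULE_2 or a rule that merely contains it."""
    times = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and rule in parsed[0]:
            times.append(parsed[1])
    return sorted(times)


def weekly_hits(times):
    """Hits per 7-day bucket counted from the first hit; empty weeks are zeros,
    so a rule spammers have adapted around shows up as a trailing run of zeros."""
    if not times:
        return []
    buckets = Counter((t - times[0]) // WEEK for t in times)
    return [buckets.get(w, 0) for w in range(max(buckets) + 1)]


def rule_timeline(log_text, rule):
    return weekly_hits(hit_times(log_text, rule))


if __name__ == "__main__":
    for name in ("MIME_BOUND_DD_DIGITS", "HTML_MESSAGE", "BAYES_99"):
        print(name, rule_timeline(SAMPLE_LOG, name))
```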
