Hello Duncan,

Tuesday, July 26, 2005, 7:26:49 PM, you wrote:

>> People who update from SARE, just hear: "Hey xxxx.cf got updated." And they
>> go and get it. Or they don't even know it gets updated and the RDJ script
>> does it. So public is pretty good at just accepting the rule updates.

DF> Yes, but it's difficult for people to join SARE, or learn what goes
DF> into rule development. If all the development takes place in private,
DF> then there's no way for newcomers to join and this is a really bad
DF> thing.

Except that SARE's membership isn't quite that private. We participate
actively on this list, and on the SARE forum/list, and we do have
people join SARE based on their activity. SARE has about as many
active members as there are active committers within SA.

>> Having an open public discussion on new rule ideas, pretty much defeats the
>> purpose.

DF> I'd like to see the data that supports this claim. I'm really
DF> skeptical.

Example:
body      SARE_BODY_URI_STOCK      /[EMAIL PROTECTED]/i
describe  SARE_BODY_URI_STOCK      Signature of stock market spammer
score     SARE_BODY_URI_STOCK      1.666
#hist     SARE_BODY_URI_STOCK      Bob Menschel, Apr 17 2005, from a variety of suggestions
#counts   SARE_BODY_URI_STOCK      184s/0h of 258734 corpus (114194s/144540h RM) 05/24/05
#max      SARE_BODY_URI_STOCK      400s/0h of 281295 corpus (109907s/171388h RM) 05/06/05

This was implemented in early May following ideas suggested here and
in Spam-L. At that time spam carrying the spamsign was 0.36% of all
spam. Less than a month later it was 0.07% of all spam. Spam didn't
increase *that* much during the month -- the more aware spammers saw
the discussions and stopped flagging their spam with this sign.

body      SARE_SPEC_BANNEDCD       /b\s?a\s?n\s?n\s?e\s?d\s?c\s?d/i
describe  SARE_SPEC_BANNEDCD       mentions the supposedly banned CD
score     SARE_SPEC_BANNEDCD       4.000
#stype    SARE_SPEC_BANNEDCD       spamgg
#counts   SARE_SPEC_BANNEDCD       0s/0h of 196729 corpus (96191s/100538h RM) 02/21/05
#max      SARE_SPEC_BANNEDCD       2412s/0h of 100793 corpus (82099s/18694h) 02/21/04
#counts   SARE_SPEC_BANNEDCD       29s/0h of 54131 corpus (16957s/37174h JH-3.01) 03/02/05
#max      SARE_SPEC_BANNEDCD       82s/0h of 38753 corpus (15271s/23482h JH-SA3.0rc1) 09/03/04
#counts   SARE_SPEC_BANNEDCD       0s/0h of 27712 corpus (24263s/3449h MY) 02/27/05
#max      SARE_SPEC_BANNEDCD       65s/0h of 17014 corpus (14582s/2432h MY) 08/03/04

This rule was a big hitter in early 2004.  A year later it completely
disappeared from all SARE corpora except Jesse's.

body      SARE_SPEC_ROLEX_ORD      /\border\b.{1,30}\br(?:[EMAIL PROTECTED]|aw)lex/i
describe  SARE_SPEC_ROLEX_ORD      Order rolex
score     SARE_SPEC_ROLEX_ORD      2.222
#hist     SARE_SPEC_ROLEX_ORD      ninjaz -at- webexpress.com
#counts   SARE_SPEC_ROLEX_ORD      38s/0h of 281295 corpus (109907s/171388h RM) 05/06/05
#max      SARE_SPEC_ROLEX_ORD      1166s/0h of 174352 corpus (98963s/75389h RM) 02/18/05

Picked this one up here, if I remember correctly.  Applied quickly, it
hit 0.67% of all spam. Three months later it was 0.01%.

No, none of the spammers sent email to SARE telling us they were
pulling their spamsign because they saw these rules discussed online.
It might be that they pulled these spamsign because the spam simply
wasn't getting through. That theory can be supported because
apparently just about ALL rules show decreasing effectiveness over
time -- spamsign changes. But it does seem to us (those SARE
participants who have been vocal) that the rules which are discussed
online decrease in effectiveness faster than those which aren't.

Bob Menschel
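
As an added example (not part of Bob Menschel's message and not SARE's own tooling), the following Python parses the #counts/#max annotations quoted above for SARE_SPEC_BANNEDCD and compares each corpus's peak spam hit rate with its latest one. The reading of the fields and the pairing of each #counts line with the #max line after it are assumptions taken from the layout in the message.

```python
import re

# SARE_SPEC_BANNEDCD annotations copied from the message, wrapped lines rejoined.
ANNOTATIONS = """\
#counts   SARE_SPEC_BANNEDCD       0s/0h of 196729 corpus (96191s/100538h RM) 02/21/05
#max      SARE_SPEC_BANNEDCD       2412s/0h of 100793 corpus (82099s/18694h) 02/21/04
#counts   SARE_SPEC_BANNEDCD       29s/0h of 54131 corpus (16957s/37174h JH-3.01) 03/02/05
#max      SARE_SPEC_BANNEDCD       82s/0h of 38753 corpus (15271s/23482h JH-SA3.0rc1) 09/03/04
#counts   SARE_SPEC_BANNEDCD       0s/0h of 27712 corpus (24263s/3449h MY) 02/27/05
#max      SARE_SPEC_BANNEDCD       65s/0h of 17014 corpus (14582s/2432h MY) 08/03/04
"""

# Assumed reading: <spam hits>s/<ham hits>h of <total> corpus
# (<spam msgs>s/<ham msgs>h [corpus tag]) <date>. The tag is optional.
LINE_RE = re.compile(
    r"^#(?P<kind>counts|max)\s+(?P<rule>\S+)\s+(?P<hit_s>\d+)s/(?P<hit_h>\d+)h"
    r" of (?P<total>\d+) corpus \((?P<spam>\d+)s/(?P<ham>\d+)h(?: (?P<tag>[^)]+))?\)"
    r"\s+(?P<date>\d\d/\d\d/\d\d)\s*$"
)
NUMERIC = ("hit_s", "hit_h", "total", "spam", "ham")

def parse(text):
    """Return one dict per well-formed #counts/#max line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row.update({k: int(row[k]) for k in NUMERIC})
        # Percentage of the corpus's spam that the rule hit; guard empty corpora.
        row["spam_pct"] = 100.0 * row["hit_s"] / row["spam"] if row["spam"] else 0.0
        rows.append(row)
    return rows

def decay(rows):
    """Pair each #counts row with the #max row after it (assumed layout)."""
    pairs, current = [], None
    for row in rows:
        if row["kind"] == "counts":
            current = row
        elif current and row["rule"] == current["rule"]:
            pairs.append({"corpus": current["tag"] or row["tag"] or "?",
                          "peak_pct": row["spam_pct"], "peak_date": row["date"],
                          "now_pct": current["spam_pct"], "now_date": current["date"],
                          "ham_hits": current["hit_h"] + row["hit_h"]})
            current = None
    return pairs

if __name__ == "__main__":
    for p in decay(parse(ANNOTATIONS)):
        print("{corpus:8} peak {peak_pct:.2f}% ({peak_date}) -> "
              "now {now_pct:.2f}% ({now_date}), ham hits {ham_hits}".format(**p))
```

Run against a rule file over time, the same comparison shows which rules have stopped hitting and in which corpora.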


