http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5701
------- Additional Comments From [EMAIL PROTECTED] 2007-10-25 10:34 ------- hi Umut! Thanks, I'm quite excited about the possibilities with this. ;) A couple of questions/comments: >1) Introducing new SA-rules that are required by PILFER >2) Evaluating a first version of SA trained using these new rules To be honest, I do not expect fantastic results from these alone, without the PILFER decision-rules plugin. In my experience, SpamAssassin isn't great at combining rules that have high false positive rates (as most phish rules seem to be) into a more accurate combination rule. But I guess it's worth a try, anyway, especially if it's just used to gather data, and we have the more accurate decision-rules plugin further down the line... >3) Evaluating a more advanced version of PILFER in the form of a plug-in that uses decision-rules derived by PILFER’s learning algorithm >4) Evaluating field performance & collecting feedback from the community Worth noting that, hopefully, if all goes well and it fits technically, we'd like to fold that plugin into the SpamAssassin core distribution... by the way, regarding item 0) : >0) Adding anti-phishing detection mechanism to SA, without effecting the performance of SA’s spam detection If by this you mean adding a new "target" for mail types, alongside nonspam (score < required_score threshold, "X-Spam-Flag=NO") and spam (score >= required_score threshold, "X-Spam-Flag=YES"), we may be able to do something similar to how we treat virus-bounce messages in the VBounce ruleset: http://wiki.apache.org/spamassassin/VBounceRuleset . It's pretty simple -- all of the rules in the ruleset trigger a "BOUNCE_MESSAGE" rule as well, so if that rule appears in the list of tests hit, the message can be considered a bounce. In the case of phishes, I'd suggest that we mark the mail as spam, and have a new "PHISHING" rule, which always fires if the mail is considered phish. Therefore we have 3 states: nonspam (score < required_score threshold, "X-Spam-Flag=NO") spam (score >= required_score threshold, "X-Spam-Flag=YES", "X-Spam-Status !~ /PHISHING/) spam,phish (score >= required_score threshold, "X-Spam-Flag=YES", "X-Spam-Status =~ /PHISHING/) Conceptually, "phish" is just considered a subset of "spam", and conveniently enough we don't have to change the SpamAssassin code APIs ;) This is also similar to how ClamAV treat phishing, too. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
