[sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Pete McNeil
Hello Nick,

What is your false positive rate with that pattern?

_M

Tuesday, June 6, 2006, 10:05:18 AM, you wrote:

> Hi Markus -

> Markus Gufler wrote:

>>There is also another type of spam (stock spam now with attached png image)
>>this morning passing our filters.
>>
> I am catching these fairly easily -
> a combo filter -
> #combo-stockspammer-png.txt
> SKIPIFWEIGHT 26
> TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
> BODY 5 CONTAINS Content-Type: image/png;
> #
> The body regex is this:
> src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

> -Nick


> #
> This message is sent to you because you are subscribed to
>   the mailing list .
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> Send administrative queries to  <[EMAIL PROTECTED]>



-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Pete McNeil
Hello Jonathan,

I urge caution from experience... png images are not entirely rare,
and the cid: tag format in the regex is also common.

I'd love to be wrong - but I recall false positives with similar
attempts in the past.

Is there more to this than the two elements I just described -
something I'm not seeing?

_M

Tuesday, June 6, 2006, 10:19:36 AM, you wrote:

> Nick, very good method.  I have added that to my configuration as well now.

> - Original Message - 
> From: "Nick Hayer" <[EMAIL PROTECTED]>
> To: "Message Sniffer Community" 
> Sent: Tuesday, June 06, 2006 10:05 AM
> Subject: Re: [sniffer]Numeric spam topic change to png stock spam


>> Hi Markus -
>>
>> Markus Gufler wrote:
>>
>> >There is also another type of spam (stock spam now with attached png image)
>> >this morning passing our filters.
>> >
>> I am catching these fairly easily -
>> a combo filter -
>> #combo-stockspammer-png.txt
>> SKIPIFWEIGHT 26
>> TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
>> BODY 5 CONTAINS Content-Type: image/png;
>> #
>> The body regex is this:
>> src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
>>
>> -Nick
>>



-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Nick Hayer




Pete McNeil wrote:

> Hello Nick,
>
> What is your false positive rate with that pattern?

Hmm let's go to the MDLP for yesterday  :)

                    SS    HH   HS   SH   SA         SQ
REGEX.STOCK.BODY    331   0    0    66   0.667506   0.445565
COMBO.STOCK_PNG     16    0    0    1    0.882353   0.778547

The regex alone will fp; I score it with a 3 [hold on 10; delete on 24]
The png combo I just did it last night when I first saw the spam. So
far I have not seen any fp. [ I combo it (the regex) with other tests as
well - which makes it much more reliable.]

-Nick



  
> _M
>
> Tuesday, June 6, 2006, 10:05:18 AM, you wrote:
>
>> Hi Markus -
>>
>> Markus Gufler wrote:
>>
>>> There is also another type of spam (stock spam now with attached png image)
>>> this morning passing our filters.
>>
>> I am catching these fairly easily -
>> a combo filter -
>> #combo-stockspammer-png.txt
>> SKIPIFWEIGHT 26
>> TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
>> BODY 5 CONTAINS Content-Type: image/png;
>> #
>> The body regex is this:
>> src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
>>
>> -Nick
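
An added example, not part of the original thread or of any poster's configuration: the body regex and PNG marker quoted above, applied in Python to constructed messages with the weights and thresholds given in this post. The combo semantics, the `other_weight` parameter and the sample messages are assumptions made for illustration.

```python
import re

# Body regex and PNG marker exactly as posted in the thread.
CID_RE = re.compile(r'src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@')
PNG_MARKER = "Content-Type: image/png;"

REGEX_WEIGHT = 3             # "I score it with a 3"
COMBO_WEIGHT = 5             # BODY 5 CONTAINS ...
SKIP_IF_WEIGHT = 26          # SKIPIFWEIGHT 26
HOLD_AT, DELETE_AT = 10, 24  # "hold on 10; delete on 24"


def evaluate(raw, other_weight=0):
    """Return (regex_hit, combo_hit, weight, action); other_weight is hypothetical."""
    weight = other_weight
    regex_hit = CID_RE.search(raw) is not None
    if regex_hit:
        weight += REGEX_WEIGHT
    # Assumed combo semantics: skipped at or above SKIP_IF_WEIGHT, ends
    # unless the regex test already failed, then adds weight for the PNG part.
    combo_hit = weight < SKIP_IF_WEIGHT and regex_hit and PNG_MARKER in raw
    if combo_hit:
        weight += COMBO_WEIGHT
    action = "delete" if weight >= DELETE_AT else "hold" if weight >= HOLD_AT else "deliver"
    return regex_hit, combo_hit, weight, action


def make_message(cid, image_type):
    """Build a constructed multipart/related message with one inline image."""
    return (
        'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/html\r\n\r\n"
        f'<html><body><img src="cid:{cid}"></body></html>\r\n'
        f"--b1\r\nContent-Type: image/{image_type};\r\n"
        f"Content-ID: <{cid}>\r\n\r\n(image data omitted)\r\n--b1--\r\n"
    )


# Constructed samples, not real mail. The first CID has the regex's shape.
MUA_STYLE_CID = "000a01c6895a$1f2e3d40$0a00a8c0@desk01"
PNG_MAIL = make_message(MUA_STYLE_CID, "png")
GIF_MAIL = make_message(MUA_STYLE_CID, "gif")
OTHER_CID_PNG = make_message("logo@example.invalid", "png")

if __name__ == "__main__":
    for name, raw in [("png", PNG_MAIL), ("gif", GIF_MAIL), ("other cid", OTHER_CID_PNG)]:
        print(name, evaluate(raw), evaluate(raw, other_weight=4))
```

With no other weight, the regex and the combo together reach 8, below the hold threshold of 10, so the outcome for a matching message depends on what the other tests contribute.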

  
  


  





Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Jonathan Hickman
Because a small amount of weight is added, it is still sufficient for
tilting the scales on more occurrences than other image types.

- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community" 
Sent: Tuesday, June 06, 2006 10:44 AM
Subject: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam


> Hello Jonathan,
>
> I urge caution from experience... png images are not entirely rare,
> and the cid: tag format in the regex is also common.
>
> I'd love to be wrong - but I recall false positives with similar
> attempts in the past.
>
> Is there more to this than the two elements I just described -
> something I'm not seeing?
>
> _M
>
> Tuesday, June 6, 2006, 10:19:36 AM, you wrote:
>
> > Nick, very good method.  I have added that to my configuration as well now.
>
> > - Original Message - 
> > From: "Nick Hayer" <[EMAIL PROTECTED]>
> > To: "Message Sniffer Community" 
> > Sent: Tuesday, June 06, 2006 10:05 AM
> > Subject: Re: [sniffer]Numeric spam topic change to png stock spam
>
>
> >> Hi Markus -
> >>
> >> Markus Gufler wrote:
> >>
> >> >There is also another type of spam (stock spam now with attached png image)
> >> >this morning passing our filters.
> >> >
> >> I am catching these fairly easily -
> >> a combo filter -
> >> #combo-stockspammer-png.txt
> >> SKIPIFWEIGHT 26
> >> TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
> >> BODY 5 CONTAINS Content-Type: image/png;
> >> #
> >> The body regex is this:
> >> src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
> >>
> >> -Nick
> >>
> -- 
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.



[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Pete McNeil
Hello Nick,

Thanks.

That's all good then :-)

_M

Tuesday, June 6, 2006, 10:46:55 AM, you wrote:

> Pete McNeil wrote:
>
> Hello Nick,
>
> What is your false positive rate with that pattern?
>
> Hmm let's go to the MDLP for yesterday  :)
>
>                     SS    HH   HS   SH   SA         SQ
> REGEX.STOCK.BODY    331   0    0    66   0.667506   0.445565
> COMBO.STOCK_PNG     16    0    0    1    0.882353   0.778547
>
> The regex alone will fp; I score it with a 3 [hold on 10; delete on 24]
> The png combo I just did it last night when I first saw the spam.
> So far I have not seen any fp. [ I combo it (the regex) with other
> tests as well - which makes it much more reliable.]
>
> -Nick
>
> _M
>
> Tuesday, June 6, 2006, 10:05:18 AM, you wrote:
>
> Hi Markus -
>
> Markus Gufler wrote:
>
> There is also another type of spam (stock spam now with attached png image)
> this morning passing our filters.
>
> I am catching these fairly easily -
> a combo filter -
> #combo-stockspammer-png.txt
> SKIPIFWEIGHT 26
> TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
> BODY 5 CONTAINS Content-Type: image/png;
> #
> The body regex is this:
> src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
>
> -Nick


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

