Re: [sniffer] Surprising missed spam

2004-09-13 Thread Pete McNeil
On Monday, September 13, 2004, 7:22:03 PM, Corby wrote:

AC> Hello,

AC> I was surprised recently by some spam that got through
AC> without getting caught by the sniffer.   We've been getting some
AC> plain text messages that have obvious spam words in the subject
AC> line.   For example, a plain text message with "horny teenagers"
AC> came through.  The content was also very spammy, but all plain
AC> text.   I tried sending myself a few messages with standard spam
AC> phrases and none of them tripped any sniffer rules.

AC> Am I missing something?

Can you zip up some examples and send them to me?
I'm researching this issue right now and I need more data.

Thanks,
_M

PS: A number of word / phrase based rules have been dropped from the
core rule base due to false positives - not many, but this might
explain some of what you're seeing - I will know more when I have some
examples. If that's the case I can always put the rules back in for
your local rule base.






This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: [sniffer] Surprising missed spam

2004-09-13 Thread Matt




Corby,

Personally, I'm a fan of leaving the generic stuff out due to the
potential of false positives.  Those of us that are using Sniffer in
addition to other spam blocking mechanisms can afford to lose some
Sniffer hits on such phrases because they will be picked up by other
means almost all of the time.  Including such phrases however would
increase our false positive rate without a measurable benefit in spam
capture rates.  I have even asked Pete to remove some phrase hits from
my own rulebase for exactly this reason.

Matt



Agid, Corby wrote:

  
  
  Surprising missed spam

  Hello,
  
  I was surprised recently by some spam
that got through without getting caught by the sniffer.   We've been
getting some plain text messages that have obvious spam words in the
subject line.   For example, a plain text message with "horny
teenagers" came through.  The content was also very spammy, but all
plain text.   I tried sending myself a few messages with standard spam
phrases and none of them tripped any sniffer rules.
  Am I missing something?
  
  Corby
  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




RE: [sniffer] Surprising missed spam

2004-09-14 Thread Agid, Corby
To which address should I send these?

Also, I mis-stated the spam.  They were not plain text, but html, but clearly have 
many "classic" spam attributes.  I will send them along, but need to know where.



> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Monday, September 13, 2004 4:29 PM
> To: Agid, Corby
> Subject: Re: [sniffer] Surprising missed spam
> 
> On Monday, September 13, 2004, 7:22:03 PM, Corby wrote:
> 
> AC> Hello,
> 
> AC> I was surprised recently by some spam that got through without 
> AC> getting caught by the sniffer.   We've been getting some 
> plain text 
> AC> messages that have obvious spam words in the subject line.   For 
> AC> example, a plain text message with "horny teenagers"
> AC> came through.  The content was also very spammy, but all 
> plain text.   
> AC> I tried sending myself a few messages with standard spam 
> phrases and 
> AC> none of them tripped any sniffer rules.
> 
> AC> Am I missing something?
> 
> Can you zip up some examples and send them to me?
> I'm researching this issue right now and I need more data.
> 
> Thanks,
> _M
> 
> PS: A number of word / phrase based rules have been dropped 
> from the core rule base due to false positives - not many, 
> but this might explain some of what you're seeing - I will 
> know more when I have some examples. If that's the case I can 
> always put the rules back in for your local rule base.



RE: [sniffer] Surprising missed spam

2004-09-14 Thread Agid, Corby



I suppose everyone's userbases have different 
requirements.  An ISP or private enterprise might worry about false 
positives on "horny teenagers" and "penis enlargement", but for our local 
government agency, it causes problems.  
 
Corby


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Monday, September 13, 2004 5:25 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [sniffer] Surprising missed spam

  Corby,

  Personally, I'm a fan of leaving the generic stuff 
  out due to the potential of false positives.  Those of us that are using 
  Sniffer in addition to other spam blocking mechanisms can afford to lose some 
  Sniffer hits on such phrases because they will be picked up by other means 
  almost all of the time.  Including such phrases however would increase 
  our false positive rate without a measurable benefit in spam capture 
  rates.  I have even asked Pete to remove some phrase hits from my own 
  rulebase for exactly this reason.

  Matt

  Agid, Corby wrote:
  

Hello, 
I was surprised recently by some spam that got 
through without getting caught by the sniffer.   We've been 
getting some plain text messages that have obvious spam words in the subject 
line.   For example, a plain text message with "horny teenagers" 
came through.  The content was also very spammy, but all plain 
text.   I tried sending myself a few messages with standard spam 
phrases and none of them tripped any sniffer rules.
Am I missing something? 
Corby

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [sniffer] Surprising missed spam

2004-09-14 Thread Jim Matuska
I just forwarded half a dozen myself, they have been coming in for the last 
week or so, much more so than before.

Jim Matuska Jr.
Computer Tech II
CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Agid, Corby" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 14, 2004 8:41 AM
Subject: RE: [sniffer] Surprising missed spam

To which address should I send these?
Also, I mis-stated the spam.  They were not plain text, but html, but 
clearly have many "classic" spam attributes.  I will send them along, but 
need to know where.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, September 13, 2004 4:29 PM
To: Agid, Corby
Subject: Re: [sniffer] Surprising missed spam
On Monday, September 13, 2004, 7:22:03 PM, Corby wrote:
AC> Hello,
AC> I was surprised recently by some spam that got through without
AC> getting caught by the sniffer. We've been getting some
plain text
AC> messages that have obvious spam words in the subject line. For
AC> example, a plain text message with "horny teenagers"
AC> came through. The content was also very spammy, but all
plain text.
AC> I tried sending myself a few messages with standard spam
phrases and
AC> none of them tripped any sniffer rules.
AC> Am I missing something?
Can you zip up some examples and send them to me?
I'm researching this issue right now and I need more data.
Thanks,
_M
PS: A number of word / phrase based rules have been dropped
from the core rule base due to false positives - not many,
but this might explain some of what you're seeing - I will
know more when I have some examples. If that's the case I can
always put the rules back in for your local rule base.




Re: [sniffer] Surprising missed spam

2004-09-14 Thread Matt




Actually, we scan for many businesses as well as home users, and have
clients with mail boxes on every continent except Antarctica.  To me
it's really a matter of what classifies spam, and while these phrases
are spammy, they are not accurate enough to use in my rulebase.  Pete
knows what he is doing however, and you will note that most of his
rules are based on 'payload' hits, which are generally links.  Without
a payload, the message is merely a statement, and while that has
happened (Nazi spamdemic), it is not the norm.  These guys do change
their payloads around regularly, but the ones that use these sorts of
phrases in spam are highly likely to also get tagged by other
obfuscation techniques in Sniffer.  Of course there are also many
blacklists that are good at tagging both zombie and static spam sources.

My point was really that I prefer to tag spam based on a positive hit
instead of a suggestive one, and for the most part, Sniffer does this. 
It is especially effective in combination with other spam blocking
techniques.  If for instance you have 3 hits on perfectly unassociated
patterns, and each one is 99% accurate, or rather 1% inaccurate, the
net result is that the combination of hits would produce a false
positive rate of 0.0001%.  A good example of this would be a message that
is tagged by Sniffer for a link in the body, tagged by SpamCop for
leaking spam by the IP, and forges the Mail From domain.  Unfortunately
I do see false positives frequently enough when Sniffer hits in
combination with some other less accurate test giving it enough points
to be held on my system, many of which might fall into a gray category
or results from a more generic/suggestive hit in combination with some
technical shortcoming.

Spam bothers me a whole bunch, that's why I'm in the business, but
false positives bother me even more.  I do wish that over time Pete
could further separate his rules into more positive and more suggestive
ones so that things like known URL's would be examples of more positive
ones and things like "horny teenagers" would be an example of a
suggestive one.  Given that, I could weight accordingly.

Matt



Agid, Corby wrote:

  
  
  
  I suppose everyone's
userbases have different requirements.  An ISP or private
enterprise might worry about false positives on "horny teenagers" and
"penis enlargement", but for our local government agency, it causes
problems.  
   
  Corby
  
  
  

 From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
Behalf Of Matt
Sent: Monday, September 13, 2004 5:25 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Surprising missed spam


Corby,

Personally, I'm a fan of leaving the generic stuff out due to the
potential of false positives.  Those of us that are using Sniffer in
addition to other spam blocking mechanisms can afford to lose some
Sniffer hits on such phrases because they will be picked up by other
means almost all of the time.  Including such phrases however would
increase our false positive rate without a measurable benefit in spam
capture rates.  I have even asked Pete to remove some phrase hits from
my own rulebase for exactly this reason.

Matt



Agid, Corby wrote:

  

  Hello, 
  I was surprised recently by some
spam that got through without getting caught by the sniffer.   We've
been getting some plain text messages that have obvious spam words in
the subject line.   For example, a plain text message with "horny
teenagers" came through.  The content was also very spammy, but all
plain text.   I tried sending myself a few messages with standard spam
phrases and none of them tripped any sniffer rules.
  Am I missing something? 
  Corby 


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
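
The arithmetic behind the weighting argument in the message above, as an added example that is not part of the original thread or of any poster's configuration: it computes how often legitimate mail would reach a hold threshold in a weighted multi-test filter, assuming the tests are independent. The test names, weights, thresholds and the 5% phrase-rule rate are constructed for illustration.

```python
from itertools import product

def hold_false_positive_rate(tests, threshold):
    """Probability that a legitimate message scores >= threshold.

    tests: list of (name, weight, fp_rate), where fp_rate is the chance the
    test fires on legitimate mail. Independence between tests is assumed,
    matching the post's "perfectly unassociated patterns".
    """
    total = 0.0
    # Enumerate every fired/not-fired combination of the tests.
    for fired in product((False, True), repeat=len(tests)):
        score = sum(w for (_, w, _), f in zip(tests, fired) if f)
        if score < threshold:
            continue
        p = 1.0
        for (_, _, fp), f in zip(tests, fired):
            p *= fp if f else 1.0 - fp
        total += p
    return total

# Constructed values: three "positive" tests, each 1% inaccurate.
POSITIVE_ONLY = [
    ("sniffer_link", 5, 0.01),
    ("spamcop_ip", 5, 0.01),
    ("forged_mail_from", 5, 0.01),
]
# A "suggestive" phrase rule (assumed 5% inaccurate) at full weight...
PHRASE_FULL_WEIGHT = POSITIVE_ONLY + [("phrase_rule", 5, 0.05)]
# ...and the same rule weighted so it cannot complete a hold with one other hit.
PHRASE_LOW_WEIGHT = POSITIVE_ONLY + [("phrase_rule", 2, 0.05)]

def scenarios():
    return {
        "all three positive tests, hold at 15":
            hold_false_positive_rate(POSITIVE_ONLY, 15),
        "any two positive tests, hold at 10":
            hold_false_positive_rate(POSITIVE_ONLY, 10),
        "phrase rule at weight 5, hold at 10":
            hold_false_positive_rate(PHRASE_FULL_WEIGHT, 10),
        "phrase rule at weight 2, hold at 10":
            hold_false_positive_rate(PHRASE_LOW_WEIGHT, 10),
    }

if __name__ == "__main__":
    for label, rate in scenarios().items():
        print(f"{label}: {rate * 100:.6f}% of legitimate mail held")
```

With these constructed numbers, giving the phrase rule the same weight as the positive tests raises the held-legitimate-mail rate roughly sixfold, while the lower weight leaves it unchanged.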