On 1/14/2013 2:59 PM, Ben Johnson wrote:

> I understand that snowshoe spam may not hit any net tests. I guess my
> confusion is around what, exactly, classifies spam as "snowshoe".

Snowshoe spam - spreading a spam run across a large number of IPs so
no single IP is sending a large volume.  Typically also combined
with "natural language" text, RFC compliant mail servers, verified
SPF and DKIM, business-class ISP with FCrDNS, and every other
criterion to look like a legit mail source.  This type of spam is
difficult to catch.

http://www.spamhaus.org/faq/section/Glossary#233
and countless other links if you ask Google.

> Are most/all of the BL services hash-based? In other words, if a known
> spam message was added yesterday, will it be considered "snowshoe" spam
> if the spammer sends the same message today and changes only one
> character within the body?

No, most all DNS blacklists are based on IP reputation.  Check each
list's website for their listing policy to see how an IP gets on
their list; generally honeypot email addresses or trusted user
reports.  Most lists require some number of reports before listing
an IP to prevent false positives; snowshoe spammers take advantage
of this.

> If so, then I guess the only remedy here is to focus on why Bayes seems
> to perform so miserably.

Sounds as if your bayes has been improperly trained in the past. 
You might do better to just delete the bayes db and start over with
hand-picked spam and ham.



  -- Noel Jones
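
Added example, not part of the original message: a small simulation of why a per-IP report threshold misses a run spread thinly over many addresses, and how counting reports per netblock surfaces it. The report data is constructed, and the thresholds and the /24 grouping are assumptions for illustration, not any blacklist's actual listing policy.

```python
import ipaddress
from collections import Counter

# Constructed spam-trap reports as (source IP, message id). Not real data;
# all addresses come from the RFC 5737 documentation ranges.
REPORTS = (
    [(f"203.0.113.{host}", f"run-a-{host}") for host in range(10, 50)]  # 40 IPs, 1 report each
    + [("198.51.100.7", f"bulk-{n}") for n in range(25)]                # 1 IP, 25 reports
    + [("192.0.2.15", "stray-1")]                                       # unrelated single report
)

PER_IP_THRESHOLD = 5      # assumed: reports needed before a single IP is listed
PER_BLOCK_THRESHOLD = 20  # assumed: reports needed across one netblock
MIN_DISTINCT_IPS = 10     # assumed: spread that marks a block as snowshoe-like


def per_ip_listing(reports, threshold=PER_IP_THRESHOLD):
    """Return the IPs a purely per-address reputation list would list."""
    counts = Counter(ip for ip, _ in reports)
    return {ip for ip, n in counts.items() if n >= threshold}


def snowshoe_blocks(reports, prefix=24, threshold=PER_BLOCK_THRESHOLD,
                    min_ips=MIN_DISTINCT_IPS):
    """Return netblocks with many reports in total while every member IP
    stays under the per-IP threshold."""
    totals, members = Counter(), {}
    for ip, _ in reports:
        block = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        totals[block] += 1
        members.setdefault(block, Counter())[ip] += 1
    flagged = {}
    for block, total in totals.items():
        ips = members[block]
        if (total >= threshold and len(ips) >= min_ips
                and max(ips.values()) < PER_IP_THRESHOLD):
            flagged[str(block)] = {"reports": total, "distinct_ips": len(ips)}
    return flagged


if __name__ == "__main__":
    print("per-IP listing:", per_ip_listing(REPORTS))
    print("snowshoe-like blocks:", snowshoe_blocks(REPORTS))
```

The single high-volume sender is the only address the per-IP rule lists; the 40-address run shows up only in the per-block view.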
