At 6:01 PM +0000 2/16/04, Matt Schneider wrote:
At 12:28 PM 2/16/2004 -0500, you wrote:
so, i guess a sliding window would catch filter-busting headers and trailers.
No, they add a bunch of garbage right in the body of the spams too,
fake HTML tags or text that's the same color as the background.
There's no real way to avoid this stuff.
Those are both really quite easy to catch, and can even be caught by
automatic learning filters. For example, the word 'oblivity' inside
angle brackets (i.e. a bogus HTML tag) occurs nowhere at all in any
of my legitimate mail of the past year. It occurs 6 times in my spam
of 2004. A filter that checks for strict HTML compliance in HTML mail
would have caught all of those, and I see in my current set of
Bayesian classifiers that this 'word' (complete with <>) is part of
why the later spams containing it were marked as probable spam.
Similarly, text that is the same color as the background is a
programmatically detectable trick, and there are already filters in
use that detect it as spamsign.
I also note in peeking at my current Bayesian classifiers that there
are many perfectly valid but uncommonly used words there which seem
to be strong spamsign for no obvious reason. At least no obvious
reason until I look at where in my recent spam they have appeared:
the filterbusting attempts that use random dictionary words. A quick
browse of the 200k entries in my filter collection and the accuracy
it shows leads me to believe that the spammers who try to break
filtering are still losing the arms race and may not ever hit on a
winning tactic.
--
Bill Cole
bill(_at_)scconsult(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg