On Sun, Dec 12, 2004 at 01:06:04PM -0800, Professional Software Engineering
wrote:
[long discussion of technique deleted]
> Running this in a sandbox against my spam corpus and regular mailbox
> resulted in a 0 false-positive rate. Running it against my virus corpus
> resulted in a hit rate in excess of 45%.
Yup. That is why it's a prime test in Virus Snaggers(tm). The name
I give it is "sending_client=host-spoof":
10:46pm [~/Mail/virus] 431[1]> grep ^X-Vsnag: msg.* | grep spoof
msg.-_T:X-Vsnag: vsnag221:sending_client=host-spoof+ext=scr
msg.0rzN:X-Vsnag: vsnag221:sending_client=host-spoof+ext=zip
msg.7YDL:X-Vsnag: vsnag221:sending_client=host-spoof+ext=scr
msg.Ap_Q:X-Vsnag: vsnag221:sending_client=host-spoof+ext=zip
msg.BkaI:X-Vsnag: vsnag222:sending_client=host-spoof+ext=zip
msg.CN9T:X-Vsnag: vsnag222a:sending_client=host-spoof+ext=zip
msg.CwwJ:X-Vsnag: vsnag221:sending_client=host-spoof+ext=exe
msg.ETS:X-Vsnag: vsnag222a:sending_client=host-spoof+ext=zip
msg.FGVD:X-Vsnag: vsnag221:sending_client=host-spoof+ext=exe
msg.FNNC:X-Vsnag: vsnag222a:sending_client=host-spoof+ext=zip
msg.Gi_X:X-Vsnag: vsnag221:sending_client=host-spoof+ext=pif
msg.LfHG:X-Vsnag: vsnag222a:sending_client=host-spoof+ext=pif
msg.gGQY:X-Vsnag: vsnag221:sending_client=host-spoof+ext=pif
msg.hZqW:X-Vsnag: vsnag222a:sending_client=host-spoof+ext=zip
msg.hczI:X-Vsnag: vsnag222a:sending_client=host-spoof+ext=zip
msg.iAFO:X-Vsnag: vsnag221:sending_client=host-spoof+ext=zip
msg.iz1X:X-Vsnag: vsnag221:sending_client=host-spoof+ext=zip
msg.jBUI:X-Vsnag: vsnag222a:sending_client=host-spoof+ext=pif
msg.jxRE:X-Vsnag: vsnag222a:sending_client=host-spoof+ext=pif
msg.kBUI:X-Vsnag: vsnag222a:sending_client=host-spoof+ext=scr
msg.mAFO:X-Vsnag: vsnag221:sending_client=host-spoof+ext=scr
Vsnag uses this to waylay the occasional spam that comes in with
this trick as well.
> I'm _not_ making the claim that this recipe is going to get rid of gobs and
> gobs of your spam. What it does for me is isolate a number of the handful
> of messages that manage to slip past the rest of my spam filters (and since
> I'm using it as part of a "SPAMMISHNESS" score, it works in conjunction
> with other rulesets, not just on its own). Somehow, last month I ended up
> with 44 spam messages which weren't caught by my filters because I've not
> been managing them for several months. So far this month, 15 already. A
> third of those get nabbed by this recipe (and another third are legitimate
> forwards from an account on another host which doesn't pre-filter, so they
> don't match the criteria in any event).
> Comments?
'S fine. (Or use vsnag and set VS_SPAMMY in the myvars file to put
the ones of these that don't have nasty attachments in your spam folder.) :-)
dman [ Virus Snaggers(tm) is at http://vsnag.spamless.us ]
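Added example (not part of the thread, and not vsnag's or procmail's own code): a small Python script that reads the X-Vsnag header format shown above ("vsnagNNN:sending_client=host-spoof+ext=EXT"), measures the host-spoof test's hit rate on a labelled corpus the way the quoted poster did, and then uses the test as one weighted input to a "SPAMMISHNESS"-style score instead of a standalone verdict. The corpora, the weights, the threshold, the RISKY_EXTS set (taken from the extensions listed in the grep output) and the other_score parameter standing in for "other rulesets" are all constructed assumptions for illustration.

```python
import email
import re

# Constructed sample corpora (assumption: not the thread's mail). Each message is a
# minimal RFC 822 text; the X-Vsnag header copies the format shown in the thread.
VIRUS_CORPUS = [
    "From: a@example.invalid\nSubject: hi\nX-Vsnag: vsnag221:sending_client=host-spoof+ext=scr\n\nbody\n",
    "From: b@example.invalid\nSubject: photos\nX-Vsnag: vsnag222a:sending_client=host-spoof+ext=zip\n\nbody\n",
    # A worm sent through a client that did not spoof its host name: this test misses it.
    "From: c@example.invalid\nSubject: doc\nX-Vsnag: vsnag221:ext=pif\n\nbody\n",
    "From: d@example.invalid\nSubject: hello\n\nbody\n",
]
HAM_CORPUS = [
    "From: friend@example.invalid\nSubject: lunch\n\nbody\n",
    # Legitimate zip attachment from a well-behaved client: tagged with ext only.
    "From: colleague@example.invalid\nSubject: report\nX-Vsnag: vsnag221:ext=zip\n\nbody\n",
    "From: list@example.invalid\nSubject: digest\n\nbody\n",
]
SPAM_CORPUS = [
    # Spam using the same host-spoof trick but carrying no attachment.
    "From: deals@example.invalid\nSubject: offer\nX-Vsnag: vsnag221:sending_client=host-spoof\n\nbody\n",
]

# Header value layout from the thread: "<vsnag version>:<tag>+<tag>+..."
VSNAG_RE = re.compile(r"^vsnag[0-9A-Za-z]+:(?P<tags>\S+)$")
HOST_SPOOF = "sending_client=host-spoof"
# Extensions that appeared in the thread's listing (assumption: not vsnag's real list).
RISKY_EXTS = {"scr", "pif", "exe", "zip"}
# Hypothetical weights: host-spoof alone stays below the threshold, so it only
# tips a message into the spam folder together with other evidence.
HOST_SPOOF_WEIGHT = 2.5
RISKY_EXT_WEIGHT = 1.0
SPAMMY_THRESHOLD = 3.0


def parse_vsnag(raw_message):
    """Return the set of X-Vsnag tags on a message (empty set if none)."""
    msg = email.message_from_string(raw_message)
    tags = set()
    for value in msg.get_all("X-Vsnag", []):
        m = VSNAG_RE.match(value.strip())
        if m:
            tags.update(m.group("tags").split("+"))
    return tags


def host_spoof_hit(raw_message):
    """True when vsnag flagged the sending client as spoofing its host name."""
    return HOST_SPOOF in parse_vsnag(raw_message)


def hit_rate(corpus, rule):
    """Count how many messages in a corpus trip a rule: (hits, total)."""
    hits = sum(1 for m in corpus if rule(m))
    return hits, len(corpus)


def spammishness(raw_message, other_score=0.0):
    """Weighted score; other_score stands in for the rest of the rulesets."""
    tags = parse_vsnag(raw_message)
    score = other_score
    if HOST_SPOOF in tags:
        score += HOST_SPOOF_WEIGHT
    for tag in tags:
        if tag.startswith("ext=") and tag[4:] in RISKY_EXTS:
            score += RISKY_EXT_WEIGHT
    return score


def classify(raw_message, other_score=0.0):
    """'virus' for host-spoof plus a risky attachment, 'spam' above threshold, else 'ok'."""
    tags = parse_vsnag(raw_message)
    exts = {t[4:] for t in tags if t.startswith("ext=")}
    if HOST_SPOOF in tags and exts & RISKY_EXTS:
        return "virus"
    if spammishness(raw_message, other_score) >= SPAMMY_THRESHOLD:
        return "spam"
    return "ok"


if __name__ == "__main__":
    for name, corpus in (("virus", VIRUS_CORPUS), ("ham", HAM_CORPUS), ("spam", SPAM_CORPUS)):
        hits, total = hit_rate(corpus, host_spoof_hit)
        print(f"{name}: host-spoof hits {hits}/{total}")
    for m in SPAM_CORPUS:
        print("spam alone:", classify(m), "| with other evidence:", classify(m, other_score=1.0))
```

On the constructed corpora the host-spoof test hits half of the virus messages and none of the ham, which is the shape of result the poster reports; the spam sample is only filed as spam once another ruleset contributes, which is the point of folding the test into a score rather than acting on it alone.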
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail