Bayes Poisoning? Spam with negative BAYES Scores - ahhhh

Nathan Johanson nathan at TCPNETWORKS.NET
Wed Dec 24 16:07:38 GMT 2003


Yep, I continue to see lots of SPAM getting through due to negative hits
on Bayes.

SpamAssassin (score=0.801,
required 4, BAYES_00 -4.90, FORGED_RCVD_NET_HELO 4.10,
HTML_MESSAGE 0.10, RCVD_NUMERIC_HELO 1.50)

This is my game plan. I plan to implement these modifications in stages:

(1) Upgrade to SpamAssassin 2.61. Already done and made no difference.

(2) Implement the bigevil.cf and other rulesets available at the
"Spamassassin Custom Rule Emporium"
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm

(3) Experiment with some different blacklists. Many of these messages
are still getting tagged by NJABL, but not all of them.

(4) I have been collecting a sampling of the offending spam and noticed
that the majority of these messages are originating from one IP address
(with a domain I recognize and one I've blacklisted in the past). I plan
to add this IP to our Sendmail access list and reject mail from the
offending source. However, this will reduce the amount but not stop it
completetly.

(5) Create some spam trap accounts (sales@ or webmaster@) and start
training the bayes databases manually. I have been relying on the
autolearning mechanism up to this point and it's clear that this isn't
enough. I figure that if I feed some of these offending messages in to
the system as SPAM, it should help resolve the problem. However, I am a
little worried that this may tip the scales the other direction and
cause more false positives. **Note: Anyone with some good pointers on
this strategy, please send me your advise**

(6) Join the SpamAssassin mailing list and report the problems there. I
already searched the archives and did note a few references to this
issue, but no concrete resolutions.

(7) Disable Bayes altogether and see what happens.

(8) Shrug my shoulders and write this off as just another example of the
"cold war" between spammers and those who want to stop them. The
spammers have the upper hand and call me skeptical, but there will never
be 100% reliability. 

Nathan


-----Original Message-----
From: Pete [mailto:pete at eatathome.com.au] 
Sent: Saturday, December 20, 2003 4:16 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Bayes Poisoning? Spam with negative BAYES Scores - ahhhh


-------- Original Message --------
From:   - Sat Dec 20 22:36:03 2003
X-Mozilla-Status:       0001
X-Mozilla-Status2:      00800000
Message-ID:     <3FE4341E.5020900 at eatathome.com.au>
Date:   Sat, 20 Dec 2003 22:35:58 +1100
From:   Pete <pete at eatathome.com.au>
Reply-To:       pete at eatathome.com.au
User-Agent:     Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5)
Gecko/20031013 Thunderbird/0.3
X-Accept-Language:      en-us, en
MIME-Version:   1.0
To:     peter.peters at utwente.nl
Subject:        Re: Bayes Poisoning? Spam with negative BAYES Scores -
ahhhh
References:
<CC6008BDBF458A4DB8456380C1BAB3800BA404 at server1.in.tcpnetworks.com>
<3FE2110D.4000804 at pacific.net> <3FE26817.5070507 at eatathome.com.au>
<q6r5uv8rf80aog78fi8req2ddb26oq7s2j at 4ax.com>
In-Reply-To:    <q6r5uv8rf80aog78fi8req2ddb26oq7s2j at 4ax.com>
Content-Type:   text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding:      7bit



Peter Peters wrote:

>On Fri, 19 Dec 2003 13:53:11 +1100, you wrote:
>
>
>
>>I am starting to find that as the bayes DB is getting larger that more
>>spam is starting to get through. I have only installed 6 weeks ago and
>>in the last 2 weeks i have a steady increase in spam not being trapped
-
>>is there bayes maintenance i need to do? maybe its something
completely
>>unrelated, but it seemed logical to me.
>>
>>
>
>I save undetected spam and feed that into sa-learn. I am working on
>filters that do the same with spam that is detected but has a negative
>bayes score.
>
>--
>Peter Peters, senior netwerkbeheerder
>Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
>Universiteit Twente,  Postbus 217,  7500 AE  Enschede
>telefoon: 053 - 489 2301, fax: 053 - 489 2383,
http://www.utwente.nl/civ
>
>
>

Hi and thanks - i currently dont have the option for creating
spam/notspam mail accounts - and the count of spam being let through is
now starting become a huge issue - heaps of spamm is not being trapped,
or the reason Nathan pointed out above - Nathan, have you found some
type of fix? I am no guru at this and dont want to have a long list of
SA custom rules i dont know a lot about. Are these the only 2 options i
have? or delete or stop using bayes?




More information about the MailScanner mailing list