Scanning for Spam

am.lists am.lists at gmail.com
Fri Feb 9 03:11:29 CET 2007


Scott- I agree with you, but if I'm scoring one of those at (let's say
for example) a 2.4 when I'm requiring 4.0, I'm passing this as good
mail. I'm also assuming that this same message is getting through most
others' too (at least those running with the same un-touched rules as
me). So how would this get learned as spam?

Also, these messages have a way of loading the junk portion up front,
followed by a couple of line feeds, then some "harmless" filler below.
Probably to make the scoring acceptable to have investor in there if
it's only mentioned in one out of 500 words, versus one out of 40
words. Any ideas on how to take this into account? e.g. Formulate a
rule that if any of these high-profile words are caught in the first
50 words of the message, be twice as prejudicial towards them?

Angelo

On 2/8/07, Scott Silva <ssilva at sgvwater.com> wrote:
> am.lists spake the following on 2/8/2007 3:19 PM:
> > We've all seen the "investor alert" messages.
> >
> > Thanks to Fuzzy OCR, I'm not getting them any more. The OCR scanning
> > is picking them all up and is very effective.
> >
> > But now, I'm seeing the plain text ones coming in. I know, I'm getting
> > pretty greedy to expect a 100% effectiveness rate of my spam
> > filtering, but it seems it should be possible to stop this stuff.
> >
> > My question for the list....
> >
> > What is the consensus method for rolling these to a halt?
> >
> > -- Are you tweaking existing rules that center on dial-up lists, bogus
> > helo, invalid reverse dns?
> > -- Are you using MCP for words like "investor" and other keywords?
> >
> > I'm currently using pyzor, razor, dcc, rules du jour, and fuzzy ocr
> > (with all [or most] of its plugin/helper apps).
> >
> > Thanks in advance.
> >
> >
> > Angelo
> With good rules and the digests you have enabled, you should be catching most
> of them. You might get a few at first until they get reported to the
> digests. The only other thing you could do is use a good blacklist or two at
> the MTA.
> I think you would be closer to unreasonable to expect 100% spam blocking, but
> there is one way. Reach behind the server and unplug the network cable. That
> is probably the only way to reach 100%, although you should easily be able to
> get into the low to mid 90's.
>
> --
>
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
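The position-weighting idea raised in the message above, as an added sketch that is not part of the original thread and is not a SpamAssassin or MailScanner rule. The keyword list, weights and sample messages are constructed assumptions; it contrasts a per-word density score, which trailing filler dilutes, with a sum that counts hits in the first 50 words double.

```python
import re

# Hypothetical keyword weights (assumption, not from any shipped ruleset).
KEYWORDS = {"investor": 1.0, "alert": 0.5, "stock": 0.5}
LEAD_WORDS = 50        # the "first 50 words" window from the message above
LEAD_MULTIPLIER = 2.0  # "twice as prejudicial"


def tokenize(body):
    """Lower-case the body and split it into word tokens."""
    return re.findall(r"[a-z0-9']+", body.lower())


def density_score(body):
    """Keyword weight per word over the whole body; padding lowers it."""
    words = tokenize(body)
    if not words:
        return 0.0
    return sum(KEYWORDS.get(w, 0.0) for w in words) / len(words)


def lead_weighted_score(body):
    """Sum of keyword weights, doubled inside the first LEAD_WORDS words.

    There is no division by message length, so filler appended after the
    pitch cannot reduce the score.
    """
    score = 0.0
    for index, word in enumerate(tokenize(body)):
        weight = KEYWORDS.get(word, 0.0)
        score += weight * (LEAD_MULTIPLIER if index < LEAD_WORDS else 1.0)
    return score


# Constructed sample messages (not taken from real mail).
PITCH = "Investor alert this stock is set to move. Investor demand is rising."
FILLER = " ".join(["the weather was calm and the garden quiet"] * 60)
SPAM_SHORT = PITCH
SPAM_PADDED = PITCH + "\n\n\n" + FILLER          # junk up front, filler below
HAM = FILLER + " I spoke to an investor yesterday."  # one late, casual mention

if __name__ == "__main__":
    for name, body in [("short", SPAM_SHORT), ("padded", SPAM_PADDED), ("ham", HAM)]:
        print(f"{name:7s} density={density_score(body):.4f} "
              f"lead_weighted={lead_weighted_score(body):.1f}")
```

The resulting number would still have to be mapped onto a rule score and tuned against real ham, since legitimate financial mail also opens with these words.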

