Scanning for Spam

Anthony Peacock a.peacock at chime.ucl.ac.uk
Fri Feb 9 09:46:53 CET 2007


Hi,

am.lists wrote:
> Scott- I agree with you, but if I'm scoring one of those at (let's say
> for example) a 2.4 when I'm requiring 4.0, I'm passing this as good
> mail. I'm also assuming that this same message is getting through most
> others' too (at least those running with the same un-touched rules as
> me). So how would this get learned as spam?
> 
> Also, these messages have a way of loading the junk portion up front,
> followed by a couple of line feeds, then some "harmless" filler below.
> Probably to make the scoring acceptable to have investor in there if
> it's only mentioned in one out of 500 words, versus one out of 40
> words. Any ideas on how to take this into account? e.g. Formulate a
> rule that if any of these high-profile words are caught in the first
> 50 words of the message, be twice as prejudicial towards them?

Put an example of these emails somewhere where the list users can find 
it (web page) with full headers, and I am sure people will tell you what 
scores they get and which rules hit.

Out of interest I currently catch 99.5% of my spam.

> 
> Angelo
> 
> On 2/8/07, Scott Silva <ssilva at sgvwater.com> wrote:
>> am.lists spake the following on 2/8/2007 3:19 PM:
>> > We've all seen the "investor alert" messages.
>> >
>> > Thanks to Fuzzy OCR, I'm not getting them any more. The OCR scanning
>> > is picking them all up and is very effective.
>> >
>> > But now, I'm seeing the plain text ones coming in. I know, I'm getting
>> > pretty greedy to expect a 100% effectiveness rate of my spam
>> > filtering, but it seems it should be possible to stop this stuff.
>> >
>> > My question for the list....
>> >
>> > What is the consensus method for rolling these to a halt?
>> >
>> > -- Are you tweaking existing rules that center on dial-up lists, bogus
>> > helo, invalid reverse dns?
>> > -- Are you using MCP for words like "investor" and other keywords?
>> >
>> > I'm currently using pyzor, razor, dcc, rules du jour, and fuzzy ocr
>> > (with all [or most] of its plugin/helper apps).
>> >
>> > Thanks in advance.
>> >
>> >
>> > Angelo
>> With good rules and the digests you have enabled, you should be catching most
>> of them. You might get a few at first until they get reported to the
>> digests. The only other thing you could do is use a good blacklist or two at
>> the MTA.
>> I think you would be closer to unreasonable to expect 100% spam blocking, but
>> there is one way. Reach behind the server and unplug the network cable. That
>> is probably the only way to reach 100%, although you should easily be able to
>> get into the low to mid 90's.
>>
>> -- 
>>
>> MailScanner is like deodorant...
>> You hope everybody uses it, and
>> you notice quickly if they don't!!!!
>>


-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw
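
The idea raised in the quoted question (count keywords found in the first 50 words twice as heavily, so filler placed below the pitch cannot dilute them) sketched in Python as an added example; it is not part of the original post and is not MailScanner or SpamAssassin code. The keyword set, point values and sample bodies are assumptions constructed for illustration.

```python
import re

# Assumptions for illustration: keyword set, window size and point values are
# hypothetical. The thread names only "investor", "first 50 words" and "twice".
KEYWORDS = frozenset({"investor"})
HEAD_WORDS = 50
BASE_POINTS = 1.0
HEAD_MULTIPLIER = 2.0

_WORD = re.compile(r"[a-z0-9']+")


def tokenize(body):
    """Lower-case the body and split it into words."""
    return _WORD.findall(body.lower())


def keyword_density(words):
    """Fraction of words that are keywords; 0.0 for an empty list."""
    if not words:
        return 0.0
    return sum(w in KEYWORDS for w in words) / len(words)


def analyse(body):
    """Return whole-body density, head density and a position-weighted score."""
    words = tokenize(body)
    score = 0.0
    for position, word in enumerate(words):
        if word in KEYWORDS:
            # Hits inside the head window count double; later hits count once.
            in_head = position < HEAD_WORDS
            score += BASE_POINTS * (HEAD_MULTIPLIER if in_head else 1.0)
    return {
        "whole_density": keyword_density(words),
        "head_density": keyword_density(words[:HEAD_WORDS]),
        "score": score,
    }


# Constructed samples (not real mail): a 40-word pitch padded with 460 filler
# words, and a legitimate message that mentions the keyword only late on.
PITCH = "investor alert " + " ".join(["buy"] * 38)
PADDED_SPAM = PITCH + "\n\n" + " ".join(["weather"] * 460)
LATE_MENTION = " ".join(["minutes"] * 300) + " investor relations update"

if __name__ == "__main__":
    for name, body in (("padded", PADDED_SPAM), ("late mention", LATE_MENTION)):
        print(name, analyse(body))
```

On the padded sample the whole-body density drops to 1 in 500 while the head-window density stays at 1 in 50, which is the dilution effect the question describes.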

