[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Asrg] Meaningless words in spams

To: asrg at ietf.org
Subject: Re: [Asrg] Meaningless words in spams
From: Matt Schneider <matt at spamhaus.org>
Date: Mon, 16 Feb 2004 19:29:01 +0000 (GMT)
In-reply-to: <p06002084bc56c131ab22@[192.168.254.12]>
List-archive: <https://www1.ietf.org/mail-archive/working-groups/asrg/>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=unsubscribe>
References: <20040216180100.262BA41F9@z.spamhaus.org><Your message of "Mon, 16 Feb 2004 12:06:29 EST." <00d001c3f4af$39872c40$6401a8c0@sohonotebook><20040216180100.262BA41F9@z.spamhaus.org>
Sender: asrg-admin at ietf.org

At 02:19 PM 2/16/2004 -0500, you wrote:

At 6:01 PM +0000 2/16/04, Matt Schneider wrote:
At 12:28 PM 2/16/2004 -0500, you wrote:
so, i guess a sliding window would catch filter-busting headers and trailers.

No, they add a bunch of garbage right in the body of the spams too, fake HTML tags or text that's the same color as the background.

There's no real way to avoid this stuff.
Those are both really quite easy to catch, and can even be caught by automatic learning filters. For example, the word 'oblivity' inside angle brackets (i.e. a bogus HTML tag) occurs nowhere at all in any of my legitimate mail of the past year. It occurs 6 times in my spam of 2004. A filter that checks for strict HTML compliance in HTML mail would have caught all of those, and I see in my current set of Bayesian classifiers that this 'word' (complete with <>) is part of why the later spams containing it were marked as probable spam. Similarly, text that is the same color as the background is a programmatically detectable trick, and there are already filters in use that detect it as spamsign.

Yes, you can look for bad HTML tags and colored text.. but there will always be a way to sneak garbage in no matter what you do.

I also note in peeking at my current Bayesian classifiers that there are many perfectly valid but uncommonly used words there which seem to be strong spamsign for no obvious reason. At least no obvious reason until I look at where in my recent spam they have appeared: the filterbusting attempts that use random dictionary words. A quick browse of the 200k entries in my filter collection and the accuracy it shows leads me to believe that the spammers who try to break filtering are still losing the arms race and may not ever hit on a winning tactic.

Yes, but you can't start filtering mail based on uncommon words either. One time I was corresponding with a reporter about a spam article and got one of my messages bounced back... I guess I used the word "spam" too many times (like all spammers do, of course). The point is, content filtering sucks.

- Matt

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

References:
- Re: [Asrg] Meaningless words in spams
  - From: Matt Schneider
- RE: [Asrg] Meaningless words in spams
  - From: Eric Dean
- Re: [Asrg] Meaningless words in spams
  - From: Bill Cole

Prev by Date: Re: [Asrg] Meaningless words in spams
Next by Date: Re: [Asrg] Meaningless words in spams
Previous by thread: Re: [Asrg] Meaningless words in spams
Next by thread: Re: [Asrg] Meaningless words in spams
Index(es):
- Date
- Thread