Paul Bijnens wrote:
> On 2007-03-05 20:07, Dennis Peterson wrote:
>> Paul Bijnens wrote:
>>> Be careful about using clamav with the MSRBL image-spams database!!
>>> It seems to me like detecting the image spams with clamav signatures
>>> is not really an improvement. In fact, it is probably dangerous!
>>> The programs generating these spams make unique images with
>>> variations with speckles, lines, color, size, etc., making the image
>>> signature unique for each mail sent. I still have to catch the
>>> first real spam using the MSRBL-Image clamav signatures.
>>> I did catch some false positives on the other hand...
>>
>> How did you determine they were false positives? Their website does not
>> provide a context so you can't know if what you are seeing is a web
>> beacon image or a spacer.
>
> Yes it is a spacer, and not a beacon image.
> I downloaded and investigated the image.
> E.g. you flagged 36 times the "MSRBL-Images/0-IYC" spam image.

And you still don't know the context. If MSRBL pulled down 3000
messages, all spam, and they all contained this image which looks for
all the world like a web beacon to me, then that is a spam indicator.
Just like certain word couplings are indicators of spam, so too are
images. The image itself needn't be the spam as in image spam. It needs
only to be a valid and repeatable indicator. I consider web beacons and
the messages that contain them to be spam.
dp