On 9/19/2011 12:46 PM, Bernd Petrovitsch wrote:
> On Mon, 2011-09-19 at 12:40 -0400, Bowie Bailey wrote:
>> On 9/19/2011 12:16 PM, Michael Orlitzky wrote:
>>> On 09/19/11 12:04, Bowie Bailey wrote:
>>>> He is not trying to match the IP address.  He is trying to match an
>>>> unusual way of presenting the IP address that seems to occur primarily
>>>> in spam.
>>>>
>>>> Whether this is something that should be done in ClamAV or would be
>>>> better done by something like SpamAssassin is another question altogether.
>>>>
>>> Fair enough. I was just unhappy with the idea that "0.0.0.1" is somehow
>>> less obfuscated than "1".
>> I would tend to say that "1" is fairly well obfuscated.  Most people --
>> even most technical people -- would not immediately see that as an IP
>> address.  We have been conditioned to see IP addresses as XX.XX.XX.XX. 
> That's the whole problem as both are legal and correct (as in
> RFC-compliant) form.
> And you want to flag it as "spam"?

Since when does "legal and correct" have anything to do with whether an
email is spam?  If a certain marker appears in spam emails and not in
non-spam emails, then there is a fairly strong case to flag emails that
contain that marker as spam.  It makes no difference whether that marker
is something legal or not.

However, I would tend to leave this type of spam detection to a
dedicated program such as SpamAssassin rather than using Clam for this
purpose.  Clam works better with strictly-defined patterns for more
obvious spam.

-- 
Bowie
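
The marker discussed in this thread, as an added example (not code from any poster, ClamAV or SpamAssassin): it pulls URL hosts out of a message body and reports numeric hosts written in anything other than four plain decimal octets, together with the dotted-quad they resolve to. It assumes the classic `inet_aton` reading of short, octal and hex forms; the function names and the sample text are hypothetical.

```python
import re

URL_HOST = re.compile(r"https?://([^/\s:?#@]+)", re.IGNORECASE)

# Constructed sample body; addresses are from the 192.0.2.0/24 documentation range.
SAMPLE = ("Order now http://3221225985/buy or http://0xC0.0x00.0x02.0x01/x "
          "docs at http://192.0.2.1/ and http://www.example.com/ also http://1/")

def _part(tok):
    """Parse one component as hex (0x..), octal (leading 0) or decimal."""
    t = tok.lower()
    if re.fullmatch(r"0x[0-9a-f]+", t):
        return int(t, 16), "hex"
    if re.fullmatch(r"0[0-7]+", t):
        return int(t, 8), "octal"
    if re.fullmatch(r"0|[1-9][0-9]*", t):
        return int(t), "decimal"
    return None

def classify_host(host):
    """Return (dotted_quad, form) for a numeric host, or None if not numeric."""
    parsed = [_part(t) for t in host.split(".")]
    if not 1 <= len(parsed) <= 4 or any(p is None for p in parsed):
        return None
    values = [v for v, _ in parsed]
    # inet_aton rule: leading parts are one byte each, the last part fills the rest.
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= 256 ** (5 - len(values)):
        return None
    addr = values[-1]
    for i, v in enumerate(values[:-1]):
        addr |= v << (8 * (3 - i))
    quad = ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))
    if len(values) == 1:
        return quad, "single-integer"
    if len(values) < 4:
        return quad, "short-dotted"
    if all(base == "decimal" for _, base in parsed):
        return quad, "canonical"
    return quad, "non-decimal-octets"

def find_unusual_ip_urls(text):
    """List (host, dotted_quad, form) for URLs whose numeric host is not canonical."""
    hits = []
    for host in URL_HOST.findall(text):
        result = classify_host(host)
        if result and result[1] != "canonical":
            hits.append((host, result[0], result[1]))
    return hits
```

Whether a hit should count toward a spam score is the policy question argued above; the code only surfaces the presentation and the address behind it.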