-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sun, 3 Nov 2002, John Rudd wrote:
> > > Jan Korger <[EMAIL PROTECTED]> writes:
> > > > Therefore I suggest adding a rule with a negative score assigned matching
> > > > spam reports in message bodies. This is especially usefull for SAtalk,
> > > > better than whitelisting as the latter one would also all spam sent to the
> > > > list address to pass. (This is true for the AWL as well.) Such a rule
> > > > would is not very likely ever to be found in a spam message unless
> > > > spammers do try hard to bypass SA.
> > >
> > > I think that might be *way* too enticing for spammers. The solution is
> > > to just exempt SAtalk and other spam-related mailing lists from spam
> > > filtering.
> >
> > That's not a good solution, it's a workaround. I understand the
> > distinguishing between spam and spam related/quoting mails is hard, if not
> > impossible but I don't want to workaround this by whitelisting (or
> > not passing to SA at all) SAtalk because this allows any spam sent to the
> > list to reach me unfiltered and so far this was my first false positive
> > on SAtalk, so it isn't a big problem anyways. I'll keep the rules in my
> > personal SA config, so no spammer will know anyways.
> >
>
> [...]
> The problem with your logic is that ... how do you know spammers aren't
> reading SAtalk? "Hey, we can get around at least SOME people's spam
> filtering by making it look like a quoted report!"
I was talking about the personal rules on my machine. I agree, I told
potential spammers reading SAtalk how to bypass my particular SA but
spammers are not interested in particular person. The work to create a new
type of spam message just to bypass one single filter does not pay off. If
they were interested in a particular person, they'd send something like
Dear Mr. Korger,
we offer ....
...
...
Sincerelly
....
CEO of ....
This would not be caught by any SA rule or any other spam filter anyway.
They don't, the try to reach the masses, knowing that if only a small
percentage will actually be attrackted by this, the bulk mail pays off.
So, I agree, if we make this a SA rule and if more and more sites (with a
lot of users) run SA, spammers will try to abuse this to get through SA,
i.e. to score low, i.e. get negative scores. But, this is true for any SA
rule with negative scores, such as User-Agent: Mutt or PGP signatures. If
someone wants to get through SA, he can. Everyone can get the newest (or
any) version of SA and check any message before sending it to optimize the
message to get a low score. If this becomes common among spammers, there's
little we can do against this. Of course, DNSBLs and razor will still work
but all the body checks might not work if the spammer considered them when
writing his message unless the spammer does actually need to use any of
the common spam phrases to advertise his product. I guess its hard to sell
porn without dropping any porn related words.
I guess the main reason for any spam filter to work is that as long as the
usage percentage is below 50% the spammer is better off sending twice the
amount of messages then modifying his spam not to be filtered. Furthermore
I think that those doing extensive spam filtering will not be very likely
to buy something advertised in a spam message. So probably those who do
spam filtering themselves aren't very interesting to spammers anyway, so
the only reason to trick SA into not tagging spam are side-wide SAs, I
guess.
> And the other side of the coin is ... how many spam messages (not reports
> from list members talking about a spam they caught) have you seen come
> through SAtalk? I have yet to see one. It could happen, sure, but I don't
> consider it to be any more likely than spammers trying to write better
> spam by using SA themselves and reading SAtalk to see what people are doing
SAtalk is an open mailing list. The address can be found somewhere on the
web. Therefore it can be spider. Writing and running a spider looking for
/[\w-\.]+@[\w-\.]+\.[A-Z]{2,4}/i seems more effective to me than rewriting
any single spam message.
> to augment their SA installation. In fact, for that reason, I would expect
> any spammer that finds out about this list to specifically not spam the
> list, but instead use it as a resource for writing better spam. It's not
> like anyone on this list is a potential customer.
Agree. You wouldn't send a spam message explicitly to this list, but
sending messages to a particular (mailling list) address, even if
trying to sell or advertise something, is not what we normally call spam.
We expect spam to be sent the same message to thousands of users not
knowing or caring who they are.
Jan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/
iD8DBQE9xWXLY6Nk2Nv6ZRcRArUCAKCOlST2RaKfNRJXEnyjRlsi8lpClACggIiH
752YW3k7fxgFKNmc1aOoRwc=
=7N/0
-----END PGP SIGNATURE-----
-------------------------------------------------------
This SF.net email is sponsored by: ApacheCon, November 18-21 in
Las Vegas (supported by COMDEX), the only Apache event to be
fully supported by the ASF. http://www.apachecon.com
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
