-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Matt,

Thursday, July 31, 2003, 5:40:06 PM, you wrote:

>>As you can see there's extensive use of a white font color which
>>obscures the many random words that have been inserted in order to
>>subvert signature checking.

MK> Actually, that kind of behavior is intended more to be bayes poison than a
MK> razor avoider (although it's good at both). They've picked a random set of
MK> words which are mostly "higher education" type words which will usually
MK> only appear in serious emails. Since those words will likely be strong
MK> non-spam tokens in a bayes database, they've just earned themselves a bayes
MK> equivalent of whitelisting.


MK> How often have you seen spam make use of the words like tarpaulin, scarify,
MK> ethology, and posterior? Heck, scarify wasn't a word I even knew existed :)

MK> Also of note it looks like the thing has some bugs in it.. it would appear
MK> that $RANDOMIZE is intended to be replaced with random words, but in a few
MK> spots, a $RANDOMIZE got split with a newline in between. It might be
MK> interesting to do a rule to look for it which has some \s?'s added in.

MK> Something like this rule (note: untested, just conceptual off the top of my
MK> head)

MK> body LOCAL_RANDOMIZE_SPLIT /\$R\s?A\s?N\s?D\s?O\s?M\s?I\s?Z\s?E/

Your rule worked for me -- only one match, but yes, it was a white on
white spam (my HTML view didn't show ANY text or link).

I've merged it with my other random text body rule:
body     L_b_RandomText  /(\%RANDOM_TEXT|\%RANDOM_WORD|\$R\s?A\s?N\s?D\s?O\s?M\s?I\s?Z\s?E)/i
describe L_b_RandomText  Body contains random-text spamsign
score    L_b_RandomText  9.1

(My required_hits is 9)

Also, since a purpose for these randomized emails is to garbage up the
Bayes database, and since these spam, when auto-learned on my system, are
scored in the range 15-25, I've now set
> bayes_auto_learn_threshold_spam 35.0

That's low enough to still auto-learn a lot of spam (2400 messages in my
corpus since end of May), but high enough to avoid spam with these
anti-bayes tricks.

Bob Menschel

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPypxX5ebK8E4qh1HEQL7bgCfZEtGGaxhUlP+FM7vBVl2lQSKoZMAoPn5
ZBle4GQAsjJzUbEvTXCvFPY9
=Czub
-----END PGP SIGNATURE-----
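
An added example, not part of the original message or of SpamAssassin: a Python port of the merged rule's regex, run over constructed bodies to show which split placeholders `\s?` catches. The `normalize()` step and the `WIDE` variant are hypothetical; the message does not state whether the rule sees raw or whitespace-normalized text.

```python
import re

# Python port of the merged body rule quoted in the message
# (SpamAssassin evaluates it as a Perl regex; this pattern behaves the same).
RULE = re.compile(
    r"(\%RANDOM_TEXT|\%RANDOM_WORD|\$R\s?A\s?N\s?D\s?O\s?M\s?I\s?Z\s?E)", re.I
)

# Hypothetical variant: allow any whitespace run between the letters.
WIDE = re.compile(r"\$" + r"\s*".join("RANDOMIZE"), re.I)


def normalize(body):
    """Assumed pre-processing: collapse each whitespace run to one space."""
    return re.sub(r"\s+", " ", body)


def check(body):
    """Report whether each form of the rule fires on the given body text."""
    return {
        "raw": bool(RULE.search(body)),
        "normalized": bool(RULE.search(normalize(body))),
        "wide": bool(WIDE.search(body)),
    }


# Constructed sample bodies (not taken from real mail).
SAMPLES = {
    "intact": "tarpaulin $RANDOMIZE ethology",
    "lf_split": "scarify $RANDO\nMIZE posterior",
    "crlf_split": "scarify $RANDO\r\nMIZE posterior",
    "percent_lower": "buy now %random_word today",
    "plain_word": "Please randomize the sample order.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14} {check(body)}")
```

The `crlf_split` case is the one to watch: `\s?` permits only a single whitespace character, so a two-character break is missed unless the text is normalized first or the pattern is widened.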



