Loren Wilton wrote:
>> The main reason is adding rules to catch or not catch viruses would wind up
>> diluting the scores of the spam rules. This would weaken SA's spam
>> detecting abilities, in order to grant it rather lame virus catching
>> abilities.
>
> Hum. Interesting philosophy, but I don't know that it is actually true, at
> least these days.

It certainly is still valid.

> If you think about it, most virui you are likely to get are from infected
> zombies sending out another copy of themselves.
>
> Most spam that you are likely to get is from infected zombies sending out
> spam. Sounds to me like the source is pretty much the same in both cases.
> So source rules should work fine for either.

Ahh, but see there's a difference here in angle. The source rule should not be added because of the virus, it should be added because of the spam.

The overlap between patterns in viruses and spam is a real thing, and is fine. But that does not mean that spam and viruses should be treated the same. The overlap in my mind should never be taken to mean that a pattern in a virus automatically qualifies a rule as a spam rule, even if that pattern isn't present in any spam. You need a pattern to be present in spam to justify a rule as a good spam rule. Viruses alone are not enough justification.

> Also, virui are designed to have enticing subjects, or innocuous subjects, so
> that unsuspecting fools will open them and activate the payload. Most spam
> is designed to have enticing or innocuous subjects to get past spam scanners
> and hopefully get fools to open them and trigger the web bugs and payload.
>
> Again, that sounds a lot like the same thing.

No, it's not. Should one intentionally add rules which specifically detect viruses, for patterns never seen before in spam? I say no.

The general SA design philosophy dictates writing rules for spam. While many of those are effective against viruses, that's accidental, and is only due to the overlap.

I certainly agree no spam rule should ever be disqualified from SA because it hits viruses. It's even slightly desirable if it does. But one should NEVER add a rule to SA which isn't designed for spam catching, and is only designed for virus catching. That causes dilution when the perceptron is run and scores are assigned.

Write the rules for the spam. Ignore the viruses completely. If you catch them, great; if not, oh well.