That's excellent data! Mind if I forward that around to another list or two?
The "hops" measurement is particularly interesting. Have you got that
implemented as a working rule, in the field? Is it expensive?

--j.

Mark Martinec writes:
> mouss wrote:
> > since most filters skip large messages, it may be tempting for spammers
> > to send large messages:
>
> I did some statistical analysis a few weeks ago with SA 3.1.1
> (SA called from amavisd-new, but that is beside the point).
>
> Please see:
>
> http://www.ijs.si/software/amavisd/fig4.gif
>   Shows spam score vs. mail size as a scattergram
>
> http://www.ijs.si/software/amavisd/fig5.gif
>   Shows elapsed time for mail checking vs. mail size
>   (shown is total time, but >90% of it reflects processing
>   within SA and its plugins)
>
> As a curiosity (but off topic), harvesting results from p0f
> (passive operating system fingerprinting), here are two more:
>
> http://www.ijs.si/software/amavisd/fig1.gif
>   Spam score vs. IP distance in hops (our server is
>   in European academic network Geant)
>
> And perhaps most interesting of all (but again OT):
>
> http://www.ijs.si/software/amavisd/fig2.gif
>   Spam score distribution as a percentage of all mail,
>   separate by each sending mail client's operating system.
>
> Mark