Loren Wilton writes:
> > Ok, remember that "Name Wrote: :)" emails? They've completely
> > changed. Now it's "hi username" instead. Joy, oh joy. Can anyone find
> > any common elements in these emails because whoever this putz is, they're
> > adapting a lot. They hit us, we adapt, they immediately change tactics
> > and come at us again. Now with all the brilliant minds on this mailing
> > list, we really should be able to find out who this putz is and nail all
> > his stuff regardless of what tactic he switches to.
>
> The reason they adapt is because there are detailed announcements on the
> mailing list of the things that are easy to spot. The guy sending these is
> on the list too, so as soon as the oversight or excessive cleverness is
> announced to the world, he knows what he has to fix.

ho hum... here we go again. :(

As I've noted several times recently -- these *are* being caught by
rules which were developed "in the open" -- namely RCVD_FORGED_WROTE,
which has been sitting in my sandbox for several weeks, was announced
in a checkin message (with diffs!), and is currently "live" in both
trunk and 3.1.x rule updates.

The rule has been visible since:

  r465179 | jm | 2006-10-18 10:11:15 +0100 (Wed, 18 Oct 2006) | 1 line

  add rule to catch 'Subject: foo wrote:' stock spam

Take a look at the graph of hit-rates over time in everyone's corpora:

  http://ruleqa.spamassassin.org/last-night/RCVD_FORGED_WROTE?s_detail=on&s_g_over_time=1&s_zero=on&srcpath=#over_time_anchor

There's been no change in hitrates since 2006-10-18 -- in fact, in
cthielen and zmi's corpora, they rose *dramatically*.

Secrecy is *NOT* an essential element of rule development. It seems
logical to think it is, but evidence repeatedly demonstrates otherwise.
For some spammers, it may _help_ -- but not for all, so it's by no
means essential.

On the other hand, secrecy damages collaborative development,
restricting rule refinement and improvement to a secret "cabal". It's
antithetical to open source development.

--j.