From: "Justin Mason" <[EMAIL PROTECTED]>
Loren Wilton writes:
> Ok, remember that "Name Wrote: :)" emails? They've completely
> changed. Now it's "hi username" instead. Joy, oh joy. Can anyone find
> any common elements in these emails because whoever this putz is, they're
> adapting a lot. They hit us, we adapt, they immediately change tactics
> and come at us again. Now with all the brilliant minds on this mailing
> list, we really should be able to find out who this putz is and nail all
> his stuff regardless of what tactic he switches to.
The reason they adapt is because there are detailed announcements on the
mailing list of the things that are easy to spot. The guy sending these is
on the list too, so as soon as the oversight or excessive cleverness is
announced to the world, he knows what he has to fix.
ho hum... here we go again. :(
As I've noted several times recently -- these *are* being caught by rules
which were developed "in the open" -- namely RCVD_FORGED_WROTE, which has
been sitting in my sandbox for several weeks, was announced in a checkin
message (with diffs!), and is currently "live" in both trunk and 3.1.x
rule updates.
The rule has been visible since:
r465179 | jm | 2006-10-18 10:11:15 +0100 (Wed, 18 Oct 2006) | 1 line
add rule to catch 'Subject: foo wrote:' stock spam
Take a look at the graph of hit-rates over time in everyone's corpora:
http://ruleqa.spamassassin.org/last-night/RCVD_FORGED_WROTE?s_detail=on&s_g_over_time=1&s_zero=on&srcpath=#over_time_anchor
There's been no change in hitrates since 2006-10-18 -- in fact, in
cthielen and zmi's corpora, they rose *dramatically*.
Secrecy is *NOT* an essential element of rule development. It seems
logical to think it is, but evidence repeatedly demonstrates otherwise.
Indeed - if you have a rule that depends on secrecy then it is too
fragile to have a long life. Good rules have long usable lifetimes.
{^_^}
