Matt (but not just to Matt), I don't understand your reply (though I am
deeply in your debt for the work you do for this community). The sample
emails that Nigel posted are identical in content, including
obfuscation. I've noted the same situation. Yet, the scoring is really
different. On the low scoring ones, DCC and RAZOR2 didn't hit, and the
BAYES score is different. The main differences are in the headers'
different forged From and To addresses. I thought these samples were
worthy of deeper analysis.
Sincerely,
Andy Figueroa
Matt Kettler wrote:
Nigel Frankcom wrote:
Hi All,
Does anyone have any idea why there are such scoring disparities
between these two emails? I've been seeing a few of these creep
through lately.
http://dev.blue-canoe.net/spam/spam01.txt
http://dev.blue-canoe.net/spam/spam02.txt
http://dev.blue-canoe.net/spam/spam03.txt
http://dev.blue-canoe.net/spam/spam04.txt
More to the point with these is why are they not hitting any of the
drugs rules?
There are a few million obfuscation methods, and the rules can't always
cover 'em all.
The examples you posted are using "duplicated letters", as well as
inserted underscores.
The old Antidrug rules (part of xx_drugs.cf now) that I wrote will deal
with the underscores, and a wide range of character substitutions, but
only a few special-cases of insertions.
It's taken the spammers a long time to figure that out, but it appears
they finally have.
I used to have to update the set constantly, but lately I've been a bit
too busy with real life.
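As an added illustration of the three obfuscation layers Matt describes (inserted characters such as underscores, character substitutions, and duplicated letters), here is a small normalizer that undoes each layer before matching, so that a single word list catches "v_i_a_g_r_a", "v1@gra" and "viiaggra" alike. This is example code written for this thread, not SpamAssassin's own rules or anything from xx_drugs.cf; the target word list, the substitution map and the sample message are constructed for the demonstration.

```python
import re

# Constructed, illustrative target list; the real drugs rule set is far larger.
TARGET_WORDS = ["viagra", "cialis", "valium", "xanax"]

# Leet-style substitutions of the kind the Antidrug rules already handle (constructed map).
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "!": "i", "|": "i", "3": "e",
    "4": "a", "@": "a", "5": "s", "$": "s", "7": "t", "+": "t",
})

# Characters spammers insert between letters: v_i_a_g_r_a, v.i.a.g.r.a, v-i-a-g-r-a.
INSERTED = re.compile(r"[_.\-*'~^]+")
# Runs of the same character: viiaggra -> viagra.
DOUBLES = re.compile(r"(.)\1+")


def canonical(word):
    """Collapse repeated letters so targets with genuine doubles compare correctly."""
    return DOUBLES.sub(r"\1", word.lower())


# Map canonical form -> original target word.
CANONICAL_TARGETS = {canonical(w): w for w in TARGET_WORDS}


def normalize(token):
    """Undo inserted characters, substitutions and duplicated letters, in that order."""
    # Trailing sentence punctuation is stripped first; "!" is stripped only at the
    # ends so an interior "!" can still act as a substituted "i".
    t = token.lower().strip(",;:?()[]\"!")
    t = INSERTED.sub("", t)          # layer 1: inserted separators
    t = t.translate(SUBSTITUTIONS)   # layer 2: character substitutions
    t = DOUBLES.sub(r"\1", t)        # layer 3: duplicated letters
    return t


def find_obfuscated(text):
    """Return (original token, matched target) pairs for every obfuscated hit in text."""
    hits = []
    for token in text.split():
        n = normalize(token)
        if n in CANONICAL_TARGETS:
            hits.append((token, CANONICAL_TARGETS[n]))
    return hits


if __name__ == "__main__":
    # Constructed sample body combining the obfuscation styles from the thread.
    sample = "Buy C_I_A_L_I_S and viiaggra now, cheap!"
    print(find_obfuscated(sample))
```

The order of the three steps matters: separators are removed before substitution so that "v_1_@_g_r_a" collapses to a clean string, and doubles are collapsed last on both the token and the target list, which is why a word with legitimate double letters still matches its own canonical form. The trade-off Matt alludes to is visible here too: every additional normalization widens what matches, so a rule like this belongs in a scored system alongside other evidence rather than as a standalone verdict.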