On 1/14/2013 7:48 PM, Noel wrote:
> On 1/14/2013 2:59 PM, Ben Johnson wrote:
>
>> I understand that snowshoe spam may not hit any net tests. I guess my
>> confusion is around what, exactly, classifies spam as "snowshoe".
>
> Snowshoe spam - spreading a spam run across a large number of IPs so
> no single IP is sending a large volume. Typically also combined
> with "natural language" text, RFC compliant mail servers, verified
> SPF and DKIM, business-class ISP with FCrDNS, and every other
> criterion to look like a legit mail source. This type of spam is
> difficult to catch.
>
> http://www.spamhaus.org/faq/section/Glossary#233
> and countless other links if you ask google.
>
>> Are most/all of the BL services hash-based? In other words, if a known
>> spam message was added yesterday, will it be considered "snowshoe" spam
>> if the spammer sends the same message today and changes only one
>> character within the body?
>
> No, most all DNS blacklists are based on IP reputation. Check each
> list's website for their listing policy to see how an IP gets on
> their list; generally honeypot email addresses or trusted user
> reports. Most lists require some number of reports before listing
> an IP to prevent false positives; snowshoe spammers take advantage
> of this.
>
>> If so, then I guess the only remedy here is to focus on why Bayes seems
>> to perform so miserably.
>
> Sounds as if your bayes has been improperly trained in the past.
> You might do better to just delete the bayes db and start over with
> hand-picked spam and ham.
>
>
>
> -- Noel Jones
jdow, Noel, and John, I can't thank you enough for your very thorough
responses. Your time is valuable and I sincerely appreciate your
willingness to help.

John, I'll respond to you separately, for the sake of keeping this
organized.

> Ben, do be aware that sometimes you draw the short straw and sit at the
> very start of the spam distribution cycle. In those cases the BLs will
> generally not have been alerted yet so they may not trigger. For those
> situations the rules should be your friends. (I still use my treasured
> set of SARE rules and personally hand crafted rules my partner and I
> have created that fit OUR needs but may not be good general purpose
> rules.)

This makes perfect sense and underscores the importance of a finely-tuned
rule-set. It's become apparent just how dynamic and capable a monster the
spam industry is. No one approach will ever be a panacea, it seems.

The advice from your second email is well-received, too. Especially the
part about not killing anybody. ;) I do hope fighting spam becomes fun for
me, because so far, it's been an uphill battle! Hehe.

Noel, thanks for excellent responses to my questions.

> Sounds as if your bayes has been improperly trained in the past.
> You might do better to just delete the bayes db and start over with
> hand-picked spam and ham.

I hope not, because this is my second go-round with the Bayes DB. The first
time (as Mr. Hardin may remember), auto-learning was enabled
out-of-the-box and some misconfiguration or another (seemingly related to
DNSWL_* rules) caused a lot of spam to be learned as ham. With John's help,
I corrected the issues (I hope), which I'll detail in my reply to John.

Thanks again,

-Ben
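Added illustration (not part of the thread above, and not anything the posters or SpamAssassin ship): Noel's description of snowshoe spam, a run spread across many IPs so no single IP sends much, and his answer that DNSBLs key on IP reputation rather than message hashes, can be made concrete with a small script. It counts constructed mail-log records three ways: per IP (what a per-IP report threshold sees), per /24 netblock (one way to see a spread-out run as a single source), and per body hash, both exact and with digits stripped, to show Ben's point about a one-character change defeating an exact hash. The log records, netblocks and thresholds are all invented for the example.

```python
"""Why per-IP volume limits miss snowshoe spam, and two ways to see it anyway.

Example code added to this thread, not from any poster or from SpamAssassin.
All records below are CONSTRUCTED; the IP ranges are documentation prefixes
and the thresholds are hypothetical tuning knobs.
"""
import hashlib
import ipaddress
from collections import Counter, defaultdict

BULK_IP = "198.51.100.7"          # constructed: one classic high-volume sender
SNOWSHOE_NET = "203.0.113.0/24"   # constructed: a snowshoe run spread over a /24


def build_records():
    """Return constructed (client_ip, body) pairs resembling a day of mail."""
    records = []
    # 40 messages from a single IP: the pattern per-IP reputation catches.
    for i in range(40):
        records.append((BULK_IP, f"Buy now!!! offer {i}"))
    # 32 messages spread over 16 IPs in one /24, two per IP, same template
    # with only a serial number changed per copy.
    hosts = list(ipaddress.ip_network(SNOWSHOE_NET).hosts())[:16]
    for n, host in enumerate(hosts):
        for k in range(2):
            records.append((str(host), f"Great deal on widgets, ref {n * 2 + k}"))
    # A few legitimate senders for contrast.
    records += [
        ("192.0.2.10", "Meeting moved to 3pm"),
        ("192.0.2.11", "Invoice attached"),
        ("192.0.2.12", "Re: lunch"),
    ]
    return records


def per_ip_counts(records):
    """Messages seen per sending IP."""
    return Counter(ip for ip, _ in records)


def per_netblock_counts(records, prefix=24):
    """Distinct sending IPs seen per /prefix block."""
    blocks = defaultdict(set)
    for ip, _ in records:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[str(net)].add(ip)
    return {net: len(ips) for net, ips in blocks.items()}


def flag_by_ip(records, limit=20):
    """Naive per-IP volume rule: the check a snowshoe run is built to evade."""
    return {ip for ip, n in per_ip_counts(records).items() if n >= limit}


def flag_by_netblock(records, prefix=24, min_ips=8):
    """Flag a block when unusually many distinct IPs in it are emitting mail."""
    return {net for net, n in per_netblock_counts(records, prefix).items()
            if n >= min_ips}


def exact_body_hash(body):
    """Exact hash: any one-character change yields a different value."""
    return hashlib.sha256(body.encode()).hexdigest()


def normalized_body_hash(body):
    """Crude fuzzy hash: drop digits and collapse whitespace before hashing,
    so copies that differ only by a serial number collide."""
    stripped = "".join(ch for ch in body if not ch.isdigit())
    return hashlib.sha256(" ".join(stripped.split()).encode()).hexdigest()


def flag_by_body(records, hasher, min_copies=10):
    """Flag sending IPs whose hashed body was seen at least min_copies times."""
    counts = Counter(hasher(body) for _, body in records)
    return {ip for ip, body in records if counts[hasher(body)] >= min_copies}


if __name__ == "__main__":
    recs = build_records()
    print("per-IP rule flags:        ", flag_by_ip(recs))
    print("per-/24 rule flags:       ", flag_by_netblock(recs))
    print("exact body hash flags:    ", flag_by_body(recs, exact_body_hash))
    print("normalized body hash flags:", len(flag_by_body(recs, normalized_body_hash)), "IPs")
```

With these constructed records the per-IP rule catches only the bulk sender; every snowshoe host stays below the limit, which is exactly the "some number of reports before listing" gap Noel describes. Aggregating by /24 flags the snowshoe block because sixteen distinct hosts in it are all sending, and a digit-stripping body hash flags both runs while an exact hash flags nothing. Real DNSBL listing policies and fuzzy-hash services are more careful than this sketch; the point is only which dimension each check aggregates on.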