Posted to dev@spamassassin.apache.org by Chris Santerre <cs...@MerchantsOverseas.com> on 2005/07/27 22:08:56 UTC

RE: rule secrecy, spammer evasion (was Re: PROPOSAL: create "Spam Assassin Rules Project")


> -----Original Message-----
> From: jm@jmason.org [mailto:jm@jmason.org]
> Sent: Wednesday, July 27, 2005 2:46 PM
> To: jm@jmason.org
> Cc: Chris Santerre; 'Duncan Findlay'; dev@spamassassin.apache.org
> Subject: Re: rule secrecy, spammer evasion (was Re: PROPOSAL: create
> "SpamAssassin Rules Project") 
> 
> 
> 
> > grep MIME_BOUND_DD_DIGITS spam.log | perl -pe \
> >         's/^.*\btime=//; s/,.*$//;' > times
> > 
> > gnuplot
> > gnuplot> set terminal png
> > gnuplot> set output "dd_digits.png"
> > gnuplot> plot "times" using 1:0
> > 
> > result: http://taint.org/xfer/2005/dd_digits.png
> 
> btw to double check this, here's a better graph, of hits-per-2-hours
> over that time period.
> 
>   http://taint.org/xfer/2005/dd_digits2.png
> 
> it's a bit clearer in that it uses proper axes, so you don't have to work
> out the velocity of the curve to determine hit-rate; in this graph, higher
> numbers = more hits in each time period, lower numbers = less. the
> horizontal scale is the same as in dd_digits.png.
> 
> (graphed with
>   gnuplot> set output "dd_digits2.png"
>   gnuplot> plot "gpdata" with boxes
> btw if anyone's curious.)

Is it quicker to restrict the number of digits it looks for?

from:
header MIME_BOUND_DD_DIGITS	Content-Type =~ /boundary=\"--\d+\"/
to
header MIME_BOUND_DD_DIGITS	Content-Type =~ /boundary=\"--\d{2,6}\"/

Or do I have that logic backwards?

--Chris
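
An added example, not part of the original thread: a Perl script that times the two patterns quoted above with the core Benchmark module and lists the headers that the unbounded rule hits but the `{2,6}` version no longer matches. The Content-Type values are constructed for illustration, and the sub names `hits` and `coverage_lost` are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Benchmark qw(cmpthese);

# The two patterns from the message above.
my %rule = (
    unbounded => qr/boundary=\"--\d+\"/,
    bounded   => qr/boundary=\"--\d{2,6}\"/,
);

# Constructed Content-Type values (not taken from any real corpus).
my @headers = (
    'multipart/alternative; boundary="--1"',
    'multipart/alternative; boundary="--42"',
    'multipart/alternative; boundary="--123456"',
    'multipart/alternative; boundary="--1234567"',
    'multipart/mixed; boundary="--' . ('9' x 40) . '"',
    'multipart/mixed; boundary="----=_NextPart_000_0001"',
    'text/plain; charset="us-ascii"',
);

# Count hits for one named rule over a list of headers.
sub hits {
    my ($name, @in) = @_;
    return scalar grep { $_ =~ $rule{$name} } @in;
}

# Headers the unbounded rule hits but the bounded rule misses.
sub coverage_lost {
    my @in = @_;
    return grep { $_ =~ $rule{unbounded} && $_ !~ $rule{bounded} } @in;
}

printf "%-10s hits %d of %d\n", $_, hits($_, @headers), scalar @headers
    for sort keys %rule;
print "lost by bounding: $_\n" for coverage_lost(@headers);

# Run each pattern over the same input for at least 1 CPU second.
cmpthese(-1, {
    unbounded => sub { hits('unbounded', @headers) },
    bounded   => sub { hits('bounded',   @headers) },
});
```

Because the closing quote is part of both patterns, the bounded form stops matching boundaries with a single digit or with more than six digits, so any timing difference has to be weighed against that change in rule coverage.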