Posted to dev@spamassassin.apache.org by Chris Santerre <cs...@MerchantsOverseas.com> on 2005/07/27 23:08:14 UTC
RE: rule secrecy, spammer evasion (was Re: PROPOSAL: create "Spam
Assassin Rules Project")
> -----Original Message-----
> From: jm@jmason.org [mailto:jm@jmason.org]
> Sent: Wednesday, July 27, 2005 4:50 PM
> To: Chris Santerre
> Cc: 'jm@jmason.org'; 'Duncan Findlay'; dev@spamassassin.apache.org
> Subject: Re: rule secrecy, spammer evasion (was Re: PROPOSAL: create
> "Spam Assassin Rules Project")
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Chris Santerre writes:
> > Ahhh...now I understand why you sent this. I got confused. I didn't read
> > this email first. I would consider this a bad rule to go by. Why?
> >
> > This IMHO is more a ratware flag. Spammers, more likely sock puppets, don't
> > understand or bother with this as much as the easier 'body content' stuff.
> >
> > So for instance if you write a rule looking for the phrase "buy m0rtgag3s
> > h3r3", Mr Sockpuppet can easily understand that aspect and change his body
> > payload to avoid.
> >
> > But I doubt many will understand the ratware setup of a mime boundary.
>
> OK -- agreed entirely there. The spammers can change quickly, but
> modifying ratware -- that's a lot harder.
>
> So -- in this text:
>
> > We never saved data on this. But if you ask ANY SARE member, they will
> > back up this claim. Or better yet, go ahead and start a new rule
> > discussion in the SATALK list. Pick a spam flag and go for it. See how
> > long it takes for that flag to go bye bye ;)
>
> when you said "pick a spam flag", what you really meant was "pick a
> body-text spam pattern".
Eh...I meant something that your average spammer could change. Like against
my unsubscribe rules *sigh* :)
>
> In that case, what about "My Wife, Jody"? That pattern was observed
> in spams going back nearly 15 years. ;)
You're married?
;)
Well we can always find an exception. I was surprised popcorn worked as long
as it did :)
I'm being a hardcase about it only because I feel it is the right way to
protect the work that goes into it. In the long run I feel it helps the SA
community better. I swear I'm not doing it to piss off D.Q. :) I completely
realise the hypocrisy of an open source project being secretive, only to
release the end result to the public anyway.
--Chris