Posted to dev@spamassassin.apache.org by Chris Santerre <cs...@MerchantsOverseas.com> on 2005/07/27 23:08:14 UTC

RE: rule secrecy, spammer evasion (was Re: PROPOSAL: create "Spam Assassin Rules Project")


> -----Original Message-----
> From: jm@jmason.org [mailto:jm@jmason.org]
> Sent: Wednesday, July 27, 2005 4:50 PM
> To: Chris Santerre
> Cc: 'jm@jmason.org'; 'Duncan Findlay'; dev@spamassassin.apache.org
> Subject: Re: rule secrecy, spammer evasion (was Re: PROPOSAL: create
> "Spam Assassin Rules Project") 
> 
> 
> Chris Santerre writes:
> > Ahhh...now I understand why you sent this. I got confused. I didn't read
> > this email first. I would consider this a bad rule to go by. Why?
> > 
> > This IMHO is more a ratware flag. Spammers, more likely sock puppets, don't
> > understand or bother with this as much as the easier 'body content' stuff.
> > 
> > So for instance if you write a rule looking for the phrase "buy m0rtgag3s
> > h3r3", Mr Sockpuppet can easily understand that aspect and change his body
> > payload to avoid.
> > 
> > But I doubt many will understand the ratware setup of a mime boundary.
> 
> OK -- agreed entirely there.   The spammers can change quickly, but
> modifying ratware -- that's a lot harder.
> 
> So -- in this text:
> 
> > We never saved data on this. But if you ask ANY SARE member, they will
> > back up this claim. Or better yet, go ahead and start a new rule
> > discussion in the SATALK list. Pick a spam flag and go for it. See how
> > long it takes for that flag to go bye bye ;)
> 
> when you said "pick a spam flag", what you really meant was "pick a
> body-text spam pattern". 

Eh...I meant something that your average spammer could change. Like against
my unsubscribe rules *sigh* :)

> 
> In that case, what about "My Wife, Jody"?  That pattern was observed
> in spams going back nearly 15 years. ;)

You're married?


;)

Well we can always find an exception. I was surprised popcorn worked as long
as it did :) 

I'm being a hardcase about it only because I feel it is the right way to
protect the work that goes into it. In the long run I feel it helps the SA
community better. I swear I'm not doing it to piss off D.Q. :)  I completely
realise the hypocrisy of an open source project being secretive, only to
release the end result to the public anyway. 

--Chris