Posted to users@spamassassin.apache.org by Tristan Miller <ps...@nothingisreal.com> on 2005/01/23 17:34:24 UTC

New rule suggestion: X-Face

Greetings.

I'd like to propose a new rule to help SpamAssassin decide whether or not a
given message is spam.  Namely, I think SA should test for the presence of
an X-Face header.  The use of X-Face enjoys some popularity amongst users
of Unix and Usenet; on the other hand, in years of checking I haven't
received a single spam mail with an X-Face header.

What does everyone else think?  Anyone care to do an fgrep for "X-Face" on
their spam and non-spam corpora to see if my experience is reflective of
the general case?

Regards,
Tristan

-- 
   _
  _V.-o  Tristan Miller [en,(fr,de,ia)]  ><  Space is limited
 / |`-'  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  <>  In a haiku, so it's hard
(7_\\    http://www.nothingisreal.com/   ><  To finish what you
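
The corpus check requested above, sketched as an added example (not part of the original post): it counts messages whose parsed header block really contains X-Face and reports spam%, ham% and the spam/overall (S/O) ratio. A plain fgrep also counts body mentions and misses lower-case header names. All sample messages are constructed.

```python
"""Count messages carrying a real X-Face header in spam and ham corpora."""
from email import message_from_string

# Constructed sample messages (not from any real corpus).
HAM = [
    "From: alice@example.org\nSubject: patch review\n"
    "X-Face: \"kUA_=&I|(by86eXgYc\n :~|Fr6)sA'w\n\nLooks good to me.\n",
    "From: bob@example.org\nSubject: lunch\n\nNoon works.\n",
    "From: carol@example.org\nSubject: headers\n\n"
    "Does anyone still set an X-Face: header these days?\n",
    "From: dave@example.org\nSubject: Re: build\nx-face: 9Jk#2!\n\nFixed.\n",
]
SPAM = [
    "From: promo@example.net\nSubject: cheap pills\n\nBuy now.\n",
    "From: win@example.net\nSubject: you won\n\nX-Face: pasted in body\n",
    "From: deal@example.net\nSubject: offer\n\nLimited time.\n",
]


def has_x_face(raw):
    """True only if X-Face is an actual header (case-insensitive, folded OK)."""
    return message_from_string(raw)["X-Face"] is not None


def fgrep_hits(corpus):
    """What `fgrep -l X-Face` would count: any message containing the string."""
    return sum("X-Face" in raw for raw in corpus)


def header_stats(spam, ham):
    """Return spam%, ham% and S/O (spam% / (spam% + ham%)) for the header test."""
    spam_pct = 100.0 * sum(map(has_x_face, spam)) / len(spam)
    ham_pct = 100.0 * sum(map(has_x_face, ham)) / len(ham)
    total = spam_pct + ham_pct
    so = spam_pct / total if total else None  # None: header never seen
    return spam_pct, ham_pct, so


if __name__ == "__main__":
    spam_pct, ham_pct, so = header_stats(SPAM, HAM)
    print(f"header test: spam {spam_pct:.1f}%  ham {ham_pct:.1f}%  S/O {so}")
    print(f"fgrep would count: spam {fgrep_hits(SPAM)}  ham {fgrep_hits(HAM)}")
```

An S/O near 0 marks a header seen almost only in ham; the figure describes the corpus as it stands and says nothing about how easily the header can be forged.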


Re[2]: New rule suggestion: X-Face

Posted by Matt Kettler <mk...@comcast.net>.
At 12:28 AM 1/24/2005, Robert Menschel wrote:
>I agree with Matt, but temper that with the realization that
>a) many of us have private rules which aren't published, and
>b) the more complex those rules are, the more reliable they can be
>    (ie: they're harder for spammers to fake successfully).

Agreed with both of the above, and I do have many of them myself. Although 
this is not exactly relevant as this idea is now public and known to spammers.

>c) SARE has the ability to modify our rules files quickly, so if a
>    rule works well today, but spammers begin to abuse it tomorrow, by
>    Wednesday we can flip the rule's score to zero or even negative,
>    depending on our spam statistics.

This is true enough, but only works for those using RDJ with the SARE 
rules. I for one don't because my security background dictates that I read 
the rulesets prior to installing them.

(Yes, I'm more paranoid than most. However, just because you're paranoid, 
don't mean the hackers aren't after you)



Re: Re[2]: New rule suggestion: X-Face

Posted by Tristan Miller <ps...@nothingisreal.com>.
Greetings.

On Monday 24 January 2005 06:28, Robert Menschel wrote:
> If anyone knows enough about the characteristics of the X-Face header
> to enable us to create a /good/ rule about it, please let me know
> offlist, and maybe we can make something work.

The X-Face header is a 48×48 1-bit bitmap which is compressed and 
ASCII-encoded using a non-standard format.  If you really want to know the 
details, they're probably available in the official faces distribution at 
<ftp://ftp.cs.indiana.edu/pub/faces/faces/>.  But because the header 
contains essentially binary data of unpredictable length, I think for 
SpamAssassin's purposes it would be enough to simply test for the presence 
or absence of this header.

Regards,
Tristan

-- 
   _
  _V.-o  Tristan Miller [en,(fr,de,ia)]  ><  Space is limited
 / |`-'  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  <>  In a haiku, so it's hard
(7_\\    http://www.nothingisreal.com/   ><  To finish what you

Re[2]: New rule suggestion: X-Face

Posted by Robert Menschel <Ro...@Menschel.net>.
Tristan,

Sunday, January 23, 2005, 9:58:15 AM, Matt responded to:
MK> At 11:34 AM 1/23/2005, Tristan Miller wrote:
>>I'd like to propose a new rule to help SpamAssassin decide whether
>>or not a given message is spam.  ... 

MK> The only problem with simple comp rules like this one is that
MK> spammers quickly realize it exists and start abusing the rule. ...

I agree with Matt, but temper that with the realization that
a) many of us have private rules which aren't published, and
b) the more complex those rules are, the more reliable they can be
   (ie: they're harder for spammers to fake successfully).
c) SARE has the ability to modify our rules files quickly, so if a
   rule works well today, but spammers begin to abuse it tomorrow, by
   Wednesday we can flip the rule's score to zero or even negative,
   depending on our spam statistics.

If anyone knows enough about the characteristics of the X-Face header
to enable us to create a /good/ rule about it, please let me know
offlist, and maybe we can make something work.

I've been thinking about putting together a SARE rules file for
negative scoring rules, which would get mass-checked and rescored once
or twice a week, to prevent (or at least adjust for, and maybe take
advantage of) abuse. If anyone else has ideas for rules that might be
suitable for such a rules file, again, send them off-list.

Thanks.

Bob Menschel




Re: New rule suggestion: X-Face

Posted by Matt Kettler <mk...@comcast.net>.
At 11:34 AM 1/23/2005, Tristan Miller wrote:
>I'd like to propose a new rule to help SpamAssassin decide whether or not a
>given message is spam.  Namely, I think SA should test for the presence of
>an X-Face header.  The use of X-Face enjoys some popularity amongst users
>of Unix and Usenet; on the other hand, in years of checking I haven't
>received a single spam mail with an X-Face header.
>
>What does everyone else think?

The only problem with simple comp rules like this one is that spammers 
quickly realize it exists and start abusing the rule. Major spammers do 
have access to SA, as well as this list's archives, and do carefully tune 
their spam to try to evade SA. Anything that easy is giving a free partial 
whitelist to the spammers.

There were "comp rules" in older versions of SA (2.5x), and then one day 
spammers realized they could optimize their message headers to match 
several of the comp rules and effectively whitelist themselves. Hence the 
infamous "kmail + pine" messages...

http://bugzilla.spamassassin.org/show_bug.cgi?id=1808


That's why there are no more simple body-text or header based negative 
scoring rules in SA anymore.  The only exception is habeas, but that has a 
DNSBL paired with it to track infringers vs well behaved users. Anything 
forgeable is just a gimme for the enemy.