Re: rule secrecy, spammer evasion (was Re: PROPOSAL: create "Spam Assassin Rules Project")

[Justin Mason <jm...@jmason.org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Chris Santerre writes:
> Ahhh...now I understand why you sent this. I got confused. I didn't read
> this email first. I would consider this a bad rule to go by. Why?
> 
> This IMHO is more a ratware flag. Spammers, more likely sock puppets, don't
> understand or bother with this as much as the easier 'body content' stuff. 
> 
> So for instance if you write a rule looking for the phrase "buy m0rtgag3s
> h3r3", Mr Sockpuppet can easily understand that aspect and change his body
> payload to avoid. 
> 
> But I doubt many will understand the ratware setup of a mime boundry.

OK -- agreed entirely there.   The spammers can change quickly, but
modifying ratware -- that's a lot harder.

So -- in this text:

> We never saved data on this. But if you ask ANY SARE member, they will
> backup this claim. Or better yet, go ahead and start a new rule
> discussion in the SATALK list. Pick a spam flag and go for it. See how
> long it takes for that flag to go bye bye ;) 

when you said "pick a spam flag", what you really meant was "pick a
body-text spam pattern". 

In that case, what about "My Wife, Jody"?  That pattern was observed
in spams going back nearly 15 years. ;)

- --j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFC5/N4MJF5cimLx9ARAtfzAJ9QzC6+PyDRdfA7j+Wnta5r+Alk7gCfR0D+
kZKPc/TJdGTtKianbEJBGbE=
=Byti
-----END PGP SIGNATURE-----