rule for new 'image' spam

[Adam Lanier <ad...@krusty.madoff.com>]

This rule seems to be catching the newest crop of 'image' spams.
Curious how it fares in other people's corpus.

MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME
0.273   1.1269   0.0000    1.000   0.71    3.200  MADF_GIF_SHORT_NAME

full     MADF_GIF_SHORT_NAME /name=\"?\d{4}\.gif\"?/i
describe MADF_GIF_SHORT_NAME Contains small spam gifs
score    MADF_GIF_SHORT_NAME 3.200 # [0.000..3.200]

Re: rule for new 'image' spam

[Theo Van Dinter <fe...@apache.org>]

On Thu, Feb 01, 2007 at 10:14:08AM -0500, Kevin A. McGrail wrote:
> This test (below) looks to me to be designed to catch all spam 0000.gif 
> through 9999.gif?  If so I would say the false positives are going to be 
> pretty high even without running it through a corpus.  Certainly it has a 
> high enough potential for FPs that a score of 3.2 is not appropriate.

It's also a full rule which makes it horrible.  Look at the mimeheader rules
which already look at graphic attachment filenames.

-- 
Randomly Selected Tagline:
"Unfortunately, the "Can't write utmp, wtmp" message, or any other
 variation is a symptom with a myriad of possible causes. The causes
 could range from a bad utmp or wtmp entry to the wind blowing slightly
 to the north." - Paul Carver

Re: rule for new 'image' spam

["Kevin A. McGrail" <ke...@thoughtworthy.com>]

Adam:

This test (below) looks to me to be designed to catch all spam 0000.gif 
through 9999.gif?  If so I would say the false positives are going to be 
pretty high even without running it through a corpus.  Certainly it has a 
high enough potential for FPs that a score of 3.2 is not appropriate.

Regards,
KAM


MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME
0.273   1.1269   0.0000    1.000   0.71    3.200  MADF_GIF_SHORT_NAME

full     MADF_GIF_SHORT_NAME /name=\"?\d{4}\.gif\"?/i
describe MADF_GIF_SHORT_NAME Contains small spam gifs
score    MADF_GIF_SHORT_NAME 3.200 # [0.000..3.200]