On 2007-03-07 02:16, Dennis Peterson wrote:
> Paul Bijnens wrote:
>> On 2007-03-05 20:07, Dennis Peterson wrote:
>>> Paul Bijnens wrote:
>>>
>>>> Be careful about using clamav with the MSRBL image-spams database!!
>>>>
>>>> It seems to me like detecting the image spams with clamav signatures
>>>> is not really an improvement. In fact, it is probably dangerous!
>>>>
>>>> The programs generating these spams make unique images with
>>>> variations with speckles, lines, color, size, etc., making the image
>>>> signature unique for each mail sent. I still have to catch the
>>>> first real spam using the MSRBL-Image clamav signatures.
>>>> I did catch some false positives on the other hand...
>>> How did you determine they were false positives? Their website does not
>>> provide a context so you can't know if what you are seeing is a web
>>> beacon image or a spacer.
>>
>> Yes it is a spacer, and not a beacon image.
>>
>> I downloaded and investigated the image.
>>
>> E.g. you flagged 36 times the "MSRBL-Images/0-IYC" spam image.
>
> And you still don't know the context. If MSRBL pulled down 3000
> messages, all spam, and they all contained this image which looks for
> all the world like a web beacon to me, then that is a spam indicator.
> Just like certain word couplings are indicators of spam, so too are
> images. The image itself needn't be the spam as in image spam. It needs
> only to be a valid and repeatable indicator. I consider web beacons and
> the messages that contain them to be spam.

OK, so I just sent the decision to the msrbl mailing list:

And got this answer:

>> Is this another false positive, or is this a beacon image used by
>> spammers?
>>
>> MSRBL-Images/0-IYC
>
> Hi,
> Thanks for the report, but this was removed from the signature file about 5
> days ago.

So this classifies those "small" images 1x1, 1x2 etc, as false positives
by the maintainers themselves.

Leaving these out (yes, all those "too small" images were removed from
the signature files now), do you still have some hit on some image,
and if yes, which one?

In all the months I had msrbl-Images added to the list of clamav
signatures, I did not encounter one single real spam, only 6 false
positives. But I'm not running a high traffic mail server.
I'm interested in results catching real spam on some more substantial
servers.

All the hits you got in the list you gave classify as false positives
in my opinion.

-- 
Paul Bijnens, xplanation Technology Services        Tel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax  +32 16 397.512
http://www.xplanation.com/          email:  [EMAIL PROTECTED]
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$,  shutdown,  *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ...           "Are you sure?"   ...   YES   ...   Phew ...   I'm out *
***********************************************************************
