Caution...
I had a similar test in Message Sniffer some weeks ago with tragic
results - too many false positives so we had to pull it. We have a mod
in the works to get around this hack - including a stream filter to drop
all html comments before matching. 

That would be a good one for you to look at, Scott, if it fits in your
system.

It turns out that simply counting the number of comments doesn't work
reliably. Neither does the comment to content ratio. There are some
specific comments that can be filtered - but that's not widely effective
except on repeats of the same spam run - although that does reduce the
load so we tend to include those when we see the opportunity.

For example, a few of the spam runs done by this technique had nursery
rhymes built in (I can't quote here)... a few others looked like chunks
of personal messages... The producer apparently can point the engine at
a text file and have it cycle through that text to pull segments for
randomly placed comments in a round-robin fashion.

Hope this helps,
_M

| -----Original Message-----
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
| Sent: Friday, July 05, 2002 11:22 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Word Filters - Spammers getting smarter
| 
| 
| 
| >You can see - spammers are adapting their message bodies to outsmart
| >the HEUR and the FILTER tests.
| >
| >(Of course, he eventually got lazy and used <!----> - and, the word 
| >"remove" still appears in the URL and was not URLencoded.)
| >
| >
| >   You are receiving this email as a subscr<!--dealers-->iber<br>
| >   to the Opt<!--dealers-->-In Ameri<!---->ca Mailin<!---->g 
| > Lis<!---->t.
| 
| Yes, this is becoming more common.  We are thinking about adding a test
| that checks for a high number of comments within an E-mail.
|                               -Scott
| 
| ---
| [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  You can E-mail [EMAIL PROTECTED] for
assistance.  You can visit our web site at http://www.declude.com .
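
The stream filter mentioned in the message above (drop all HTML comments before matching), sketched as an added example that is not part of the original thread and is not Message Sniffer or Declude code. The names `CommentStripper` and `strip_comments` are hypothetical; the sample body is the spam quoted in the thread with its line wrap joined.

```python
class CommentStripper:
    """Drops <!-- ... --> from text fed in arbitrary chunks (delimiters may be split)."""
    OPEN, CLOSE = "<!--", "-->"

    def __init__(self):
        self.buf = ""            # unprocessed tail, may end in a partial delimiter
        self.in_comment = False
        self.dropped = 0         # number of comments removed

    def feed(self, chunk):
        self.buf += chunk
        out = []
        while True:
            if self.in_comment:
                end = self.buf.find(self.CLOSE)
                if end < 0:
                    self.buf = self.buf[-2:]   # keep a possible split "--" of "-->"
                    break
                self.buf = self.buf[end + len(self.CLOSE):]
                self.in_comment = False
                self.dropped += 1
            else:
                start = self.buf.find(self.OPEN)
                if start < 0:
                    # hold back a trailing "<", "<!" or "<!-" until the next chunk
                    keep = next((n for n in (3, 2, 1) if self.buf.endswith(self.OPEN[:n])), 0)
                    cut = len(self.buf) - keep
                    out.append(self.buf[:cut])
                    self.buf = self.buf[cut:]
                    break
                out.append(self.buf[:start])
                self.buf = self.buf[start + len(self.OPEN):]
                self.in_comment = True
        return "".join(out)

    def close(self):
        # an unterminated comment is discarded; a held-back "<" is ordinary text
        tail, self.buf = ("" if self.in_comment else self.buf), ""
        return tail

def strip_comments(chunks):
    f = CommentStripper()
    text = "".join(f.feed(c) for c in chunks) + f.close()
    return text, f.dropped

# Sample body taken from the spam quoted in this thread.
SAMPLE = ("You are receiving this email as a subscr<!--dealers-->iber<br>\n"
          "to the Opt<!--dealers-->-In Ameri<!---->ca Mailin<!---->g Lis<!---->t.")

if __name__ == "__main__":
    chunks = [SAMPLE[i:i + 7] for i in range(0, len(SAMPLE), 7)]
    clean, n = strip_comments(chunks)
    print(n, "comments dropped")
    print("raw match:", "Mailing List" in SAMPLE, "| filtered match:", "Mailing List" in clean)
```

Word and phrase tests then run against the filtered text, so a phrase split by comments matches again regardless of what text the comments contain.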
