I've found myself that the subject test is only slightly useful in the scheme of things, but while I know false positives will happen, I haven't seen any under that configuration in the last day. I've now stopped monitoring that test as a result. BTW, it's very good to know that this isn't picking up FP's from mail mainly used by other languages, albeit western ones. I see very little real stuff from overseas, so that is hard for me to test.
My feeling is that once you achieve moderate success with Declude, each successive step is that much harder to make. Combined with the body gibberish (which often also trips the subject gibberish) and a test for obfuscation, this makes a very noticeable impact. They're all pretty much the same test anyway because they're all markers for the same school of thought in spamming. The types of folks that send from open relays or wormed machines are also the types of folks that use a lot of these techniques. I'm now able to fail some messages without any header errors because they combine subject spaces, obfuscation, gibberish and comments. These guys seem more concerned with masking the content of their messages than they are with masking their masking techniques. I'm fine with that because I think looking for techniques produces fewer FP's than looking for content.
So in general, I see all of these things as the same test, and most hits will score on at least one other test mentioned. It's hard to say that it didn't have an impact when you could say the same about SUBJECTSPACES for instance...something often combined with GIBBERISHSUB.
Right now all I am looking for is loose change in the couch, and I found a few more pennies. I've fixed the major problems with the GIBBERISH body filter on my machine, and that makes a much bigger impact on results than the subject filter because it picks up fake boundaries and links that spammers are using even when they don't include gibberish in text and comments (I didn't realize that until yesterday, but it accounts for a lot of the hits). FP's are higher, but nothing has failed my machine under the new configuration because of that test. I'll post the updated filter once I have 1,000 hits and can put together some numbers to go along with it.
Thanks,
Matt
Markus Gufler wrote:
Matt, here are my observations about GIBBERISHSUB:
I've tested this now for over a day on our mailserver (which handles mainly messages written in German and Italian). Haven't found any FP, but any spam message triggering this test has already received more than 200% of our hold weight.
However: good test!
Markus
