RE: [Razor-users] Razor Agents and Future.

[vipul]

Title: RE: [Razor-users] Razor Agents and Future.

> Sounds like SpamNet is significantly more advanced than the GPLed razor
> modules.  At least in the hashes.  But I can't imagine that my spam is
> significantly different from everyone elses.  After all, it's all about
> Pharmacies, Porn, Morgages, and Body Enhancements.  Sometimes all at
> once! ;)


Whether a spam "looks" the same as its randomized copies depends on the
"resolution" of a signature scheme. If a signature scheme generates 10K
signatures for 10K messages of a spam attack,
system is entirely ineffective in detection of this particular spam
attack. If, however, a signature scheme generates one (or a small number
of) signatures for 10K related spams, it is able to "resolve" a set of
randomized spam messages into an abstract spam attack, which can be
(simplistically speaking) filtered by correlating reports with checks.
Razor2 agents use the ehash scheme, whose resolution is about 25% and
hence the detection ratio is in the same ball park.

Other signature schemes in Razor2/SpamNet have much resolution and a the
combination of all signature schemes provides a resolution close to 100%,
which is why SpamNet clients are better at filtration.

This is also the reason for the perception of TeS latency. TeS needs
multiple reports for a signature before it can abstract a spam attack and
look at the multiple reports to infer trust and confidence values for the
signatures. If you report a spam and the next similar looking spam doesn't
get filtered, it's much more likely that the signature scheme saw it as
two different messages.

cheers,
vipul