Graham Murray wrote:
> I have noticed that 'stock' spams hardly ever trigger the razor checks
> in SpamAssassin. Razor seems effective at catching a large proportion of
> every type of spam, it is just the 'stock' ones it never catches. I
> report nearly all of the stock spam I receive.

If you study the stock spams, it shouldn't be too surprising that it misses
some of these runs.

Razor has 2 engines: e4 and e8.

e8 is based on URLs, and stock spams generally don't have URLs, so it won't 
match at all.

e4 is based on hashing part of the body text, and that detects duplicate or 
nearly-duplicate messages.

However, some of the current stock spams are comprised of unique messages. In 
these runs no two emails are exactly the same, and every person gets one that's 
slightly different. This is done using the CPU power of the botnets that 
distribute them to obfuscate the message each time it is sent, and it's done 
differently each time the message is sent.

Of course, I've also seen plenty of other stock spams lately that aren't doing
uniqueness, or are using a very limited set of changes, and razor works fine on
these. In particular, today's run trying to get you to invest in a yacht maker
has been hitting e4 a lot. (Most of the ones for this same stock on 10/1 were
unique, but today I've been getting a bunch of identical ones that razor is
tearing up.)

Of course, none of this is to say that razor is useless. There are lots of spam
detection techniques out there, and all of them have a weakness somewhere. Your
best bet is to use multiple tools that complement each other to fill in the
gaps.

Razor is particularly useful against spams advertising a website, spams using
images that don't change, or low-budget mass-runs of identical messages. It
also keeps pressure on spammers to keep changing their content, which slows
them down a little bit.

In general I find the best tools against the "unique message" spam runs that
don't contain any URLs are RBLs, particularly Spamhaus XBL (or CBL). I also find
that if properly trained, bayes systems work pretty well on them too. Although
they mutate a lot, they use a lot of the same mutations, so over time they all
look the same to a bayes system.


_______________________________________________
Razor-users mailing list
Razor-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/razor-users
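
An added example, not part of the original post and not Razor's code: a way to measure, over a folder of collected spam, how much of a run shared body or URL signatures could match at all. `body_signature` and `url_signatures` are simplified stand-ins assumed for illustration, not Razor's actual e4/e8 algorithms, and the sample runs are constructed.

```python
import hashlib
import re
from collections import Counter

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def body_signature(body):
    """Stand-in for a body-text hash: lowercase, collapse whitespace, SHA-1."""
    normalized = " ".join(body.lower().split())
    return hashlib.sha1(normalized.encode("utf-8")).hexdigest()

def url_signatures(body):
    """Stand-in for a URL-based signature: one SHA-1 per distinct URL."""
    return {hashlib.sha1(u.lower().encode("utf-8")).hexdigest()
            for u in URL_RE.findall(body)}

def run_coverage(bodies):
    """Summarise how much of one spam run shared signatures could match."""
    counts = Counter(body_signature(b) for b in bodies)
    # A message is matchable by body hash only if another copy has the same hash.
    repeated = sum(n for n in counts.values() if n > 1)
    with_url = sum(1 for b in bodies if url_signatures(b))
    return {"messages": len(bodies),
            "distinct_body_signatures": len(counts),
            "messages_sharing_a_body_signature": repeated,
            "messages_with_url": with_url}

# Constructed sample runs (not real spam).
IDENTICAL_RUN = ["Hot pick: EXAMPLE CORP (EXMP) set to climb. Buy Monday!"] * 4
UNIQUE_RUN = [
    "Hot pick: EXAMPLE CORP (EXMP) set to climb. Buy Monday!",
    "Hot p1ck: EXAMPLE C0RP (EXMP) set to cl1mb. Buy Monday!",
    "H o t pick - EXAMPLE CORP (E X M P) set to climb, buy Monday",
    "Hot pick: EXAMPLE CORP (EXMP) is set to climb!! Buy on Monday",
]
WEBSITE_RUN = [
    "Cheap watches at http://shop.example.test/deal today only",
    "Ch3ap watches, v1sit http://shop.example.test/deal now",
]

if __name__ == "__main__":
    for name, run in [("identical", IDENTICAL_RUN), ("unique", UNIQUE_RUN),
                      ("website", WEBSITE_RUN)]:
        print(name, run_coverage(run))
```

A run where `messages_sharing_a_body_signature` and `messages_with_url` are both zero is one that neither kind of signature can match, which is where RBLs and a trained bayes filter have to carry the load.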
