Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Because a small amount of weight is added, it is still sufficient for tilting the scales on more occurrences than other image types.

- Original Message -
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Tuesday, June 06, 2006 10:44 AM
Subject: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

> Hello Jonathan,
>
> I urge caution from experience... png images are not entirely rare,
> and the cid: tag format in the regex is also common.
>
> I'd love to be wrong - but I recall false positives with similar
> attempts in the past.
>
> Is there more to this than the two elements I just described -
> something I'm not seeing?
>
> _M
>
> Tuesday, June 6, 2006, 10:19:36 AM, you wrote:
>
> > Nick, very good method. I have added that to my configuration as well now.
> >
> > - Original Message -
> > From: "Nick Hayer" <[EMAIL PROTECTED]>
> > To: "Message Sniffer Community"
> > Sent: Tuesday, June 06, 2006 10:05 AM
> > Subject: Re: [sniffer]Numeric spam topic change to png stock spam
> >
> >> Hi Markus -
> >>
> >> Markus Gufler wrote:
> >>
> >> >There is also another type of spam (stock spam now with attached png image)
> >> >this morning passing our filters.
> >> >
> >> I am catching these fairly easily -
> >> a combo filter -
> >> #combo-stockspammer-png.txt
> >> SKIPIFWEIGHT 26
> >> TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
> >> BODY 5 CONTAINS Content-Type: image/png;
> >> #
> >> The body regex is this:
> >> src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
> >>
> >> -Nick
>
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.

#
This message is sent to you because you are subscribed to
the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Hello Nick,

Thanks. That's all good then :-)

_M

Tuesday, June 6, 2006, 10:46:55 AM, you wrote:

> Pete McNeil wrote:
>
> Hello Nick,
> What is your false positive rate with that pattern?
>
> Hmm let's go to the MDLP for yesterday :)
>
>                     SS   HH  HS  SH  SA        SQ
> REGEX.STOCK.BODY    331  0   0   66  0.667506  0.445565
> COMBO.STOCK_PNG     16   0   0   1   0.882353  0.778547
>
> The regex alone will fp; I score it with a 3 [hold on 10; delete on 24]
> The png combo I just did it last night when I first saw the spam.
> So far I have not seen any fp. [ I combo it (the regex) with other
> tests as well - which makes it much more reliable.]
>
> -Nick
>
> _M
> Tuesday, June 6, 2006, 10:05:18 AM, you wrote:
>
> Hi Markus -
>
> Markus Gufler wrote:
>
> There is also another type of spam (stock spam now with attached png image)
> this morning passing our filters.
>
> I am catching these fairly easily -
> a combo filter -
> #combo-stockspammer-png.txt
> SKIPIFWEIGHT 26
> TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
> BODY 5 CONTAINS Content-Type: image/png;
> #
> The body regex is this:
> src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
>
> -Nick

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Pete McNeil wrote:

> Hello Nick,
>
> What is your false positive rate with that pattern?

Hmm let's go to the MDLP for yesterday :)

                    SS   HH  HS  SH  SA        SQ
REGEX.STOCK.BODY    331  0   0   66  0.667506  0.445565
COMBO.STOCK_PNG     16   0   0   1   0.882353  0.778547

The regex alone will fp; I score it with a 3 [hold on 10; delete on 24]
The png combo I just did it last night when I first saw the spam.
So far I have not seen any fp. [ I combo it (the regex) with other
tests as well - which makes it much more reliable.]

-Nick

> _M
>
> Tuesday, June 6, 2006, 10:05:18 AM, you wrote:
>
> > Hi Markus -
> >
> > Markus Gufler wrote:
> >
> > > There is also another type of spam (stock spam now with attached png image)
> > > this morning passing our filters.
> >
> > I am catching these fairly easily -
> > a combo filter -
> > #combo-stockspammer-png.txt
> > SKIPIFWEIGHT 26
> > TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
> > BODY 5 CONTAINS Content-Type: image/png;
> > #
> > The body regex is this:
> > src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
> >
> > -Nick
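The combo logic from Nick's message, as an added example that is not part of the original thread: the regex, the weights 3 and 5, the skip value 26 and the hold/delete thresholds come from the posts, while `prior_weight`, the sample bodies and the reading of the three filter directives (skip at 26 or above, stop unless the regex test fired, add 5 when a PNG part is present) are assumptions made here.

```python
import re

# Body regex exactly as posted in the thread.
STOCK_CID = re.compile(r'src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@')
PNG_PART = "Content-Type: image/png;"
REGEX_WEIGHT = 3               # Nick's score for the regex test on its own
COMBO_WEIGHT = 5               # "BODY 5 CONTAINS ..." in the posted filter
SKIP_AT = 26                   # "SKIPIFWEIGHT 26"
HOLD_AT, DELETE_AT = 10, 24    # Nick's hold / delete thresholds

def score(raw, prior_weight=0):
    """Return (total weight, tests that fired) for one raw message.
    prior_weight is an assumed stand-in for the site's other tests."""
    weight, fired = prior_weight, []
    regex_hit = STOCK_CID.search(raw) is not None
    if regex_hit:
        weight += REGEX_WEIGHT
        fired.append("REGEX.STOCK.BODY")
    # Assumed reading of the combo file: skip it at SKIP_AT or above, stop
    # unless the regex test fired, then add weight only if a PNG part exists.
    if weight < SKIP_AT and regex_hit and PNG_PART in raw:
        weight += COMBO_WEIGHT
        fired.append("COMBO.STOCK_PNG")
    return weight, fired

def action(weight):
    """Map a total weight onto the hold/delete thresholds from the thread."""
    if weight >= DELETE_AT:
        return "delete"
    return "hold" if weight >= HOLD_AT else "deliver"

# Constructed sample bodies (not real traffic).
CID = 'src="cid:0a1b2c3d4e5f$6a7b8c9d$0e1f2a3b@example">'
STOCK_PNG = "<img " + CID + "\n--b\nContent-Type: image/png;\n name=\"a.png\"\n"
SAME_CID_GIF = "<img " + CID + "\n--b\nContent-Type: image/gif;\n name=\"logo.gif\"\n"
PNG_OTHER_CID = '<img src="cid:chart1@example">\n--b\nContent-Type: image/png;\n'

if __name__ == "__main__":
    for name, body in [("stock+png", STOCK_PNG), ("same cid, gif", SAME_CID_GIF),
                       ("png, other cid", PNG_OTHER_CID)]:
        for prior in (0, 5):
            w, fired = score(body, prior)
            print(f"{name:15} prior={prior} weight={w:2} {action(w):7} {fired}")
```

With a prior weight of 5 the stock-plus-PNG sample reaches 13 and is held, while the same cid format with a GIF part stays at 8 and is delivered, which is the small tilt the combo is meant to supply.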
[sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Hello Jonathan,

I urge caution from experience... png images are not entirely rare,
and the cid: tag format in the regex is also common.

I'd love to be wrong - but I recall false positives with similar
attempts in the past.

Is there more to this than the two elements I just described -
something I'm not seeing?

_M

Tuesday, June 6, 2006, 10:19:36 AM, you wrote:

> Nick, very good method. I have added that to my configuration as well now.
>
> - Original Message -
> From: "Nick Hayer" <[EMAIL PROTECTED]>
> To: "Message Sniffer Community"
> Sent: Tuesday, June 06, 2006 10:05 AM
> Subject: Re: [sniffer]Numeric spam topic change to png stock spam
>
>> Hi Markus -
>>
>> Markus Gufler wrote:
>>
>> >There is also another type of spam (stock spam now with attached png image)
>> >this morning passing our filters.
>> >
>> I am catching these fairly easily -
>> a combo filter -
>> #combo-stockspammer-png.txt
>> SKIPIFWEIGHT 26
>> TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
>> BODY 5 CONTAINS Content-Type: image/png;
>> #
>> The body regex is this:
>> src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
>>
>> -Nick

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Hello Nick,

What is your false positive rate with that pattern?

_M

Tuesday, June 6, 2006, 10:05:18 AM, you wrote:

> Hi Markus -
>
> Markus Gufler wrote:
>
>>There is also another type of spam (stock spam now with attached png image)
>>this morning passing our filters.
>>
> I am catching these fairly easily -
> a combo filter -
> #combo-stockspammer-png.txt
> SKIPIFWEIGHT 26
> TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
> BODY 5 CONTAINS Content-Type: image/png;
> #
> The body regex is this:
> src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
>
> -Nick

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.