Running Spamassassin with the snfilter plugin, mostly default plus some
SARE rulesets. We get almost none of the image-based spams.  The SARE
rulesets help with this a LOT!  Especially SARE_STOCKS.

> -----Original Message-----
> From: Message Sniffer Community 
> [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Tuesday, December 12, 2006 12:43 PM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Stock spam
> 
> Hello Herb,
> 
> Tuesday, December 12, 2006, 12:32:09 PM, you wrote:
> 
> > We were seeing lots of unmarked pump and dump stock spam a
> > week or so ago but now almost none is getting thru. Sniffer is catching
> > most of it and some other declude and rbl tests are as well.
> 
> It's interesting to see such mixed results posted. It makes 
> me wonder what the differences are between the systems 
> reporting high catch rates (which we also see, once a 
> campaign has been analyzed) and low catch rates.
> 
> Also -- are the poor catch rates reported on text based 
> stock-push spams or image based?
> 
> Text based stock-push leakage is not likely because we 
> generally catch these very fast and there are a range of 
> rules in place to capture new campaigns even before we've 
> seen them - so if you have this kind of leakage and it 
> persists then start looking for problems with your system 
> (errors, rulebase updates working, etc...)
> 
> Image based stock-push is a problem, as is all image spam, 
> but we do generally get these handled pretty fast. If you 
> haven't already - recognize that since about mid September 
> the black hats have significantly shifted toward image spam, 
> have increased their volumes by between 4x and 20x (depending 
> on who you talk to), and have increased the rate at which new 
> campaigns are launched by at least 5x.
> 
> If you are seeing image spam leakage check your weighting 
> system (if you have one) and be sure that SNF rule groups 60 
> and 61 are rated highly enough to hold a message on their 
> own. Previously we had always advised that SNF plus at least 
> one other test should be required to hold a message simply 
> for philosophical reasons: no single test should hold a 
> message in order to improve accuracy. Unfortunately the 
> recent changes in blackhat behavior are such that SNF is 
> often the only test to fire on image spams so it has become 
> necessary to abandon that tactic in order to minimize leakage.
> 
> Hope this helps,
> 
> _M
> 
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.
> 
> 
> #############################################################
> This message is sent to you because you are subscribed to
>   the mailing list <sniffer@sortmonster.com>.
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> To switch to the DIGEST mode, E-mail to 
> <[EMAIL PROTECTED]>
> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> Send administrative queries to  <[EMAIL PROTECTED]>
> 
> 

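The weighting advice in Pete McNeil's quoted reply (SNF rule groups 60 and 61 must score high enough to hold a message on their own, instead of the older "SNF plus one other test" rule) modelled as a small scoring engine. This is an added example, not code from the list or from Message Sniffer; the header names, weights, threshold and sample messages are constructed assumptions, not Declude or SNF syntax.

```python
import re

HOLD_THRESHOLD = 10  # assumed score at which a message is held

# Old advice: SNF plus at least one other test is needed to hold a message,
# so an SNF-only hit scores below the threshold.
OLD_WEIGHTS = {"SNF": 6, "SNF-IMAGE": 6, "RBL": 5, "SARE_STOCKS": 5}
# New advice: SNF rule groups 60/61 (image spam) hold a message on their own.
NEW_WEIGHTS = {"SNF": 6, "SNF-IMAGE": 10, "RBL": 5, "SARE_STOCKS": 5}

IMAGE_GROUPS = {60, 61}  # the SNF rule groups named in the quoted reply

def fired_tests(headers):
    """Translate constructed result headers into the set of tests that fired."""
    tests = set()
    for line in headers:
        m = re.match(r"X-SNF-Group:\s*(\d+)", line)
        if m:
            tests.add("SNF-IMAGE" if int(m.group(1)) in IMAGE_GROUPS else "SNF")
        elif re.match(r"X-RBL:\s*hit", line):
            tests.add("RBL")
        elif re.match(r"X-SARE:\s*SARE_STOCKS", line):
            tests.add("SARE_STOCKS")
    return tests

def score(headers, weights):
    """Sum the weights of every test that fired on the message."""
    return sum(weights.get(t, 0) for t in fired_tests(headers))

def should_hold(headers, weights):
    return score(headers, weights) >= HOLD_THRESHOLD

# Constructed sample messages (result headers only).
SAMPLES = {
    "text_stock": ["X-SNF-Group: 40", "X-RBL: hit"],   # SNF plus RBL
    "image_stock_snf_only": ["X-SNF-Group: 61"],       # only SNF fires
    "ham": ["X-RBL: miss"],                             # nothing fires
}

def leaks(weights):
    """Names of sample messages the given weighting lets through."""
    return sorted(n for n, h in SAMPLES.items() if not should_hold(h, weights))

if __name__ == "__main__":
    for label, w in (("old", OLD_WEIGHTS), ("new", NEW_WEIGHTS)):
        print(label, "weights leak:", leaks(w))
```

Under the old weights the image campaign that only SNF group 61 catches leaks; raising the group 60/61 weight to the hold threshold closes that gap without touching the clean message.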