Loren Wilton wrote: > Taking a quick look at the first one (and I wish you would post as > text rather than html next time!) I see some interesting things that > will probably hold for some time:
It's worth noting that all (that I've seen) are To: sales@<mydomain>. Some (but not all) have the I<->l substitution (usually mid-word, resulting in uppcase amongst lower) -- possible rule fodder. I've got a handful here (all of which score > 5 with BAYES_99, save one) that have some other characteristics. The one that slips by scores: 1.7 BAYES_80 BODY: Bayesian spam probability is 80 to 90% [score: 0.8904] As an aside, bogofilter and spamprobe (trained more recently with same spam, and subset of ham used to train SA bayes) both tag it as definite spam. They don't seem to be going to any great length to hide, which could be why they're so successful. It's a topic that isn't altogether out of place on many of my list subscriptions. Could it be the fact that they're NOT particularly stealthy (my examples anyhow) that's working in their favor? The latest is slightly different, with a "drive thousands to your website" subject. My samples have been run through anomy sanitizer (old procmail rule set), but are otherwise intact. I'll gladly send them to anyone interested. I'll also gladly send along dumps from bogofilter and spamprobe listing bayes term scoring. From recent postings, I'm not sure if simply attaching/posting samples on-list is acceptable. I'm still puzzled why these seem fairly common, yet bayes training doesn't seem to be stopping them. I'm equally puzzled as to why they're somewhat SA bayes-resistant, yet fall so easily to other bayes tools. I don't want to sounds as if I'm advocating just using bayes. SA has been WONDERFUL on bringing my bayes tools up to speed quickly. - Bob
