>-----Original Message----- >From: Andy Jezierski [mailto:[EMAIL PROTECTED] >Sent: Monday, May 17, 2004 2:02 PM >To: [EMAIL PROTECTED] >Subject: Re: Bayes Poison detection > > > > > > >"Jeremy Kister" <[EMAIL PROTECTED]> wrote on >05/17/2004 >12:07:43 AM: > >> As we've all been getting a lot more spam containing bayes >poison, i was >> pondering a way to detect it. >> >> I was thinking: >> 20+ words (50+ words?) >> no numbers, newline, comma or period >> same case ? >> >> the simple rule: >> rawbody BAYES_POISON_01 /([a-z]+\s+){20}/ >> seems to do the trick >> >> >> can someone test this against a good corpus to see if it's a good >indicator >> or not ? >> >> If it is a good indicator, then not only could it add >points, but perhaps >> the sa-learn process could ignore messages (or a part of the >messages) >which >> match. >> >> >> Jeremy Kister >> http://jeremy.kister.net/ >> Argus: The World's Most Advanced Monitoring Software: >> http://argus.tcp4me.com/ >> > >My bayes likes poison!! Yum, yum, yum. > >I don't think the poisoning is doing a bit of good. Most of my spam is >flagged with Bayes_99 with no FP's. > > >Andy
SARE had done some experiments with a custom eval that would also check for 20-50 words without "tie in" words like : a, at, is, the, of, on, that, have, had, and,....... It had mixed results. We moved on because we also felt that bayes poison was useless. Maybe Ninja 'F' will take a look at it again. Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin
