>-----Original Message-----
>From: Adam Lanier [mailto:[EMAIL PROTECTED]
>Sent: Thursday, December 09, 2004 4:04 PM
>To: SA List
>Subject: Soliciting advice from the list members
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>My management has recently asked me how SpamAssassin is prepared to deal
>with a number of recent trends in spam technology. This was prompted by
>a recent seminar they attended regarding spam (provided by an anti-spam
>vendor who shall remain nameless).
>
>None of these so-called recent spam trends are new to me or probably to
>anyone who deals with spam on a daily basis. However, while drafting my
>reply I had the thought that perhaps my answers would carry more weight
>if I could include some quotes from other people in the industry
>regarding SA's ability to handle spam utilizing these techniques. I've
>done some cursory browsing through the list archives but thought I might
>solicit some fresh input from the list-members.
>
>These are the recent trends raised by my management:
>
>Hash Busting - slightly modify each copy of message to foil
>'fingerprinting' techniques
Absolutely useless. We pretty much ignore it now.

>
>Bayes Poisoning - addition of random dictionary words

This has been renamed to Bayes Fodder. As we have seen just about no impact on Bayes. A properly fed Bayes DB will not be hurt by this at all. Spammers wasting their time again.

>
>Hidden Text - using invisible text in html messages

We LOVE this! We now use it to flag spam! This is an old method in spam terms. Many spammers have abandoned this because it became a flag.

>
>Keyword Corruption - using obfuscated text to hide keywords

We have numerous OBFU rules to catch the key phrases. We don't get them all but we get a good %. And the rest is taken up by other rules. This method hasn't proven to get past filters either.

>
>Tiny Messages - messages with only URL or image

SURBL.org is all I need to say. They can't get by it. URIRBL is kicking spammers in the teeth. Only way they can get by it is to ask users to copy and paste links. And lusers think twice about that. They are lazy :)

>
>I'd appreciate any comments on how SA handles these types of spamming
>nastiness.

In the last year we have seen some amazing advances in the antispam area. While it is a constant battle, we have been able to not only catch up, but block in advance. We now work on rules to flag spam that have poor corpus hits, because they are so new, that spammers haven't used them mainstream. We have people ready to react to any attempt to get by filters. SARE would love for the next challenge to come up.

With the combination of Bayes, RBL, URIRBL, and some custom rules from SARE, we can catch 99.99999% of spam with a low FP rate.

Which leads us to the next stage of the battle. Education and punishment. Users will continue to be educated on the situation. And hopefully blackhat ISPs and registrars will be punished with the sting of being blacklisted. While we haven't killed spam yet, we are putting a serious dent in it.
Trend seems to be that only the big guys are lasting, and they are trying to paint themselves as small. There are more antispam projects than I can count. Some key projects are being networked together. Reaction times are much faster. All in all, I'm happy with the results.

Chris Santerre
System Admin and SARE/SURBL Ninja
http://www.rulesemporium.com
http://www.surbl.org
'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.'
Charles Darwin