[linux-elitists] Notify about using the e-mail account.

Karsten M. Self kmself@ix.netcom.com
Wed Mar 3 14:25:18 PST 2004


on Wed, Mar 03, 2004 at 04:33:55PM -0500, Aaron Sherman (ajs@ajs.com) wrote:
> On Wed, Mar 03, 2004 at 10:43:51AM -0800, Karsten M. Self wrote:
> 
> > Rulesets only get you so far.  The nice thing about the Bayesian
> > classifiers is that they are automatically adaptive.
> 
> Very true!
> 
> And that's why SA isn't just a ruleset. SA uses a large number of approaches
> including static text-matching rules; Bayesian scoring; DNS blacklists;
> distributed checksums; etc. You note later the DNSBL and checksum
> tests, but not Bayes, I just thought you might want that extra piece.

Where rulesets *are* useful, IMO, is in detecting structural or
point-of-origin aspects of mail:

  - URL obfuscation.  Effectively never needed in legitimate mail.

  - Various chaffing methods.  There are several custom filters for SA
    which address the use of HTML comments or anchors to obscure text,
    e.g.:  pe<!--asdf-->nis or via<a href="http://zgp.org/"></a>gra.
    Also widely divergent HTML and ASCII methods.
    See "backhair" and "popcorn" which tend to pick these up.

  - Image-link based spam.  Body contains few lines of text and an
    image.

  - Known-bad URL spam.  There are lists of spam-friendly IPs and/or
    spammer-owned (or controlled, or 0wn3d) domains.  Tools to update
    such lists periodically and query against them on incoming mail
    bodies can be effective.

I see the prior strategy of specifically coding in tests for specific
words and/or phrases as less critical.  Though it's convenient to have
Nigeria spam identified for me in SpamAssassin headers.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    The black hat community is drooling over the possibility of a secure
    execution environment that would allow applications to run in a
    secure area which cannot be attached to via debuggers.
    - Jason Spence, on Palladium aka NGCSB aka "Trusted Computing"
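The structural checks the message above lists (HTML comment and empty-anchor chaffing, URL obfuscation, image-only bodies, known-bad domain lookups, and HTML text that diverges from the plain-text part), written out as an added Python example. This is not code from the post, from SpamAssassin, or from the "backhair"/"popcorn" filters it mentions; the rule names, the KNOWN_BAD_DOMAINS blocklist and the sample messages are constructed for illustration, and the divergence check goes slightly beyond the post by comparing word sets of the two MIME parts.

```python
import re
from html.parser import HTMLParser

# Constructed, hypothetical blocklist of spammer-controlled domains. It stands in
# for the periodically refreshed lists the post describes.
KNOWN_BAD_DOMAINS = {"spammer.example", "pillshop.example"}

# Letters on both sides of an HTML comment: "pe<!--asdf-->nis" renders as one word.
COMMENT_CHAFF = re.compile(r"[A-Za-z]<!--.*?-->[A-Za-z]", re.S)
# Letters on both sides of an empty anchor: 'via<a href="..."></a>gra'.
EMPTY_ANCHOR_CHAFF = re.compile(r"[A-Za-z]<a\b[^>]*>\s*</a>[A-Za-z]", re.I | re.S)
# The authority part (user@host:port) of every http(s) URL in the body.
URL_AUTHORITY = re.compile(r"https?://([^\s\"'<>/]+)", re.I)
IMG_TAG = re.compile(r"<img\b", re.I)
# Tags that break text when rendered; inline tags and comments do not.
BLOCK_TAGS = {"p", "br", "div", "li", "tr", "td", "h1", "h2", "h3", "table"}


class _TextExtractor(HTMLParser):
    """Collect the text a mail client would show; tags and comments vanish."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in BLOCK_TAGS:
            self.parts.append(" ")

    def handle_endtag(self, tag):
        if tag in BLOCK_TAGS:
            self.parts.append(" ")

    def handle_data(self, data):
        self.parts.append(data)


def render_text(html):
    """Rendered text with whitespace normalised, so chaffed words reassemble."""
    p = _TextExtractor()
    p.feed(html)
    p.close()
    return " ".join("".join(p.parts).split())


def _words(s):
    return set(re.findall(r"[a-z0-9]+", s.lower()))


def _host_of(authority):
    # Drop any userinfo ("user@") and port; keep the host actually contacted.
    return authority.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def _is_known_bad(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def check_structure(html_body, text_body=None):
    """Return the names of the structural rules that fire on this message."""
    hits = []
    if COMMENT_CHAFF.search(html_body):
        hits.append("HTML_COMMENT_CHAFF")
    if EMPTY_ANCHOR_CHAFF.search(html_body):
        hits.append("EMPTY_ANCHOR_CHAFF")

    authorities = URL_AUTHORITY.findall(html_body)
    # Userinfo or percent-escapes in the authority hide the real host from a
    # casual reader; legitimate mail effectively never needs either.
    if any("@" in a or "%" in a for a in authorities):
        hits.append("URL_OBFUSCATION")
    if any(_is_known_bad(_host_of(a)) for a in authorities):
        hits.append("KNOWN_BAD_URL")

    rendered = render_text(html_body)
    # An image plus little readable text: the pitch is in the picture.
    if IMG_TAG.search(html_body) and len(rendered.split()) < 10:
        hits.append("IMAGE_ONLY_BODY")

    # multipart/alternative parts should say the same thing; compare word sets
    # once both are long enough for the overlap ratio to mean anything.
    if text_body is not None:
        a, b = _words(rendered), _words(text_body)
        if len(a) >= 5 and len(b) >= 5 and len(a & b) / len(a | b) < 0.5:
            hits.append("HTML_TEXT_DIVERGENCE")
    return hits


# Constructed sample messages, one per rule.
CHAFFED = ('<html><body>Buy pe<!--asdf-->nis pills and '
           'via<a href="http://zgp.org/"></a>gra today at '
           'http://zgp.org@pillshop.example/order</body></html>')
IMAGE_ONLY = '<html><body><img src="http://images.example/x.gif"><br>Click</body></html>'
LEGIT_HTML = ('<html><body><p>Hi Karsten,</p><p>see the patch at '
              'http://zgp.org/patches/ and let me know.</p></body></html>')
LEGIT_TEXT = "Hi Karsten, see the patch at http://zgp.org/patches/ and let me know."
DIVERGENT_TEXT = "Get cheap meds online now with fast delivery guaranteed."

if __name__ == "__main__":
    for name, html, text in [("chaffed", CHAFFED, None), ("image-only", IMAGE_ONLY, None),
                             ("legit", LEGIT_HTML, LEGIT_TEXT), ("divergent", LEGIT_HTML, DIVERGENT_TEXT)]:
        print(f"{name:10s} {check_structure(html, text)}")
    print("rendered:", render_text(CHAFFED))
```

Each rule is a yes/no hit rather than a score; in a real deployment the hit names would feed a scoring layer alongside the Bayesian and DNSBL tests the thread discusses, and the domain list would be loaded from a refreshed feed rather than a literal.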