Re: [Asrg] "Uncaught spam" research project

Aaron Wolfe <aawolfe@gmail.com> Fri, 30 April 2010 17:05 UTC


On Fri, Apr 30, 2010 at 10:37 AM, Martijn Grooten
<martijn.grooten@virusbtn.com> wrote:
> I intend to do a little project where I send a lot of spam[1] through a large number of mostly commercial[2] spam-filters (which I'm doing anyway) and then look at differences between spam that's caught by all filters, spam that is misidentified by one filter and spam that is misidentified by more than, say, 25% of the filters. All with the purpose of finding where spam filters can be improved.
>

In my experience, you will find more variation in performance between
a properly configured / maintained spam filter and a system left at
defaults and forgotten about than you will find between different
vendors.  Filters will use a variety of tactics to detect spam but
most are common and unless a vendor has implemented them incorrectly
they should perform identically.  For instance RBLs, SMTP syntax
checks, DNS checks, IP connection characteristics are all going to be
common. There is variation in how the results of these things are
used, but this is often configurable and needs to be tweaked for a
particular type of site for best performance anyway.

Are you planning to compare these systems in their default
configurations?  If so your results may be more an indicator of which
vendor's defaults work best for your system than anything else.

> Things I want to look at include the location of sender's IP, the character set, the size of the body, the presence of an inline image (or attachment in general), SPF[3] and whether the message is caught when it is resent after an hour/day/week. (The latter to see if it's just a matter of signatures/blacklists not updating fast enough.) Feel free to suggest more things to look at, or make general suggestions for the project. I'm also happy to hear the suggestion not to run (or publish) the research at all. I am aware that this could also give spammers some insight into which techniques are more likely to evade filters.
>
> Thanks.
>
> Martijn.
>
> [1] Spam in the context of this email is spam sent to spam traps. So the real, proper spam, not the perhaps-not-100%-CAN-SPAM-compliant spam.
>
> [2] Several of these make use of open source filters (e.g. SpamAssassin), so it's fair to say that most filters are covered. The setup does exclude techniques such as TCP fingerprinting or greylisting though.
>
> [3] I would love to include DKIM, but I can only distinguish between does have and does not have a DKIM-signature; the redacting of emails to hide the original recipient makes me unable to decide whether a present signature was actually valid.
>
>
> Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
> Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
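As an added illustration of the feature set Martijn proposes to tabulate (sender IP, character set, body size, inline image or attachment, SPF result, DKIM-Signature present or not), the extractor below pulls those attributes out of a message with Python's standard `email` package; it is example code written for this archive page, not code from the thread, Virus Bulletin or any of the filters discussed, and the sample message and the `Received-SPF` header it carries are constructed, not a real spam-trap capture.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Constructed sample message (not a real spam-trap capture).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7]) by trap.example.org
Received-SPF: pass (trap.example.org: 198.51.100.7 is a permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel; bh=AAAA; b=BBBB
From: a@example.net
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/plain; charset="koi8-r"

hello
--b1
Content-Type: image/gif
Content-Disposition: inline; filename="x.gif"
Content-Transfer-Encoding: base64

R0lGODlh
--b1--
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def sender_ip(msg: Message) -> Optional[str]:
    """Received headers are prepended, so the bottom-most one records the
    first hop: the IP of the host that delivered to the trap's own MTA."""
    for line in reversed(msg.get_all("Received") or []):
        m = IPV4.search(line)
        if m and not m.group(1).startswith("127."):
            return m.group(1)
    return None

def extract_features(raw: str) -> dict:
    """Return the per-message attributes to tabulate against filter verdicts."""
    msg = message_from_string(raw)
    text_parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    # Received-SPF is written by the receiving MTA; take just its result token.
    spf = msg.get("Received-SPF", "").split(" ", 1)[0].lower() or "none"
    return {
        "sender_ip": sender_ip(msg),
        "charsets": sorted({p.get_content_charset() or "none" for p in text_parts}),
        "body_size": sum(len(p.get_payload(decode=True) or b"") for p in text_parts),
        "inline_image": any(p.get_content_maintype() == "image" for p in msg.walk()),
        "attachment": any(p.get_filename() for p in msg.walk()),
        "spf": spf,
        # Presence only, as footnote [3] notes: redaction breaks verification.
        "dkim_signed": msg.get("DKIM-Signature") is not None,
    }
```

Run over a corpus of trapped messages and joined with each filter's verdict, the resulting rows give the caught-by-all versus missed-by-some comparison the project describes.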