[Spambayes] RE: whitelisting
Cedric Beust
cbeust at bea.com
Tue Apr 13 12:25:35 EDT 2004
> From: Tony Meyer [mailto:tameyer at ihug.co.nz]
> > True, but we are trying to block spam, not viruses.
> [...]
> > One tool for each purpose.
>
> While I agree with this in principle, sometimes something
> that is good at (and aimed towards) one thing, just happens
> to do another really well.
> There's nothing much in SpamBayes that's aimed at picking
> viruses (there are one or two tokens that are easy to spot,
> IIRC), but it does quite well at spotting them anyway (since
> they're often more homogeneous than spam anyway).
That's very true; it's always good to see a virus being caught in my Junk folder.
If it's a direction that you guys would like to explore, I would be interested in
discussing it further. On top of regular Bayesian selection, there are a few trends
in viruses that would be easy for something like SpamBayes to exploit.
For example, I noticed a recent trend in viruses to show a URL in clear text while the href points
to something different, typically a cid: inside the email, which happens
to be the start of the payload, often in the form of a .scr or other
executable-like.
Which leads to another potential clue differentiating spam from viruses: viruses
will have URLs that point inside the email while spams refer to URLs on
the Internet.
> I don't know what the future holds, but if it's more of these
> compromised machines, then whitelisting will become less and
> less effective.
I totally agree that whitelisting is useless to block viruses since
they use address books to spoof From: addresses. Spam is different, though,
since the From: address is typically totally made up.
Interesting stuff!
--
Cédric
http://beust.com/weblog
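As an added example (my own code, not SpamBayes' or the poster's), here is a small Python check for the clue described in the message above: it flags HTML parts whose visible link text is a web URL while the href is a cid: reference to a part inside the same message, and emits a second clue when that part's filename looks executable. The sample message, the clue token names, the suffix list and the simple regex anchor matcher are all constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real virus): the visible link text is a web URL, but
# the href is a cid: reference to an .scr part carried inside the same message.
SAMPLE = b"""Subject: verify
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

Please confirm: <a href="cid:p1@example">http://www.example.com/verify</a>
--b1
Content-Type: application/octet-stream; name="verify.scr"
Content-ID: <p1@example>

not-a-real-payload
--b1--
"""
EXEC_SUFFIXES = (".scr", ".exe", ".pif")  # assumed list, chosen for illustration
# Simple anchor matcher for demonstration; a real tokenizer would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def virus_link_clues(raw):
    """Return clue tokens for the heuristic above: one when a visible http(s) URL's
    href is actually a cid: reference, a second when that cid: part looks executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Content-ID (angle brackets stripped) -> attachment filename, per MIME part
    names = {p["Content-ID"].strip("<>"): (p.get_filename() or "").lower()
             for p in msg.walk() if p["Content-ID"]}
    clues = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href, text in ANCHOR_RE.findall(part.get_content()):
            if urlparse(href).scheme != "cid":
                continue  # ordinary links (spam-style, pointing to the Internet)
            if urlparse(text.strip()).scheme in ("http", "https"):
                clues.append("url:text-is-web-url-href-is-cid")
            if names.get(href[4:], "").endswith(EXEC_SUFFIXES):
                clues.append("url:cid-target-executable")
    return clues


if __name__ == "__main__":
    print(virus_link_clues(SAMPLE))
```

The returned strings are meant to be fed to the classifier as extra tokens alongside the usual ones, so the Bayesian scoring decides how much weight they carry.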