[Spambayes] RE: whitelisting

Cedric Beust cbeust at bea.com
Tue Apr 13 12:25:35 EDT 2004


> From: Tony Meyer [mailto:tameyer at ihug.co.nz] 

> > True, but we are trying to block spam, not viruses.
> [...]
> > One tool for each purpose.
> 
> While I agree with this in principle, sometimes something 
> that is good at (and aimed towards) one thing, just happens 
> to do another really well.
> There's nothing much in SpamBayes that's aimed at picking 
> viruses (there are one or two tokens that are easy to spot, 
> IIRC), but it does quite well at spotting them anyway (since 
> they're often more homogeneous than spam anyway).

That's very true; it's always good to see a virus being caught in my Junk folder.

If it's a direction that you guys would like to explore, I would be interested in
discussing it further.  On top of regular Bayesian selection, there are a few trends
in viruses that would be easy for something like SpamBayes to exploit.

For example, I noticed a recent trend in viruses to show a URL in clear text while the href points
to something different, typically a cid: inside the email, which happens
to be the start of the payload, often in the form of a .scr or other
executable-like file.

Which leads to another potential clue differentiating spam from viruses: viruses
will have URLs that point inside the email while spams refer to URLs on 
the Internet.

> I don't know what the future holds, but if it's more of these 
> compromised machines, then whitelisting will become less and 
> less effective. 

I totally agree that whitelisting is useless for blocking viruses since
they use address books to spoof From: addresses.  Spam is different, though,
since the From: address is typically totally made up.

Interesting stuff!

-- 
Cédric
http://beust.com/weblog
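As an added illustration of the clue Cédric describes above (a visible URL whose href is a cid: reference to an executable-like part), here is a small Python checker; it is not code from this thread or from SpamBayes, and the token names, the regex-based anchor extraction and the extension list are my own assumptions.

```python
import email
import re
from email import policy

# <a ...href=...>text</a> pairs; a simple regex is enough for flat mail HTML.
ANCHOR_RE = re.compile(r'<a\b[^>]*?\bhref\s*=\s*["\']?([^"\'\s>]+)[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
URL_TEXT_RE = re.compile(r"^(https?://|www\.)\S+$", re.IGNORECASE)
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")  # assumed list


def cid_link_clues(raw_message):
    """Clue tokens: one when an anchor's visible text looks like a URL but its
    href is cid:, a second when that cid: part has an executable-like name."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Map Content-ID (angle brackets stripped) -> lower-cased attachment filename.
    cid_names = {}
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            cid_names[cid.strip().strip("<>")] = (part.get_filename() or "").lower()
    clues = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href, inner in ANCHOR_RE.findall(part.get_content()):
            text = re.sub(r"<[^>]+>", "", inner).strip()  # drop nested tags
            if not href.lower().startswith("cid:") or not URL_TEXT_RE.match(text):
                continue
            clues.append("url-text-points-to-cid")
            if cid_names.get(href[4:], "").endswith(EXECUTABLE_EXTS):
                clues.append("cid-target-executable")
    return clues


# Constructed sample in the shape the mail describes (not a real virus):
# visible text is a URL, the href is cid:, and that part is named .scr.
SAMPLE = """\
Content-Type: multipart/related; boundary="B"

--B
Content-Type: text/html

<html><body><a href="cid:part1">http://www.example.invalid/info</a></body></html>
--B
Content-Type: application/octet-stream; name="document.scr"
Content-ID: <part1>

AAAA
--B--
"""
```

Running `cid_link_clues(SAMPLE)` yields both tokens; a mail whose anchor points at an Internet URL, the spam case from the thread, yields none.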
