[Spambayes] Latest spammer trick stymied
Richard Jowsey
richard at jowsey.com
Tue Apr 1 08:52:35 EST 2003
> >> We definitely should NOT crawl the site, just in case it really
> is an >> innocent url. The load can crush a site, particularly if
> it's >> hosted.
>
> Richard> Nah. You need to throw thousands of requests at a
> half-decent Richard> web server before it gives up the ghost. And
> if they're sending Richard> out 10 million mail pieces, they
> should expect their http Richard> server to take some load. These
> are definitely NOT innocent Richard> emails. They come from bogus
> senders, have minimal headers Richard> (deliberately), and contain
> *nothing* but a url. Which points, Richard> via redirect
> naturally, to an incest porn or get-a-huge-penis Richard> site,
> etc.
>
> You can't make that judgement beforehand. If the site you are poking
> is a valid site and the email received was not spam, none of what you
> said holds. If I remember correctly, you said this was only to be
> performed in circumstances where certain criteria were met, none of
> which included a conclusion the mail was spam.
Skip, I agree absolutely! We certainly can't assume that an email
containing only a singleton url is spam. NB: when friends or
colleagues send me a single url, as they do, such messages already
get a "good" classification. No problem there.
But the same kind of message from a spammer ends up as "unsure",
primarily because there's simply not enough clues to be definite
about its classification. Actually, what prompted this whole question
was a "complaint" from one of my proxy beta testers about one of
these spams. He reckoned it was "bloody obvious" that the message was
junk. The classifier disagreed. I went looking for a simple solution!
My *only* criteria for poking the url (rather ironic choice of verb,
considering the sites in question ;-) are:
1. an "unsure" classification
2. number of clues < 150 (or whatever max_discriminators one has)
3. a URL in the message body
If the url happens to point at an "innocent" site, this extra bit of
information-gathering will simply tip the message over to the "good"
bucket. A Good Thing, no harm done. And, in this (unusual) case,
there's definitely no extra load happening at the web server,
precisely because there weren't millions of this email getting
blasted out...
HTH!
Cheers,
Richard
More information about the Spambayes
mailing list