Re: [Exim] My (wishlist) ultimate spam solution

Author: dman
Date:  
To: exim-users
Subject: Re: [Exim] My (wishlist) ultimate spam solution
On Fri, Mar 22, 2002 at 04:13:40PM -0800, Greg Webster wrote:
| On Fri, 22 Mar 2002, dman wrote:
| > Anyways, why don't you go rewrite it and the regex engine and the MIME
| > parsing and base64 decoding and all in C, and don't use any libraries
| > at all!, so that nothing else will need to be installed.

|
| That's exactly the point, isn't it? I don't want MIME parsing, base64
| decoding. I want something simple and unobtrusive that doesn't require all
| the stuff you are saying I need to create if I want to replace
| SpamAssassin. Well, as I have said, _I do not want to replace
| SpamAssassin_. I just want a simple way for me -to create my own rules-.


Oh, how about looking at this? Here's a snippet from a piece of spam
that I received recently :

~~~~~~~~
------=_NextPart_000_00A1_03E45A3E.C8413D83
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: base64

PGh0bWw+DQoNCjxoZWFkPg0KPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1MYW5ndWFnZSIg
Y29udGVudD0iZW4tdXMiPg0KPG1ldGEgbmFtZT0iR0VORVJBVE9SIiBjb250ZW50PSJNaWNy
b3NvZnQgRnJvbnRQYWdlIDUuMCI+DQo8bWV0YSBuYW1lPSJQcm9nSWQiIGNvbnRlbnQ9IkZy
b250UGFnZS5FZGl0b3IuRG9jdW1lbnQiPg0KPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1U
eXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9d2luZG93cy0xMjUyIj4NCjx0aXRs
~~~~~~~~

Here's what it says if I decode the base64 and render the HTML :

~~~~~~~~
THE COMPLETE FAX MARKETING SYSTEM!

1 Million Fax Leads & Fax Broadcasting Software
Only $149!

Fax broadcasting is the hot new way to market your product or service. You
can not beat fax broadcasting for cost effectiveness and reliability. Get
your information out to the masses for the lowest price.

People are 4 times more likely to read a fax than junk mail!
~~~~~~~~

This is obviously and easily identified as spam; but only after the
encoding has been decoded. In working with SA I've seen how the mail
structure must be parsed and understood in order to usefully or
reliably determine whether or not a message is spam. SA (v2.11) did
identify this message as being extremely spammy. I only found it
because I file spam-tagged messages into a certain folder and I went
looking there for an example.

| > Not if you have to re-invent the wheel.

|
| See above.


Ditto.

| > It is much less install crazy to write everything in machine code (in
| > binary) yourself at the front panel[1] :-).

|
| Note above. I do not appreciate being told that this was my intention.


I was over-exaggerating to over-emphasize my point. See the smiley?
It wasn't meant to be taken literally.

| Obviously discussion of the _possibilities_ of exim directors is not
| welcome by you on an exim discussion list.


Only when the task is much more complicated and other software already
exists that does the job and plugs in rather nicely.

| > | I don't want all the features of SpamAssassin,
| >
| > Ok, now there's a valid reason for not using it.

|
| So why are you trying to tear me down if this is what I want?


The rest of your message indicates that you do want the features of
SA, you just don't want the message modification to occur. A
commandline option will tell SA to report its conclusion via the exit
code of the process instead of returning a modified message at all.

| > | I just want some simple filtering like this file and director would
| > | provide.
| >
| > You can write a filter to test for various things and react how you
| > want. However if you're going to write a bunch of regex-based tests
| > to identify spam, why not use SA's tests and scores? They've been
| > tested by many people already. You can adjust or remove the tagging
| > that SA does in the config file.

|
| Because I want to make my own adjustments.


SA provides for this. You can create your own tests and scores for it
to apply. If you specify a score of 0 for a test it won't even bother
wasting system resources to perform that test.

| Maybe even do it from scratch for the specific simple tasks that I
| want.


I think the example above shows that, though sometimes it can be,
Internet mail isn't quite that simple.

| You know, people could have just kept running the various commercial
| UNIX's and Windows OS's. There are reasons (even if just for
| learning) for doing things that have already been done.


Certainly. Learning can also be done by observing an existing system.
Even now SA doesn't wholly parse and decode all MIME messages, and
that causes it to allow false negatives in. It is one of the things
in the bug list that needs to be done. For something that is
complicated enough, it is usually better to build upon an existing
system or framework than to reinvent the wheel. If there are
technical grounds demonstrating that the existing system is flawed in
some way, then by all means fix it by starting over. I don't think
that is the case here.

-D

--

Many are the plans in a man's heart,
but it is the Lord's purpose that prevails.
        Proverbs 19:21
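
The point made in the message above, as an added example that is not part of the original post and is not SpamAssassin code: a regex applied to the raw message misses a base64-encoded HTML part, while the same regex matches once the MIME structure is parsed, the transfer encoding undone and the tags removed. The rule, the addresses and the sample message are constructed for illustration.

```python
import html
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical local rule, the kind a regex-only filter would carry.
RULE = re.compile(r"fax\s+broadcasting", re.IGNORECASE)

# Constructed sample body, modelled on the rendered text quoted in the post.
SAMPLE_HTML = ("<html><body><h1>THE COMPLETE FAX MARKETING SYSTEM!</h1>"
               "<p>Fax <b>broadcasting</b> is the hot new way to market "
               "your product or service.</p></body></html>")

def build_sample() -> bytes:
    """Constructed message: the HTML part travels base64-encoded."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Information you requested"
    msg.set_content("This message requires an HTML mail reader.")
    msg.add_alternative(SAMPLE_HTML, subtype="html",
                        charset="iso-8859-1", cte="base64")
    return msg.as_bytes()

def raw_match(raw: bytes) -> bool:
    """Regex run over the message as received, with no MIME handling."""
    return RULE.search(raw.decode("latin-1")) is not None

def decoded_match(raw: bytes) -> bool:
    """Regex run over each text part after transfer decoding and tag removal."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips the multipart container itself
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        try:
            text = payload.decode(part.get_content_charset() or "latin-1", "replace")
        except LookupError:  # unknown charset label in the header
            text = payload.decode("latin-1")
        if part.get_content_subtype() == "html":
            text = html.unescape(re.sub(r"<[^>]+>", " ", text))  # crude rendering
        if RULE.search(text):
            return True
    return False

if __name__ == "__main__":
    sample = build_sample()
    print("raw scan:", raw_match(sample), "| decoded scan:", decoded_match(sample))
```

The tag stripping here is deliberately crude; it stands in for the "render the HTML" step and shows that inline markup splitting a phrase defeats a body regex just as the transfer encoding does.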