[unisog] SP*M Detection Methods & Processes

Russell Fulton r.fulton at auckland.ac.nz
Sat Sep 23 07:19:44 GMT 2006


Bill Martin wrote:
> So, given the architecture, (which from what I see is very close to
> what some companies are doing with their appliances) how does this
> compare to what others are doing? 
>   

Pretty well identical to what we do.  We tag anything above 5.5 and have
been discussing deleting above some threshold.  Good to hear you are
using 10 :)   I personally delete all the tagged messages and dump
everything over 4.0 in a spam folder -- the only FPs I've been getting
are the mails that I send to admins about spyware-infected
machines, which include the snort alert messages...

We have been very happy with this set up and it has worked extremely
well until the recent image spam started a few months ago. Now we are
getting regular moans because most users have had virtually spam free
mailboxes for two years.   We are experimenting with an OCR plug-in but I
fear this will be, at best, a temporary solution as we have already seen
images that use obscured fonts.

I have been wondering if the stock scams we have been seeing are actually
some sort of clever experiment to measure the effectiveness of different
delivery techniques.   I have received multiple copies of the same spam
encoded in several different ways, or maybe it is just spammers generating
random combinations of fonts, colours, and headers to defeat razor detection.

The images combined with fast rotation of sending machines and throwaway
URLs make this spam very difficult to detect :(

Anyone got any success stories to report?

Russell
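The tiered score policy discussed in this thread (folder above 4.0, tag above 5.5, delete above 10) together with an exemption for the internal IDS notifications Russell names as his only false positives, as an added example that is not code from the list or from any of its posters; the `X-Spam-Score` header name, the `TRUSTED_NOTIFIERS` address and the sample messages are assumptions constructed for the example.

```python
import email
import email.utils
from email import policy

# Thresholds quoted in the thread; "above" is taken as a strict comparison.
FOLDER_ABOVE = 4.0
TAG_ABOVE = 5.5
DELETE_ABOVE = 10.0

# Assumed header written by the content scanner (assumption, not from the thread).
SCORE_HEADER = "X-Spam-Score"

# Constructed allowlist: internal alert senders whose mail quotes snort output
# and therefore scores high even though it is legitimate.
TRUSTED_NOTIFIERS = {"ids-alerts@example.edu"}


def spam_score(raw_message: str) -> float:
    """Return the scanner score, or 0.0 when the header is absent or unparseable."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    value = msg.get(SCORE_HEADER, "")
    try:
        return float(value.split()[0])  # tolerate "6.2 (required 5.0)" style values
    except (ValueError, IndexError):
        return 0.0


def sender_address(raw_message: str) -> str:
    """Extract the bare address from the From header, lower-cased."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return email.utils.parseaddr(msg.get("From", ""))[1].lower()


def classify(raw_message: str) -> str:
    """Map a message to one of: deliver, folder, tag, delete."""
    if sender_address(raw_message) in TRUSTED_NOTIFIERS:
        return "deliver"  # known internal notifier: bypass the score tiers
    score = spam_score(raw_message)
    if score > DELETE_ABOVE:
        return "delete"
    if score > TAG_ABOVE:
        return "tag"
    if score > FOLDER_ABOVE:
        return "folder"
    return "deliver"


# Constructed sample messages for a stand-alone run.
SAMPLE_SPAM = "From: promo@example.net\nX-Spam-Score: 12.4 (required 5.0)\n\nbuy now\n"
SAMPLE_IDS = "From: IDS <ids-alerts@example.edu>\nX-Spam-Score: 7.1\n\nsnort alert\n"

if __name__ == "__main__":
    print(classify(SAMPLE_SPAM), classify(SAMPLE_IDS))
```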

