[Gross] Spammers adapt

Eino Tuominen eino at utu.fi
Thu Feb 28 23:17:35 EET 2008

Jesse Thompson wrote:
> sjsms_response_grey = $X4.4.3|$N$D1000|Please$ try$ again$ later
> sjsms_response_match = $D$Y1000
> We haven't tried this technique in production.

I had some problems with that before. Though I think it was to do with 
mailing list expansion done at the reception time. I had to configure 
iMS to expand all mailing lists at the backend because of it. I have to 
check old conversations on the iMS list about it...

> We raised filter_bits to 25 a while ago after experiencing significant 
> false positives in the bloom filters.  Now, we're starting to see that 
> again, so we might need to raise it again.

I remembered that, and I decided to go straight up to 26 as it's still 
only 100 megabytes of memory.

> One additional note, the bloom filter false positives tend to occur when 
> there is a lot of repetition in the from/to values.  You should 
> double-check that your match percentage is not actually due to these 
> false positives.

I'll run a more thorough analysis tomorrow.

> That would be awesome.
> I think we discussed similar ideas here:
> http://code.google.com/p/gross/issues/detail?id=42

Yup, that's just the same block_threshold I'm talking about.

> Don't forget to allow for a weight to be assigned to sophos blocker 
> matches.

I'll get back to this tomorrow.

   Eino Tuominen

