Mailing List Archive

RE: *****SPAM***** BigEvil False Positive
I just took it out. I don't like FPs at all. Despite playaudiomessage.com :)

Bigevil 2.12a posted.
thanks,
-Chris

> -----Original Message-----
> From: Jens Benecke [mailto:jens-sender-8130a1@spamfreemail.de]
> Sent: Tuesday, February 03, 2004 6:52 PM
> To: spamassassin-users@incubator.apache.org
> Subject: *****SPAM***** BigEvil False Positive
>
>
> Hi,
>
> I get this in a lot of mails:
>
> avast! Antivirus: Outbound message clean.<BR>
>
> Virus Database (VPS): 2/3/2004<BR>
>
> Tested on: 2/3/2004 12:39:59 PM<BR>
>
> avast! is copyright (c) 2000-2003 ALWIL Software.<BR>
>
> <a href="http://www.avast.com">http://www.avast.com</a><BR>
>
>
>
> which triggers
>
> 3.0 BigEvilList_30 URI: Generated BigEvilList_30
>
>
> (www.avast.com). avast.com seems to be a mail virus scanning software.
>
>
> --
> Jens Benecke
>
Re: *****SPAM***** BigEvil False Positive
On Wed, Feb 04, 2004 at 10:44:29AM -0500, Chris Santerre wrote:
> I just took it out. I don't like FPs at all. Despite playaudiomessage.com :)

Perhaps you could take out bitdefender.com from BigEvil_37? It got a
CERT message marked as spam here. Apparently my original message about
it was eaten by sourceforge.

I think you probably get a lot of collateral damage with your
(com|net|biz) extensioning.

I'd almost rather see bigevil be distributed as a list of domains and
a script to generate the rules. Then we individual users could keep a
separate local list for things like false positives that can be grep'd
out of the distributed list.

--
Scott Lambert KC5MLE Unix SysAdmin
lambert@lambertfam.org
RE: *****SPAM***** BigEvil False Positive
> -----Original Message-----
> From: Scott Lambert [mailto:lambert@lambertfam.org]
> Sent: Wednesday, February 04, 2004 11:00 AM
> To: spamassassin-users@incubator.apache.org
> Subject: Re: *****SPAM***** BigEvil False Positive
>
>
> On Wed, Feb 04, 2004 at 10:44:29AM -0500, Chris Santerre wrote:
> > I just took it out. I don't like FPs at all. Despite playaudiomessage.com :)
>
> Perhaps you could take out bitdefender.com from BigEvil_37? It got a
> CERT message marked as spam here. Apparently my original message about
> it was eaten by sourceforge.
>
> I think you probably get a lot of collateral damage with your
> (com|net|biz) extensioning.
>
> I'd almost rather see bigevil be distributed as a list of domains and
> a script to generate the rules. Then we individual users could keep a
> separate local list for things like false positives that can be grep'd
> out of the distributed list.
>

Yeah I never saw that email. Also there were some others involved in the last
BIG tweak. So I think some of these (?:com|net|biz) things are hitting me. I
didn't tweak them all myself. I check on all those so that doesn't happen.
Bear with me while I fix any of these. It's a long story :)

Lists, lists, lists. :) I can't tell you how many emails I get asking for
the list of domains and a script. Here is the deal folks, it will _CRUSH_
your server to generate off a list. This is hand edited to run faster. There
is no sexy script that will create the MAXIMUM sleek regex rule. There are
some nice ones, but they won't "see" what a human will in seconds.

That said:

Gary F. has posted a script to rip out all the domains into a list from
Bigevil. Feel free to use that to pull a list out of Bigevil. The
reg2rule.pl script is also floating around. Been posted many times and I
think it is on the wiki. Feel free to generate 2000+ separate rules using
that. I just hope you don't get a lot of mail traffic on your servers ;)

Sorry, yes I'm cranky today. Lusers won't leave me alone, and I'm about to
use my wife's ibook as a frisbee!

--Chris (Damn ibook hard dive! Damn you!)
Re: *****SPAM***** BigEvil False Positive
On Wed, 4 Feb 2004 12:05:20 -0500 , Chris Santerre <csanterre@MerchantsOverseas.com> writes:

> Gary F. has posted a script to rip out all the domains into a list from
> Bigevil. Feel free to use that to pull a list out of Bigevil. The
> reg2rule.pl script is also floating around. Been posted many times and I
> think it is on the wiki. Feel free to generate 2000+ separate rules using
> that. I just hope you don't get a lot of mail traffic on your servers ;)

And I have a program to regenerate new rules from a list of
domains. It is automated, and does an extremely good job.

http://www.cs.rice.edu/~scrosby/datamining/src/prefixStringFactor/

Scott
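
Added example, not code from this thread and not Gary F.'s script, reg2rule.pl or the prefixStringFactor program linked above: the workflow discussed in the thread, written in Python. It drops locally allow-listed domains from a distributed list, factors the rest by shared prefix with a trie, and emits a single SpamAssassin `uri` rule. The domain list, the allow list and the rule name `LOCAL_EVIL_DEMO` are constructed for illustration.

```python
import re

# Constructed sample data: .example names are placeholders; avast.com and
# bitdefender.com are the false positives reported in the thread.
LISTED = ["cheap-pills.example", "cheap-pillz.example", "cheap-loans.example",
          "avast.com", "Bitdefender.com"]
LOCAL_ALLOW = ["avast.com", "bitdefender.com"]

def load_domains(listed, allow):
    """Normalise case, de-duplicate, and drop locally allow-listed domains."""
    allow = {d.strip().lower() for d in allow}
    return sorted({d.strip().lower() for d in listed} - allow)

def build_trie(words):
    root = {}
    for word in words:
        node = root
        for ch in word:
            node = node.setdefault(ch, {})
        node[""] = {}  # end-of-word marker
    return root

def trie_to_regex(node):
    """Return a regex fragment matching exactly the suffixes stored under node."""
    optional = "" in node  # a listed word ends here, so what follows is optional
    alts = [re.escape(ch) + trie_to_regex(child)
            for ch, child in sorted(node.items()) if ch]
    if not alts:
        return ""
    if len(alts) == 1 and not optional:
        return alts[0]
    body = "(?:" + "|".join(alts) + ")"
    return body + "?" if optional else body

def domain_regex(domains):
    """Anchor the factored alternation to the host part of an http(s) URI."""
    if not domains:  # an empty alternation would match every host
        raise ValueError("empty domain list")
    factored = trie_to_regex(build_trie(domains))
    return r"^https?:\/\/(?:[a-z0-9-]+\.)*" + factored + r"(?:[\/:?#]|$)"

def hits(domains, url):
    return re.search(domain_regex(domains), url, re.I) is not None

def uri_rule(name, domains, score=3.0):
    """Format one SpamAssassin uri rule; the rule name is a hypothetical local one."""
    return (f"uri      {name} /{domain_regex(domains)}/i\n"
            f"describe {name} URI host is on the local domain list\n"
            f"score    {name} {score}\n")

if __name__ == "__main__":
    print(uri_rule("LOCAL_EVIL_DEMO", load_domains(LISTED, LOCAL_ALLOW)))
```

Because the pattern is anchored to the host and ends at a URI delimiter, a listed name does not match when it is only a substring of a longer host such as `cheap-pills.example.org`.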