On Wed, 25 Feb 2004 23:53:58 -0500, Tim Peters <tim.one@comcast.net> wrote:

...

It doesn't appear that it would be all that difficult to implement a version of this for SpamBayes, so I thought I'd give it a go, unless someone here is going to tell me that it's not a good idea (or that they've already done it).

Go for it -- we certainly need a dozen new arbitrary parameters to fiddle with <wink>. I haven't found that "word salad" attacks have any luck against my personal classifier, so I'm not sure it *could* do me any good.

I have about 180:180 ham/spam trained in my classifier right now, and word salad type spams are pegged at almost 1 in all cases. I think the strategy of not training salad is what I've done, though not by explicit design. I can't see that a "dolby" (I presume that's what you meant?) would affect my results in the least. It's an interesting idea, though, and I can see how it might affect other applications of the technology, such as webpage bayesian filtering, where the amount of noise is likely to be much higher, and hapaxes would tend to drive things toward unsure much more strongly. It seems like an interesting experiment to perform... +1 from me for experimenting (it's your time after all... <wink>) What I've been thinking about lately is making a simple pop3 client (basically ripping the proxy-ness) out of the pop3proxy, to look at a pop3 account and perform any number of classifications on it. The problem I'm trying to solve is to find a way to respond to the myriad requests we get on spambayes list for answers to the same question. I could create classifiers to recognize characteristic questions (e.g. I upgraded outlook and now spambayes doesn't work) and send an automatic response that includes something like "outlook is stupid and disables some plugins during upgrade. reenable it (url here) and see if that helps. If not, then go to our problem reporting page (url here) and submit a problem report." In this problem space, the noise is likely to be much higher, and the dolby thing might improve the quality of the classifications. But at any rate, if I can do this, it might prove quite liberating, as it seems that most of the questions on the public list fall into a few well defined categories. -- Exprimez vous!; Exprésese; Esprimi te stesso; Express yourself! Tim Stone See my photography at www.fourstonesExpressions.com

[Kenny Pitt]

I've had very similar results. My suspicion is that if (and it's a big *if*) word salad is going to have any negative effect at all, it would be a possible long-term reduction in classifier accuracy. That's something that's going to be very difficult to test. I doubt that anyone who rebuilds their training database from scratch on a semi-regular basis will ever see any effect from it, though, unless the spammers do a much better job of selecting the words they use.

As another data point, my database has no problem identifying the salad messages as spam. Anecdotally, I *think* they don't score as high (no data whatsoever, just a vague impression), but that could easily be wrong. Spammers could do a better job of selecting salad words, perhaps, as most of them turn out to be hapaxes for my database. This is a tough nut for them to crack because everyone's hammy vocabulary is different. I think that will protect us in the end. However, if anyone could distill a subset of hammy words that were hammy to at least a large number of people, then we'd have some trouble. Doing that is not a small project and might not even be possible, but as their delivery rates decline, they may try it. As far as the "Dolby" approach goes (I think Dolby Labs would cringe at this, but Hormel got nabbed so why not Dolby?), it's interesting as a contrast to bigrams. With bigrams, we look for the "strongest" word pairs, considering different tilings of the word stream. It doesn't care about the individual strengths of adjacent words, except indirectly when deciding on the best tiling. The "Dolby" approach looks for word pairs that have the most opposite classifications and doesn't care about the strength of the word pair as a token. This puts a high value on word order, which is information not considered in bigrams. My intuition says it wouldn't help, but like they say, that and a nickel will get you on the subway (obviously a long time ago in a universe far, far away). -- Seth Goodman

[Tim]

Go for it -- we certainly need a dozen new arbitrary parameters to fiddle with <wink>. I haven't found that "word salad" attacks have any luck against my personal classifier, so I'm not sure it *could* do me any good.

Ditto for me. I think it has been mentioned that "word salad" attacks are only noticed when they do happen to have hammy words for a particular person, which makes the person believe they are 'effective', just because they never saw the 500 spams that also tried it. Assuming bayes would see the message as spammy without word salad (as Tim mentioned was normally the case), doesn't this mean that word salad can only help the message get scored in a non-spam category, even if only for a fraction of a percent of the training data out there? This means it is still a win for the spammer.

What's killing me now is virus bounces: since I decided to save and classify every email I get as "ham" or "spam", I've found that I just can't decide about lots of those, and call them ham one day but spam the next. As a result, new ones tend to score near 0.5. I used to leave them Unsure, and delete them unclassified. I was happier then.

Ahhh - but this is really what I had to reply to. This remains my email problem. Mine is probably a little bit worse, as anything@skippinet.com.au comes to me. Training on all of these seemed to actually hurt my false-positive rate - the words used in the various bounce messages are generally slightly hammy, meaning repeated training was necessary to 'bump up' the spam score of the common words, at the expense of others. At least that was my impression when looking at the clues. So unfortunately, my general solution now is a hacked up Python script that tries to detect these bounces, and nuke them. Unfortunately, it is fairly braindead, and is much more aggressive when the 'to' address is not my email address - something I expect you don't need to deal with. This was one reason I would love a generic 'mail filter' mechanism written in Python. If we tracked addresses and subject lines that the user sent, we could probably do a reasonable job of detecting a "good-bounce" from a "bad-bounce", but this is starting to get off-topic :) Mark [Just back from a refreshing 6 day tour 3000km up to Newcastle and back on the bike]