[Spambayes] spammers have found work around?

[Tim Peters]

[Mumm's]
> I've been using spambayes quite a while now with remarkably good
> results, almost 0 spam for many months.
> Recently, though, a few messages have been sneaking through in the 0%
> to 9% range.
> Do you think that spammers are reacting to spambays and other good
> intelligent filter spam blockers by crafting spam especially to get
> through.

Spammers have been working as hard as they can to evade filters of all
kinds for years, but I doubt anyone is targeting SB specifically. 
We're too small a target, and this kind of classifier is difficult to
sidestep reliably because it's so personalized.  Spam is a business,
and spammers get much higher return on investment by learning to fool
"one filter to rule them all" systems used by large organizations
(corporations, universities, ISPs).

Oversimplified, say you're a well-heeled spammer (as some are).  You
*buy* one of these systems, and then send spam to yourself until you
find a way to fool it.  To a first approximation, then, that spam has
a decent chance of fooling many installations of the same system.  You
send out millions of spam then as fast as you can, before the filter
vendor has a chance to change the system to plug the hole you found.

Now you can do the same thing with your own trained SpamBayes, but it
won't do you much good:  the training you do leaves you with a
different database than the training I do, and unless you spend real
money and effort to investigate me, you'll have no idea how to make
your spam look hammy to *my* classifier.  But if you could afford to
do intelligent targeted marketing, you'd get a higher return by moving
to a more traditional form of targeted advertising, trying to sell me
high-ticket legitimate items instead of assorted bottom-feeding scams.
 You'd be out of the spam business then.

That's why SB is hard to beat on a large scale.  It's not trying to
identify spam, it's trying to separate ham from spam according to an
individual's tastes.

> Anyone else noticing this change?

I notice that spam changes all the time.  For example, "Rolex" spam
has become very heavy over the past two weeks in my mix.  A few of
those were Unsure for me at first.  I trained on 2, and haven't seen
another one rate unsure since then.

BTW, I throw away my database a few times each year and start over
from scratch.  I know that this is fun, and slashes the database size.
 I suspect it helps recognition accuracy too, but don't know that for
a fact.  If you feel like you're in a rut, try it!  One common cause
for deteriorating accuracy is training a message into the wrong
category (ham as spam, or vice versa), and that's very hard to detect
after the fact.  As the months wear on, that's simply *going* to
happen sooner or later.  Starting over is often the easiest way to
recover from that.

> Will spambayes always be able to learn these new techniques?

Answering that requires perfect foreknowledge, so, yes, of course
<wink>.  We haven't made significant changes to the classifier or the
tokenizer in many months, but I haven't noticed any decrease in
effectiveness, despite that both the content and form of spam keeps
changing.

A good development is the increasing number of email clients that
refuse to download images in HTML email automatically.  I wish that
were universal.  So long as the spammer has to put stuff *in the msg*
itself that's visible to you, they have to make their sales pitch and
their URL visible to classifiers too, and then it can be analyzed. 
When all they give is a URL that automatically downloads a .gif or
.jpg containing an image of the sales message, that's very hard to
analyze.  But if email clients stop downloading that stuff, the
response rate on spam using that trick will fall to 0, and spammers
will stop doing that.  It's easy to forget that their goal isn't to
irritate you, it's to extract money from you.  To do that, they have
to make a visible sales pitch.