Sorting the Spam from the Ham

MrClever writes "The Sydney Morning Herald (Aust) is running an article about the merits of Bayesian filtering and a good plain-english description of how it works. Might be handy if you need to explain it to non-technophiles. The main thing that may be useful is a Bayesian spam filter written to drop straight into Outlook 2k/XP available here and written in Python by Mark Hammond." Math buffs might enjoy reading these pages or browsing this writeup and its many links.

But without spam...

[pnix]

But without spam, I wouldn't get any email!

Re:But without spam...

[IthnkImParanoid]

You're getting modding as funny, but I just figured out exactly how true this is. My main email account is used primarily for work, so it was very easy to set up white lists for 30 or so email addresses with a few family and friends thrown in, and route to a special folder. I still check the default folder, of course, but I turned off notification for everything except the white folder.

I went from checking my email every 5-10 minutes to a handful of times a day.

Finally....

[JohnnySkidmarks]

I get to do something to stop my boss from enlarging his penis anymore... It's really starting to hurt.

Why not here?

What happens if Slashdot runs a Bayesian filter which runs a day after the stories are posted and programs itself with all the -1 comments as "Spam" and all the +5 comments as "Ham". Then let the Bayesian filter adjust all incoming messages by up to 2 points.

I bet it'd work - and imagine if we did it to stories too! Maybe it'd reject all Taco's dupe submissions.

Re:Why not here?

[bmongar]

Very interesting but I think it wouldn't work well, since most of the trolls and flamethrowers are talking about the same topics the same words will show up in both ham and spam posts. But if someone could come up with a word pattern algorithm that could differentiate that would rock.

Re:Why not here?

[kels]

I bet it'd work - and imagine if we did it to stories too! Maybe it'd reject all Taco's dupe submissions.

Umm, a naive Bayesian filter would score duplicate posts highly, because after all they contain all the same words that were good last time.

Re:Why not here?

[Zork+the+Almighty]

I can't understand why none of my emails ever get through. Let me start by first introducing myself, I am Dr. Zork the Almighty, a manager at the SOCIETE GENERALE BANK NIG. LTD. Lagos. I have come across your name in a private search for a reliable and reputable person to handle a very confidential transaction. I am looking for a foriegn partner to assist in a transaction involving FIVE BILLION US$ currently in an escrow account.

What I want

[Nate+Fox]

is a scalable popfile for larger organizations. If I could get popfile (with its super-easy-to-train/use-web-interface) that would run on my linux server, scan my IMAP mail server (well, incoming mail would actually work fine, too. I've heard they have a smtp plugin for it in cvs), and then have a popfile config page for each person, or mayby tie it into the imap/smtp server's login. THAT would rock. I've heard spamasassin does Bayesian, but I couldnt see how it was trainable (and I dont want other people on my server to read each others mail, obviously).

Re:What I want

[Telastyn]

What I want is physical pain upon the sender whenever spam is sent. *THAT* would be much better I think :]

Hell, even a fee or mental anguish would suffice...

Re:What I want

[franimal]

Personally, I really like Spambayes and Procmail for use with my IMAP server. It's easy to setup for each user and they can train their own SPAM database. You can even run the training script as a cron job and the users only need to shuffle unknowns to the spam folder. Works well, because users never even have to see the spam, if they don't want to.

Re:What I want

[leshert]

Spamassassin learns in two ways:
1. Manual training: there is a tool called 'sa-learn'. You can pipe a message to it, or point it to a mailbox, and specify whether the mail is spam or ham.
2. Automatic training: if the score of the mail is significantly low (definitely spam) or significantly high (definitely ham), it will automatically train on the message. This may seem useless, but it's useful in that SA will then start to figure out patterns in spam or ham that don't trigger its rules.

I read mail with Mutt, and I've remapped the 'd'elete key to instead throw the message into a 'ham' mbox, and added a 'S'pam mapping to throw the message into a 'spam' mbox. Then I added a nightly cron job to run sa-learn over the two mboxes and truncate them. This has worked very, very well for me... In I haven't had a single false positive since Bayes kicked in about two months ago, and I got my first false negative in about two weeks today. I typically trap 10-15 spams a day.

One thing to notice: even if you enable it, Bayesian filtering won't kick in until you've recognized at least 200 spam and 200 ham messages. Took me a long time to figure that out (I had plenty of spam, but I wasn't training it on ham at all, which is why I started remapping the mutt commands).

As far as installing it on a server, your users don't have to be able to read each others' mail. I have it installed so that my wife and I each have our own bayes dbs, so neither of us has to read each others' mail. Plus, different users will regard different mail as spam: anything about the Pittsburgh Steelers going to my mailbox is probably spam, but not hers; similarly, anything regarding Linux going to her mailbox is probably spam, but not mine.

Re:What I want

[JohnGrahamCumming]

I agree with you and we are planning to get to that ASAP. There's some underlying work we need to do on performance first (that's planned for v0.20.0) and then we'll have the foundation for multiusers, pretty much as you describe. If anyone out there wants to write an IMAP module (subclass of Proxy::Proxy) then I'd be very happy to accept it. John.

Re:What I want

[slagdogg]

I read mail with Mutt, and I've remapped the 'd'elete key to instead throw the message into a 'ham' mbox, and added a 'S'pam mapping to throw the message into a 'spam' mbox.

Would you mind sharing your .muttrc for this?

Re:What I want

[leshert]

Not at all. The macros are short and sweet:


macro index d ~/Mail/bham^my
macro pager d ~/Mail/bham^my
macro index S ~/Mail/bspam^my
macro pager S ~/Mail/bspam^my


Then the relevant sections of my crontab look like this:


0 2 * * * /usr/bin/sa-learn --spam --mbox /home/tim/Mail/bspam
15 2 * * * /usr/bin/sa-learn --ham --mbox /home/tim/Mail/bham


In another post (as well as on several sites on the web), it's recommended to bind a key to pipe the message directly to sa-learn. I read my mail on the server, which is an embarrassingly old machine, and sa-learn takes on the order of 30 seconds per email--not fun when you're just doing 'that last check of email before heading home'. Copying the mail to a file is just about instantaneous, and the sa-learn can do its dirty work while I'm sleepting (or watching The Office, as the case may be).

Re:What I want

[thogard]

Some of them are dealing with the pain. A guy I meet recently paid about AU$5000 to a spam house to send his ad out to a million people in an opt-in mail list. His web server got 40 hits that day compared to the daily averge of 13 and none of them bought his book. He was taught a $5000 lesson that spaming doesn't work. What was interesting is that the "demo run" got more hits on his web site than the real run.

How to filter bloodninja?

[Talisman]

And if you could, would you really want to?

bloodninja: Baby, I been havin a tough night so treat me nice aight?
BritneySpears14: Aight.
bloodninja: Slip out of those pants baby, yeah.
BritneySpears14: I slip out of my pants, just for you, bloodninja.
bloodninja: Oh yeah, aight. Aight, I put on my robe and wizard hat.
BritneySpears14: Oh, I like to play dress up.
bloodninja: Me too baby.
BritneySpears14: I kiss you softly on your chest.
bloodninja: I cast Lvl 3 Eroticism. You turn into a real beautiful woman.
BritneySpears14: Hey...
bloodninja: I meditate to regain my mana, before casting Lvl 8 Penis of the Infinite.
BritneySpears14: Funny I still don't see it.
bloodninja: I spend my mana reserves to cast Mighty of the Beyondness.
BritneySpears14: You are the worst cyber partner ever. This is ridiculous.
bloodninja: Don't shit with me biznitch, I'm the mightiest sorcerer of the lands.
bloodninja: I steal yo soul and cast Lightning Lvl 1, 000, 000 Your body explodes into a fine bloody mist, because you are only a Lvl 2 Druid.
BritneySpears14: Don't ever message me again you piece.
bloodninja: Robots are trying to drill my brain but my lightning shield inflicts DOA attack, leaving the robots as flaming piles of metal.
bloodninja: King Arthur congratulates me for destroying Dr. Robotnik's evil army of Robot Socialist Republics. The cold war ends. Reagan steals my accomplishments and makes like it was cause of him.
bloodninja: You still there baby? I think it's getting hard now.
bloodninja: Baby?

--

bloodninja: Ok baby, we got to hurry, I don't know how long I can keep it ready for you.
j_gurli3: thats ok. ok i'm a japanese schoolgirl, what r u.
bloodninja: A Rhinocerus. Well, hung like one, thats for sure.
j_gurli3: haha, ok lets go.
j_gurli3: i put my hand through ur hair, and kiss u on the neck.
bloodninja: I stomp the ground, and snort, to alert you that you are in my breeding territory.
j_gurli3: haha, ok, u know that turns me on.
j_gurli3: i start unbuttoning ur shirt.
bloodninja: Rhinoceruses don't wear shirts.
j_gurli3: No, ur not really a Rhinocerus silly, it's just part of the game.
bloodninja: Rhinoceruses don't play games. They fucking charge your ass.
j_gurli3: stop, cmon be serious.
bloodninja: It doesn't get any more serious than a Rhinocerus about to charge your ass.
bloodninja: I stomp my feet, the dust stirs around my tough skinned feet.
j_gurli3: thats it.
bloodninja: Nostrils flaring, I lower my head. My horn, like some phallic symbol of my potent virility, is the last thing you see as skulls collide and mine remains the victor. You are now a bloody red ragdoll suspended in the air on my mighty horn.
bloodninja: Fuck am I hard now.

--

BritneySpears14: Ok, are you ready?
eminemBNJA: Aight, yeah I'm ready.
BritneySpears14: I like your music Em... Tee hee.
eminemBNJA: huh huh, yeah, I make it for the ladies.
BritneySpears14: Mmm, we like it a lot. Let me show you.
BritneySpears14: I take off your pants, slowly, and massage your muscular physique.
eminemBNJA: Oh I like that Baby. I put on my robe and wizard hat.
BritneySpears14: What the fuck, I told you not to message me again.
eminemBNJA:
BritneySpears14: I swear if you do it one more time I'm gonna report your ISP and say you were sending me kiddie porn you fuck up.
eminemBNJA: Oh
eminemBNJA: damn I gotta write down your names or something

This is bad news!!!

[aborchers]

The main thing that may be useful is a Bayesian spam filter written to drop straight into Outlook 2k/XP

I've now lost one of my primary arguments for switching my colleagues to Mozilla!

Re:This is bad news!!!

[joeflies]

From what I understand, beta testers tell me the next revision of the Outlook client contains a spam filtering function that works pretty well too. I do like the Mozilla 1.4 junk mail features though - works about as good as I could have hoped.

Re:This is bad news!!!

[aborchers]

Er, wouldn't that first involve switching them to Linux? Come on, man, I have to take baby steps with people who need convincing to leave Outlook! :-)

Re:This is bad news!!!

[Mikey-San]

I know your post was meant to be funny, but it brings up a point:

So what? If more computer products benefit, don't we all? Anything that makes Outlook better is good in my book. Perhaps this will eliminate some virus-and-worm-carrying spam--and that's good for /all/ of us on teh intarweb. ;-)

Re:This is bad news!!!

[aborchers]

First, I'd refer you to my /. Moderation Aphorism #1. Second, I'll give a serious answer to your serious observation:

I use MS Office under Crossover Office because it gives me the features I want (admittedly, one of them is the ability to share identically functional documents with Windows users) so I definitely agree with your perspective. In the case of Mozilla, there has been a great ruckus around here about spam, and I kept telling people it didn't affect me because I used Mozilla w/ Bayesian filters. Additionally, Outlook's rotten record for relaying mail worms has been a problem to me as a sys admin. Independent of the calendar/groupware features, in my immediate area, most people use Outlook as a mail client out of inertia because it came with Office and refuse to switch because of fear of the unknown rather than out of a choice based on features.

Re:This is bad news!!!

[H310iSe]

I use outlook because my clients use outlook (though mostly I just use the awsome web interface that fastmail.fm provides). My clients use outlook because it has great, integrated calendaring and it syncs with their various PDAs. Such is life.

I recently reviewed 7 client-side spam filters and ended up picking Spambully. It's not free and it's not perfect but for our environment (Win/outlook 2k2 w/ a weird mirapoint IMAP server and multiple PCs per user (so email needs to stay on the server)) it was the best. Very tight outlook integration (i'm a little worried about instabilities but so far it's smooth) and baysian.

But it's really just the best of a bad lot. It's great to see someone working on an open source filter that might work w/ IMAP - we can't have enough of these since right now, well, we have almost none.

SpamAssassin works for me (even on Exchange)

[AssFace]

My own personal account is on a shared server at pair.com, and I run SpamAssassin (the perl script, can't put the spamc/d on there since I'm not root).
I have written on here before how I have saved myself a lot of hassle over the last few months by installing SA. I now stop 100+ messages a day (usually more like 140 now).
My stats tell me that since Feb, I've stopped over 15K Spam messages. Hot damn.

Where I currently work now we have Exchange and I wanted SpamAssassin on there, but we weren't getting the money approved to put it on.
So I hacked in SpamAssassin via an Exchange 2000/2003 EventSink.
If you want the code for it, feel free to grab it from http://www.cardboardutopia.com/ExchangeSpamFilter. zip

But do note that if you have many users on your machine, you aren't going to want to use this - an EventSink on Exchange runs in serial, so SpamAssassain's Perl script (the spamc/d doesn't work under Win32) will get executed on every incoming mail, and it will have to wait until it is done before it gets the next one.

We process about 2000-5000 incoming messages a day and it does okay, but we have a very light load.

Re:SpamAssassin works for me (even on Exchange)

[IthnkImParanoid]

SpamAssassin is nice, but it's nowhere near the 99% elimination claim in the article (an vaporous claim in the article? The hell you say!)

SpamAssassin, set at 5 (after I got a false positive at 4) stops about 75-80% of spam, but with some more rules from me (how did SpamAssassin let 'huge c-cks' get through?!) stop closer to 90%.

The only solution I've tried that worked well has been white lists, but that only works so well because I don't make a lot of new friends :)

Re:SpamAssassin works for me (even on Exchange)

[AssFace]

The company that I am at now is a financial services one - dealing largely with hedge funds.

The term "asset" shows up in 90% of our mail - it is amusing how many issues the companies in our sector have with poorly written filters that think "asset" is a bad word.

I suggested that we start referring to the same concept as "fuckerbabies" but it hasn't caught on yet.

Re:SpamAssassin works for me (even on Exchange)

[mpieters]

We ran SpamAssassin on Python.org and Zope.org for a considerable lenght of time. We had, however, many false-positives to deal with (we manually checked everythiong that scored everything between 5 and 10 points on the SpamAssassin scale). Usually, we had to review between 10 and 15 messages a day like this.

We recently switched to SpamBayes, and our false-positive rate so far is 6 out of 2200+ spams (almost 12 days of traffic, with certain foreign charactersets, malformed email headers and blacklisted email bounced and not included in this number), mostly because we are still in training mode.

On top of that, because SpamBayes is written in Python, we can integrate it directly into Exim with Greg Ward's elspy, whereas we had to run SpamAssassin in a separate process, which occasionally bombed out. Way much faster this way!

Way more hot damn!

Re:SpamAssassin works for me (even on Exchange)

[vanyel]

I run a small ISP with spamassassin installed, and I had to increase the default quota when I upgraded to the version with Bayesian filtering and its multi-megabyte databases per user. Combined with spamd bugs forcing me to switch back to running spamassassin individually and the fact that spamd still doesn't serialize processing, so the system still gets hammered by a flood of spam, I'm looking forward to greylisting to help take the load off spamassassin.

Spambayes

[Chromodromic]

I use Spambayes with Outlook 2000, and it takes a little tweaking, but it works as advertised. Ahhh, the magic of mathematics. Just now, brought up Outlook, checked my mail and three little messages offering a free Sony headset, 70% off cell accessories, and a chance to take an IQ test just got tossed into my spam folder. Thanks anyway, but I think that means I just passed my IQ test.

Every so often I go in and take out some old, old spam, just to make sure my current preferences are being represented and that's all the maintenance that's required.

This is, however, the second time I've trained the filter. The first time, it incorrectly identified my FreeBSD status mails as spam, and from then on was throwing those into the Spam folder. My own fault, though, since I hadn't included any of these messages in my representative ham.

If you run Outlook, download this filter and use it. You'll be doing yourself, and a world that doesn't need fat-injected, herbally enhanced penises, a favor.

Re:Spambayes

[AssFace]

I have seen all of the local client software and I personally have never bothered with it.

I always felt that the whole point of spam being annoying was that it wasted bandwidth. It gets sent to my server, and then I have to download it all from my server, and then it gets sorted away from my eyes in my client.

It is fairly trivial if you get enough regular mail for it to matter, and you are on a fast connection.

But I can't tell you how annoying it is to be on a slow dial-up connection and download 50 messages and then see that they all got filtered into the spam folder and that there were no "real" messages.
While there is a nice feeling of seeing them all get caught, it is annoying to have to wait for a download (and pay for it) and then get no return on the investment.

That is why I always try to have the spam blocking on the server side. Although I now spend most of my time using ssh into my server and that way it isn't downloading all of the mail until I want to see something.

Perhaps if I combine the fact that I have SA on the server, and then if I also had a client side option, I would get everything properly blocked that way (the only reason stuff gets through my server setup right now is if the server is under a high load, then my SA script will time out and the mail gets through).

An interesting way to deal with spam.

[Meat+Blaster]

I've tried a number of different ways to filter spam, from whitelisting to Bayesian filtering, and Bayesian seems to offer a good balance between not eating too much of the ham while letting the spam through. Not too shabby, especially given that it comes with Mozilla now, and I think it's an excellent way of allowing clients to determine what they want to see without infringing free speech.

I don't know if I'd want it in Python, though... it does seem to be a good deal slower already than other spam filtering methods without putting it in a scripting language. Getting it in Outlook can only be good for the net (can Bayesian be applied to things like spam from Internet virii as well?)

Re:An interesting way to deal with spam.

[kefoo]

can Bayesian be applied to things like spam from Internet virii as well?

What if the the filtering programs had a feature that would allow somebody to send out the "signature" of an email virus that the filter could use to block the virus before it had ever actually seen one, by adding its characteristics to the list of things that weigh heavily toward spam so it would be filtered out before ever reaching Exchange/Outlook.

Written by more than hammond

[adamhupp]

The Outlook plugin may have been written by Mark Hammond but spambayes is very much a group effort. The project can be found at spambayes.sf.net.

I've been using spambayes for months now and it really is quite amazing. Now, when I get the occasionaly spam in my mailbox it's actually interesting because I want to figure out why it made it in. The number of false positives is almost nil, and the ones that do get hit are spammy looking autogenerated reciepts from purchases I've made. It's made reading email a much more enjoyable activity.

-Adam

Re:Written by more than hammond

[Wakko+Warner]

The number of false positives is almost nil, and the ones that do get hit are spammy looking autogenerated reciepts from purchases I've made.

This is quite possibly the only complaint I have about spambayes, too, and it's not even that big a deal to me. After about a month of collecting spam in its own folder (named SHIT, oddly enough), it had learned enough that I was able to dial down my SpamAssassin settings (I use an old version of SA still, too, without the bayesian stuff built in -- too lazy to switch; spambayes works well enough that it's not worth it.) I check my incoming spam folder once or twice a week now, as opposed to once or twice a day when I only ran SpamAssassin at a relatively forgiving (4.5-5.5) setting.

There are a few thousand spams in SB's crap folder now; it's gotten so good that I can't really remember the last time I've had something miscategorized as spam, and of the 50-60 spams I get per day, usually only one or two make it through to my inbox, if that. Half of the time, I don't get any at all.

If you didn't have a reason for installing a Python interpreter before, now you do.

- A.P.

Better Bayesian Filtering

The first discovery I'd like to present here is an algorithm for lazy evaluation of research papers. Just write whatever you want and don't cite any previous work, and indignant readers will send you references to all the papers you should have cited. I discovered this algorithm after ``A Plan for Spam'' [1] was on Slashdot.

Spam filtering is a subset of text classification, which is a well established field, but the first papers about Bayesian spam filtering per se seem to have been two given at the same conference in 1998, one by Pantel and Lin [2], and another by a group from Microsoft Research [3].

When I heard about this work I was a bit surprised. If people had been onto Bayesian filtering four years ago, why wasn't everyone using it? When I read the papers I found out why. Pantel and Lin's filter was the more effective of the two, but it only caught 92% of spam, with 1.16% false positives.

When I tried writing a Bayesian spam filter, it caught 99.5% of spam with less than .03% false positives [4]. It's always alarming when two people trying the same experiment get widely divergent results. It's especially alarming here because those two sets of numbers might yield opposite conclusions. Different users have different requirements, but I think for many people a filtering rate of 92% with 1.16% false positives means that filtering is not an acceptable solution, whereas 99.5% with less than .03% false positives means that it is.

So why did we get such different numbers? I haven't tried to reproduce Pantel and Lin's results, but from reading the paper I see five things that probably account for the difference.

One is simply that they trained their filter on very little data: 160 spam and 466 nonspam mails. Filter performance should still be climbing with data sets that small. So their numbers may not even be an accurate measure of the performance of their algorithm, let alone of Bayesian spam filtering in general.

But I think the most important difference is probably that they ignored message headers. To anyone who has worked on spam filters, this will seem a perverse decision. And yet in the very first filters I tried writing, I ignored the headers too. Why? Because I wanted to keep the problem neat. I didn't know much about mail headers then, and they seemed to me full of random stuff. There is a lesson here for filter writers: don't ignore data. You'd think this lesson would be too obvious to mention, but I've had to learn it several times.

Third, Pantel and Lin stemmed the tokens, meaning they reduced e.g. both ``mailing'' and ``mailed'' to the root ``mail''. They may have felt they were forced to do this by the small size of their corpus, but if so this is a kind of premature optimization.

Fourth, they calculated probabilities differently. They used all the tokens, whereas I only use the 15 most significant. If you use all the tokens you'll tend to miss longer spams, the type where someone tells you their life story up to the point where they got rich from some multilevel marketing scheme. And such an algorithm would be easy for spammers to spoof: just add a big chunk of random text to counterbalance the spam terms.

Finally, they didn't bias against false positives. I think any spam filtering algorithm ought to have a convenient knob you can twist to decrease the false positive rate at the expense of the filtering rate. I do this by counting the occurrences of tokens in the nonspam corpus double.

I don't think it's a good idea to treat spam filtering as a straight text classification problem. You can use text classification techniques, but solutions can and should reflect the fact that the text is email, and spam in particular. Email is not just text; it has structure. Spam filtering is not just classification, because false positives are so much worse than false negatives that you should treat them as a different kind of error. And the source of error is not just random variation, but a live hum

Re:Better Bayesian Filtering

[GoatEnigma]

Email is not just text; it has structure.

You've obviously never received email from an AOL user!

News for Pervs, Stuff that Matters.

[notque]

Would you use the phone if you had to listen to a 10-second brothel advertisement every time you made a call?

Yes.

Definately Yes.

Is that a feature I can have added?

Re:News for Pervs, Stuff that Matters.

shouldn't that be:

News for Pervs, Stuff that Splatters.

??

Eudora users...

[Control-Z]

Eudora 6.0 beta has spam filtering which seems to be Bayesian. It's a little slower to learn than PopFile, but it's pretty good so far, and of course integrated with the Eudora UI.

http://eudora.com/betas

Spam filtering altogether

[ToadMan8]

I sat on the E-Mail policy team (a branch of the Strategic Planning team) for Miami University (Oxford, OH, not Florida) this last year (as a technical advisor, student and support desk employee. We looked at all sorts of spam solutions, as the president decided this should be a main focus (apparently the Viagra adds hit a bit too close to home for comfort ;)).

The problem in the educational market, though, is that, not being a business that can make rules and force people to live by them, educational establishments have annoyed customers (students and faculty) sometimes if any spam is blocked. (research, etc) False positives absolutely can't be tolerated. So a ranked system (spam assasian) that suggests the possibility of spam is not on the best but the only solution we have avalible. Mail will be ranked and users can make rules that trash everything but a guarenteed perfect mail, if they so desired. Or they can leave them all alone. So intelligent filtering is a necessity, not just a bennefit.

On another page, I had an odd place during this discussion of the team. I do not receive spam. (Please, don't start now). My MUOhio.edu address simply doesn't get a single piece of spam e-mail. I have had the account for two years. I have over 3000 messages in various folders. And none are spam at all. I just haven't signed up for anything with it. I put the e-mail addy on webpages too (that I author) and haven't gotten a single thing. But oh my the trash "spam" account gets 60 a day. On AOL. That blocks 80% of incoming mail. Ironically, they had MUOhio.edu blocked weeks back.

Re:Spam filtering altogether

[greed]

I don't know spambayes, but bogofilter most definately can operating in a "ranking" mode:

• X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=0.12.2
• X-Bogosity: Unsure, tests=bogofilter, spamicity=0.499150, version=0.12.2
• X-Bogosity: Yes, tests=bogofilter, spamicity=0.969917, version=0.12.2

Then you can header-match in your MUA all you want--or not. (I run it all through procmail, but that's because I want all the filtering done before it hits my IMAP server.)

Mozilla Mail

[respite]

In case anyone hasn't tried it yet, the Bayesian filters in the mail client of the Mozilla suite are really impressive. They have worked close to flawless for myself.

Re:Mozilla Mail

[drinkypoo]

They work pretty well for me, but nowhere near flawless. Some days I get 25 messages that go into the spam folder and only 3 in my inbox, some days I get about 10 in the spam folder and 5 in the inbox... It's a lot better than nothing. The real reason I run Mozilla for mail is the HTML rendering, which is better than any other mail client I'm aware of; The secondary reason is the bayesian filtering, and the tertiary is Enigmail, though no one I know bothers to use encryption anyway.

Fight Spam with SpamProbe

[steveha]

I wrote an article on how to set up SpamProbe on a server, and make it easy to train. You could also use Bogofilter or any other trainable spam filter, set up the same way.

I get at least 100 spam messages a day now, and I only see about a half-dozen or so. SpamProbe deals with the rest, and I don't have any problems with false positives. (SpamAssassin thinks that ads for LinuxWorld Expo are spam, but as I have it trained, SpamProbe doesn't.)

steveha

Popfile

[isn't+my+name]

I use PopFile. What I like about it is that it easily lets me use multiple personalities in Eudora, Outlook or any other mail client. Nice web based interface and a very active development community.

You can run it locally on Windows or Linux. But, you can also set it up on a server and then use it to filter e-mail from multiple client machines. That's what I like about it. I have a home machine in my basement office but also upstairs in the TV room. Unlike plug-ins that only work locally, I can have my reclassification decisions apply to multiple client machines.

Right now, they do not have multiple user capabilities so that my wife and I can both use the same instance and not have our classifications interfere with each other. However, you can set up multiple instances bound to different ports. The developers list multi-user capability as a priority.

Worth checking out along with the other choices.

So-so article

[scottme]

For an article in an "IT tech" section of a paper, this is really very weak.

It really doesn't do much more than precis Paul Graham's arguments, then ends in a blatant plug for just one Outlook addon.

I suppose if there are still people in the column's audience who haven't heard this all before, and it gets the message out that spam can be effectively filtered, it's a minor goodness.

Remote Images in spam...

[dioxn]

I've noticed that the spam that has been getting through my Mozilla filter are the ones with innocuous sounding subjects and an embedded image.
Could this be the future of spam?
Does anyone know if any spam filters pick up on this patern or lack of pattern (after all there are no words in the body usually.)

Re:Remote Images in spam...

[cybermint]

Bayesian is more or less word based, so graphical only messages fly right by my Mozilla mail filters. I believe it does the check after the html has rendered. If they ran the filter before the html was rendered, they might have slighty better results. Eventually all spammers will learn the undetectable patterns that only a handfull seem to know now, and it will once again render mail filters useless. I hate HTML e-mail.

Re:Remote Images in spam...

[zerocool^]

Does anyone know if any spam filters pick up on this patern or lack of pattern (after all there are no words in the body usually.)

Um, only read emails in plain text? Use mh.
inc; scan; show last
By the way, those images are baaaad. Usually they're something like img src="blahblah.jpg?userid=32898392" and then, when you open it, there's a log of the image with the userid 32898392 being fetched. Therefore, they know that your email address is valid. So, it's a good idea to filter out images anyway.

But, come on. Email is a medium for transmitting text. It's not supposed to have flowery backgrounds, blinking text, and embedded images. Mabey i'm a purist? But, it's another thing that use to be beautifully simple that the explosion of advertising on the internet has rendered unuseable.

Re:Remote Images in spam...

[rusty0101]

This is one of the reasons I have configured Evolution to not display remote images, unless I request them. The other is that pulling remote images has the functionality of verifying your e-mail address. (server operator generates a couple million unique random numbers, creates a table of associations between e-mail names and the random numbers, sends each e-mail address their random number as an img src=protocol://server/uniqRanomNunber/image.php, which does a lookup on the uniquRandomNunber, and confirms your e-mail address. Spamer sells list of confirmed e-mail addresses, and you get more spam.

Suggestion. If your e-mail client does not allow you to disable remote image retrieval, at the very least turn off preview panes. Bette is to find a client that does allow you to disable remote image retrieval.

-Rusty

Mozilla

[Little+Dave]

Having used the spam filtering built in to Mozilla for the last six months, I can testify to its effectiveness. In very little time at all, I'd trained it to send 95% of the filth to the spam directory and avoid doing the same for 95% of good mails. For me, not having to run a "middle man" piece of software was a real boon.

However, my life isn't totally spam free, as I find that I become neurotic about those 5% false positives that get unhelpfully moved to the spam directory, so still end up having to sift through the grot every once in a while. On the plus side, I now have a solution to my tiny cock problem, I've arranged cheaper home insurance and I have the email address of several horny co-eds who I'm assured are hungry for man juice.

Why stop at classifying spam? Why not all e-mail?

As I wrote only late last night, using Bayesian classification with only two categories (spam and "non-spam") is somewhat short-sighted, since if properly trained, a Bayes classifier can do a much better job than ordinary mail filtering (procmail, Mozilla or Mail.app filters, you name it).

In fact, if I had to bet on the next "killer apps", mail sorting and RSS filtering based on Bayesian classification would be right at the top of my list, based solely on the actual time-saving benefits for users. And I can't see any reason for Bayesian filtering not being included in Mozilla Mail and Apple's own (revamped) Mail.app.

I have to use Outlook at work, and after setting up Outclass (which requires POPfile) with several "buckets" to classify my corporate e-mail by project and field, I'm definetly not going back. Outlook, even with extensive use of Rules Wizard and categories, simply cannot cope with the diverse kinds of project-related e-mail I swap with colleagues, and Outclass is the only thing I could find that could deal with Exchange, PST folders and multiple Bayesian "buckets" categories.

Come on, do the right thing and tell Apple and The Mozilla Project that you want configurable Bayesian filtering on their mail clients.

I hate spam too, but...

[Daimaou]

I hate spam just as much as the next person, but I must admit, without it I wouldn't be the horse-sized love stud that I am. Thanks spam.

Dirty Spammer Tricks

[dprice]

I have been using the Mozilla junk mail filter for a couple of months now. One pop mail account is one that I started using in 1996. It is a spam magnet. In the time I have been using Mozilla, it has accumulated over 12,000 spam messages. That should be plenty of training for the Bayesian filter.

Mozilla's filter does a reasonably good job at catching spam, but I still get a handful of messages every day that slip through the filter. The ones that slip through seem to be messages that have intentionally munged the spammy words with spaces, numbers, and misspellings. The spammers know that people are filtering, and they are successfully getting through the filter with their dirty tricks. Another trick spammers use is to send a message with nothing but a graphic ad. The filter doesn't have enough words to judge the the spam, so the message slips through.

I also had some 'ham' messages get filtered, so I still have the annoyance of having to check the 'junk' folder periodically for wanted messages. The filtering makes life easier, but it is still not an ideal solution to the spam problem.

Re:Dirty Spammer Tricks

[letxa2000]

Trust me, a year or so from now, bayesian filtering will no longer be effective.

No, I don't think I'll trust you on that... :)

I have already seen the effectiveness of Popfile drop from 99% to 95% in the last 3 months.

That's very strange, but based on what you said below it seems that that's due to a limitation of Popfile as opposed to Bayesian itself. I've seen my Bayesian effectiveness INCREASE in the last 3 months.

Now spammers are including several paragraphs of unrelated (ie, un-spammy) text at the end of their message

There is a common misconception--both among spammers and anti-spammers--that doing the above will get your messages through. In some rare cases it might, but you have to remember that a good Bayesian filter is only going to pay attention to the most spammy and least spammy words. Just entering a useless, non-spammy paragraph is not enough. Unless that non-spammy paragraph happens to contain quite a few words that are downright NON-SPAM in my corpus all that verbage isn't going to do squat to lower the overall spam score of the message.

Basically, you need to know that my email typically talks about microcontrollers, I have a friend named Nathan, or my mom is named Angie. Just flooding me with words that don't appear in spam will do nothing unless you flood me with words that are extremely non-spammy in my particular corpus. And it's unlikely some random paragraph will manage to do that.

So now Popfile will have to have a MIME decoder?

You mean it doesn't now? This is what causes me to think that this is a limitation of Popfile more than a limitation of Bayesian and, perhaps, is why my Bayesian effectiveness is climbing and yours is falling.

And then they'll send their SPAM in GIFs.

At which point the fact that a message contains just an IMG is going to receive a high spam score. No-one says Bayesian can just score words. You can create a token that means "Message only contains an IMG" or something like that. Bayesian doesn't mean we're done developing--it just means that the logical work is done. Now all we need to do is keep our eyes out for new "characteristics" of spam that can be detected and considered to be a "token."

So then Popfile will have to use some kind of text-to-graphic weighting factor (note: no longer pure Bayesian/Naive filtering...)

Very doubtful for the reason mentioned above. You look at characteristics of the mail. And if you find that the message is basically just an IMG, that's a major strike against it. I severely doubt that you have to OCR the image unless your real email is also sent to you as images instead of text.

And then they'll start attaching a megabyte of unrelated text to the SPAM.

Again, just adding "innocent" text is not enough to get past Bayesian. You have to have the RIGHT innocent text, and that's different for each person. And, again, if they start adding megabytes of useless text you add a characteristic for "Text of message is over 100k". Suddenly Bayesian will realize that 99% of those messages are spam...

And note that the countermeasures will have increased the size of the average spam from 3-5K to a megabyte plus. Great for bandwidth.

I doubt that will be the case for the reasons mentioned above. Spammers are adding useless paragraphs now because they don't understand Bayesian.

Again, you just need to remember that 1) Bayesian isn't fooled just by adding paragraphs or megabytes of meaningless text. 2) Bayesian doesn't mean we never have to think about spam. It just means the hard work of deciding whether or not a message is spam is done. Now all we need to do is keep our eyes open for new "identifying characteristics" that often appear in spam. The rest falls into place automatically.

The spam I do see

[steveha]

I'm using SpamProbe, and it blocks almost all spam I get.

Much of the spam that gets past it is so minimalist it cannot be blocked by a Bayesian filter. I get messages like this:

Subject: a nice lady wants to talk to you

see the pictures

no more mail

It's like someone is trying to put so little in the message, that there is nothing to filter. If only they would use the stock "We are sending you this because you opted-in on it. Click on this link to remove your address." If they used that, I'll never see the message; SpamProbe will grab it. But how could I train SpamProbe to detect the minimalist ones, without blocking everything forever?

So far I don't get too many of the minimalist ones, and I just hit delete. If it becomes widespread, I'll have to start using Vipul's Razor or something.

The other kinds of spam that get past SpamProbe are the ones that have rampant misspellings. Since none of the words are in the database, they don't match as spam terms:

Subject: make moneey on EBAYxbbid

Want to make moneyzseqw? Click here...

I really think that I should write a filter that spell-checks an email, and rejects it if over 50% of the words with 5 or more letters are misspelled.

steveha

Battle of the network Bayesian allstars

[dubStylee]

Suppose

1. I have a friend who uses the same kinds of words as I do and who uses Outlook (ok, an aquaintance, because friends don't let friends ...)

2. An email virus attacks this person, snarfs up his Ham, runs a Bayesian filter on it and comes up with Spam specifically tailored for this person's aquaintances.

There's a science fiction book waiting to happen in here somewhere. If so, I own the SCOpyright on it.

What I don't like

[Boyceterous]

about this kind of filtering is that it has to download the email content - not always as good idea, especialy in a Windows environment. Besides, I can identify spam just by looking at message header information. Sender, recipient, and subject line are nearly always enough. Plus I don't need to waste time, bandwidth, or get subjected to offensive graphics, or risk 1-pixel confirmations or getting hacked by the latest security issue. My homespun message header analysis program drops nearly all spam, and results in few legit email rejections. I score the headers based on missing recipient, sender info, keywords in subject, string match in sender email or name, punctuation count in subject line, number of contiuous spaces in subject line, plus a few other things that seem to run common in the spam I get. I can also permit certain email addresses to pass no matter the score. It's not fancy, but it works, and I never have to waste time drawing the whole content down to my local machine. What I do may not work for everyone, but it seems that in most cases it should, unless you get a lot of email from unknown (non-spam) sources - not typical for the average email user.

Spam is a poor use.

[Lord+Bitman]

this is like inventing something as useful as the Knife, and using it only to attack salesmen. Why bother stopping with spam? Why not apply this filter to, say, absolutely everything? Since I just said "absolutely everything", I wont bother giving examples.
Training something to know how likely something is to be true, that sounds too useful to waste any time with on spam at all.

SpamBayes not Marc Hammond's work only

[mpieters]

SpamBayes was originally conceived by Tim Peters and co at Python Labs, who improved on the orginal algorithm considerably. From there on out, many people helped tune and perfect the implementation, making it the most effective Baysian-based spam filtering tool currently available (IMNSHO).

Mark Hammond then wrote the Outlook plugin, which, admittedly, is considerably more code than SpamBayes, but not SpamBayes itself.

For the complete background on why SpamBayes is so good at what it does, and it's history, see:

• SpamBayes Background

Marc's is not the only application frontend for SpamBayes, here is a list of others:

• SpamBayes Applications

No apologies for this my pedantry offered.

Re:This is totally useless.

[serbanp]

No it's not.

At work I have Outlook always running with the excellent bayesian FREE filter Spammunition www.upserve.com. I also do check the mailbox from home over a dial-up connection.

If I wouldn't use Spammunition, then I would spend a lot of time downloading spam messages; as it is right now, I get just the ham (several messages instead of many).

Serban

Soundex to work around intentional misspellings?

[GGardner]

For the spammers who are trying to use misspellings to get around filters, I wonder if soundex could fix that problem quickly. That is, instead of doing the Bayesian calculations on the raw tokens, calculate probabilities based on the soundex values of the the tokens. You might need to teach soundex that the number one sounds like I, and other leet-speek-like things, but this might solve the problem quickly and easily.

SpamNet

[SunPin]

I use spamnet by cloudmark. It catches everything. I can't remember the last time I had to click the "block" button. I'm very conscious of where my email ends up and I'm a hardcore advocate of email aliases. As a result, since September (last major crash), spamnet has blocked 4000 pieces while I've actively blocked only 11.

That's pretty f'n good in my book. So good, in fact, that I send all blocked messages to the "Delete" folder instead of the default "spam" folder and set outlook to permanently delete on close.

I have two concerns about this program:

--Money. They are now charging and pretty much deserve it from the average user.
--Reliability. This company could disappear tomorrow and sell off the server that has compiled spam data.

Since mathematics isn't going anywhere, I'm leaning towards switching to an open source Bayesian alternative but, as mentioned above, all my spam gets thrown out the door on contact.

What is the approximate training time of a Bayesian filter?

Great, but my problem is a bit more complicated ..

[slagdogg]

Bayes rocks, been using it with spamassassin and it kills 99% of my spam. The problem is when some asshole spammer uses my email address in the 'From' header of his spam ... then I get scores of 'user not found' or 'virus detected' emails from legitimate mail servers ... it's not spam, but it's just as annoying. How do you guys deal with this problem?

The math

[bpfinn]

I think Tom Mitchell did a good job in explaining the math in his book Machine Learning. It's a very pricy book, so maybe you can look for a used copy.

Outlook - turn off HTML mail

[siamSam]

Turn off html mail for Outlook and help keep them from validating your address through this method.

Place these two keys in .reg files of their own and be able to quickly switch between viewing html and plain text mail. taah dahhh!

[HKEY_CURRENT_USER\Software\Microsoft\Office\10. 0\ Outlook\Options\Mail]
"ReadAsPlain"=dword:0000000 1

OR to turn it back on and view those pretty pictures

[HKEY_CURRENT_USER\Software\Microsoft\Office\10. 0\ Outlook\Options\Mail]
"ReadAsPlain"=dword:0000000 0

Well... What would REALLY interest me is...

[crazyphilman]

A Bayesian filter that reads personal ads, compares them to ads posted by women who are KNOWN to have been "easy" (on a sliding scale, configurable, ranging from "mildly slutty" to "dangerously psychotic nymphomaniac"), and returns a list of likely phone numbers.

Hell, I'd pay MONEY for a piece of software THAT good (Hmm, clickety-click, select "nymphomanic", enter search site... Ah! This one has an oral fixation! Thank you, Mr. Bayes!).

Admit it, Slashdot. You love spam.

[jeduthun]

You guys are a bunch of hypocrites. You don't really want spam to stop. You love spam.

Every spam thread is the same: I use X, and it blocks 98% of my spam, with no false positives! I use Y, and it blocks 99.9% -- take that! Here, I use Z + Y with these custom Perl scripts I wrote that interface with procmail and stop 101% percent of spam! It doesn't matter, because I never get ANY spam! Spam is only because people buy things in spam! What morons! Bow before me, for I am 1337!

Spam gives you something to fight. Spam gives you an excuse to solve an interesting technical problem (i.e. separating spam from ham). Spam gives you a reason to boast. Spam gives you people to dislike.

Admit it.

You love spam.

I use Apam Assassin with Hotmil

[esanbock]

1. Use Debian
2. apt-get install spamassassin
3. apt-get install hotway
4. Add this to your /etc/inetd.conf: pop3 stream tcp nowait nobody /usr/sbin/tcpd /usr/bin/hotwayd
5. Switch to Kmail
6. Menu: Settings|Configure Filters
7. Add first filter.
a. Select Match Any of the following
b. Select size 250000
c. Filter action: PIPE THROUGH spamassassin
8. Add second filter
a. Select 'Match any of the following'
b. Type 'X-Spam-Flag' (no quotes)
c. Select equals. Type 'YES'
d. Filter action: Move to folder [your spam folder]
9. It's crucial thta the second filter happes after the first (use the arrows to the left).

There you have it - a spam-free Hotmail account. Not quite setup.exe, but this is Linux after all.

I must have done something wrong...

[chinton]

I tried a few months ago to write a Spam filter in Python, but no matter what I tried, this was the only output I could receive:

I DON'T LIKE SPAM! I DON'T LIKE SPAM! I DON'T LIKE SPAM!

Anyone know of a Lotus Notes filter?

[Moderation+abuser]

I've just been migrated to Notes from Outlook. Not a happy bunny till I discovered how powerful it is with stuff like agents.

The only thing I'm missing now is a spam classification tool like popfile for notes.

Not it's not...

[Goonie]

Client side filtering is not an ideal spam solution, but it's a good thing on both a micro and macro scale.

• For the 99% of people who don't respond to spam, it makes no difference to the spammer whether they filter it or delete it manually. At an individual level, it reduces the amount of spam I have to deal with to managable levels.
• For the 1% that *do* respond to spam, having a filter might reduce the amount of spam they respond to and thus reduces the financial rewards for spammers. Anything that reduces the financial rewards for spammers is going to help reduce the spam levels.
• If spammers are spending all their time and money figuring out how to beat filters, that's time and money that they're not using to send spam.

As for your indictment of spam filtering providers, could you please explain where the spamassassin devteam is making money?

My choices with regards to spam at the moment are simple. Use spamassassin or something like it, or wade through spam myself. I know which I'd prefer.