Meng Wong's Perspectives on Antispam

netscoop writes "CircleID is running an interesting blog by Meng Wong, best known as the lead developer of the anti-spam authentication scheme, SPF. While touching on various recent hot issues, Meng has this to say about phishing: 'The final solution to the phishing problem requires that people use a whitelist-only, default-deny paradigm for email. Many people already subscribe to default-deny for IM and VoIP, but there is a cultural resistance to whitelist-only email -- email is perceived as the medium of least reserve. I believe that we must move to a default-deny model for email to solve phishing; at the same time we must preserve the openness that made email the killer app in the first place. The tension between these poles creates a tremendous opportunity for innovation and social good if we get things right, and for shattering failure if we get things wrong.' Right or wrong, definitely worth a read."

Phishing is easy to recognize

[4D6963]

Phishing is easy to recognize, well at least for us the leet slashdot geeks.

But I still wonder why mail providers don't scan the typical phishing mails (PayPal and eBay) and check whether the links point to ebay or paypal's site or some obscure IP.

I'm pretty sure that checking such typical phishing mails for their authenticity this way would help getting inboxes rid of it. My two cents..

Bayes filters do not achieve `99.9%'

[gvc]

Here are the results of the latest TREC Spam Evaluation. No filter - not even CRM114 or DSPAM - comes close to 99.9% overall accuracy.

That said, filters can remove 98% of spam with about 0.1% false positives, which makes them pretty useful. Most, but not all, of those 1-in-1000 false positives are marginal anyway.

If you're interested in doing your own tests, there's a free toolkit and corpus with 92,000 messages.