[sanesecurity] Re: ham testing

  • From: Tom Shaw <tshaw@xxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Tue, 14 Jul 2009 11:03:11 -0400

Steve and Bill,

Personally I think "ham" testing will not add as much "safety" as being asserted.

1st your ham and my ham are vastly different as are others on the list. Further, ham for Europe is different than ham for an Asian than ham for a South America user, etc.

OK, ham testing theoretically could have detected "acebook.com" but I have friends and clients who do not have facebook.com in their ham because they wash their ham every 14 days and so would have never detected the problem prior to a facebook message appearing. Further, I expect that the next FP to happen will not be in whatever "ham" set you are testing against which might make ham testing intrinsically problematic.

IMHO you are better off checking for small sigs (which would have detected the "com" problem) and washing against large whitelists (which we already do).

I can provide you and Bill my script to check signatures against URIbl whitelists as well as bondedsender and many others and cache results if you want. It currently is in PHP but could easily be used as is or recoded.

These queryable DBs are much more comprehensive than someone's (or a group of someones') ham. Further, the sheer effort to maintain a comprehensive, world aware ham database seems like a tall order.

I would suggest trying filtering on small sigs and checking these world aware whitelists as a first start before taking on the task of ham maintenance. Our experience in adding these checks to the winnow dynamic process makes a big difference.

If after that more checking seems to be in order, someone can start to build a comprehensive ham DB.

I would also like to query how many folks are using these dynamic sigs without scoring. The reason I ask is it has been reiterated over and over again to use them as part of scoring. We score and did not experience rejections of com nor acebook.com. Maybe the solution is to ask for scoring or have users reconsider their scores - after all this is what you have to do in any scoring based system.

Tom
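
Added example, not part of the message above and not the PHP script it mentions: a minimal pre-publication check combining the two ideas from the post, a minimum signature length and washing against a whitelist. It assumes signatures are plain literal substrings; `MIN_SIG_LEN`, the function names and the three-entry whitelist are constructed for illustration.

```python
# Added example: pre-publication lint for URL/domain signatures.
# Assumptions (not from the post): signatures are plain literal substrings,
# MIN_SIG_LEN is an arbitrary threshold, and WHITELIST is a tiny constructed
# stand-in for the large queryable whitelists the post refers to.

MIN_SIG_LEN = 8  # hypothetical threshold

WHITELIST = ["facebook.com", "example.org", "paypal.com"]  # constructed sample


def lint_signature(sig, whitelist=WHITELIST, min_len=MIN_SIG_LEN):
    """Return a list of reasons to hold back `sig`; empty list means it passes."""
    reasons = []
    needle = sig.strip().lower()
    if len(needle) < min_len:
        reasons.append("too short (%d < %d)" % (len(needle), min_len))
    # A substring signature fires on every host that contains it, so test
    # containment, not equality: "acebook.com" is not whitelisted itself but
    # matches inside "facebook.com".
    hits = [d for d in whitelist if needle and needle in d.lower()]
    if hits:
        reasons.append("matches whitelisted: " + ", ".join(hits))
    return reasons


def wash(candidates, whitelist=WHITELIST, min_len=MIN_SIG_LEN):
    """Split candidates into (publishable, held); held maps sig -> reasons."""
    publishable, held = [], {}
    for sig in candidates:
        reasons = lint_signature(sig, whitelist, min_len)
        if reasons:
            held[sig] = reasons
        else:
            publishable.append(sig)
    return publishable, held


if __name__ == "__main__":
    # Constructed candidates: the two bad sigs named in the post plus one
    # made-up spam domain that should pass both checks.
    sample = ["com", "acebook.com", "cheap-pills-now.example"]
    ok, held = wash(sample)
    print("publish:", ok)
    for sig, why in held.items():
        print("hold:", sig, "->", "; ".join(why))
```

With this threshold the length check alone would let "acebook.com" through; only the containment test against the whitelist holds it back.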
