[sanesecurity] Re: ham testing

  • From: Henrik Krohns <hege@xxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Tue, 14 Jul 2009 19:28:55 +0300

On Tue, Jul 14, 2009 at 11:03:11AM -0400, Tom Shaw wrote:
> Steve and Bill,
>
> Personally I think "ham" testing will not add as much "safety" as being 
> asserted.
>
> 1st your ham and my ham are vastly different as are others on the list. 
> Further, ham for Europe is different than ham for an Asian than ham for a 
> South America user, etc.
>
> OK, ham testing theoretically could have detected "acebook.com" but I  
> have friends and clients who do not have facebook.com in their ham  
> because they wash their ham every 14 days and so would have never  
> detected the problem prior to a facebook message appearing. Further, I 
> expect that the next FP to happen will not be in whatever "ham" set you 
> are testing against which might make ham testing intrinsically  
> problematic.

Sorry Tom. I do appreciate your good check methods, but you are now way off
on this. Just because your friends and clients might not have a decent ham
set doesn't mean that such a check is pointless and shouldn't additionally be
used. For example many people dealing with SpamAssassin have wide corpuses.

It might not be feasible to do a comprehensive check with a massive corpus
just before releasing, but I'm thinking people could offer to get the
signatures just as they are released, run checks and send reports back if
something fishy is found.

Let's take acebook.com.. I run it through 117216 recent hams (fuzzily
uniqued) and found 895 hits (took 5 minutes). It seriously suggests that the
signature should be reviewed. Want to know how many "com" hits there were?
78145.

Cheers,
Henrik
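
An added example, not part of the original post or of any Sanesecurity tooling: a pre-release ham check of the kind discussed in this thread, sketched in Python. The ham messages, the candidate names and the modelling of signatures as case-insensitive regexes are constructed assumptions.

```python
import re

# Constructed ham samples; a real run would read messages from a mail corpus.
HAM = [
    "Tom tagged you in a photo: http://www.facebook.com/photo.php?id=1",
    "Minutes attached, also on http://intranet.example.org/minutes",
    "Reset your password at https://facebook.com/reset",
    "Invoice from billing@example.com for July",
    "Lunch on Friday? Reply to this thread.",
]

# Candidate signatures modelled as case-insensitive regexes (assumption).
CANDIDATES = {
    "substring": r"acebook\.com",                     # also matches facebook.com
    "too-short": r"com",                              # matches almost any URL
    "host-anchored": r"(?<![a-z0-9.-])acebook\.com",  # hostname must start here
}


def ham_hits(pattern, corpus):
    """Count ham messages in which the pattern matches at least once."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sum(1 for msg in corpus if rx.search(msg))


def review(candidates, corpus, max_rate=0.0):
    """Return {name: (hits, rate, flagged)}; flagged means hold for review."""
    report = {}
    for name, pattern in candidates.items():
        hits = ham_hits(pattern, corpus)
        rate = hits / len(corpus) if corpus else 0.0
        report[name] = (hits, rate, rate > max_rate)
    return report


if __name__ == "__main__":
    for name, (hits, rate, flagged) in review(CANDIDATES, HAM).items():
        status = "REVIEW" if flagged else "ok"
        print(f"{name:14} hits={hits}/{len(HAM)} rate={rate:.0%} {status}")
```

Any candidate with a non-zero ham hit rate is held back for review; the host-anchored variant shows how requiring a hostname boundary before the pattern removes the facebook.com hits.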
