bgodette@idcomm.com wrote:
>> Actually, it didn't. The assertion is that if someone else hadn't seen
>> this exact message first, then SA wouldn't have caught it.

>
> No, the assertion is that if someone else hadn't seen prior abuse from
> the sending host first (not this exact message), then SA wouldn't have
> caught that particular message. That assertion happens to be true for
> the blacklists, and true for BAYES as well since it would have had to
> have seen headers (since the payload is vastly different) that look like
> this sending host in the recent past and been told that it was SPAM.


Your assertion about bayes is not well supported. It might have been
flagged by bayes for reasons that have _NOTHING_ to do with the received
headers.


>> The PBL (which isn't spamtrap fed, it's collected from ISP published
>> and/or contributed data) would have caught this based upon issues that
>> have nothing at all to do with this message, and most likely nothing at
>> all to do with this current round of spam. It would be based upon the
>> host provider's policy that this host shouldn't send email to the internet.

>
> Which means, some time, in the past, for whatever reasons that
> particular IP address did something against someone's policy to end up
> on that list. The important part being "in the past".


No, it means that the ISP, or possibly net block user, told Spamhaus
"it's an end user IP address, and not a mail server". There might be
_NO_ previous abuse from that IP address, and they'll still be listed.
The "policy" here is NOT the recipient's policy, the sendering network
owner's policy.


>> Similarly, the SPAMCOP listing is most likely not related to _this_
>> message. It is more likely an ongoing abuse issue, so the fact that the
>> host fed a spamtrap at spamcop at some point in the past does not mean
>> that they were "lucky to catch this message". The odds are that the
>> SPAMCOP listing has nothing to do with this message.

>
> Spamcop automatically delists IP addresses over time, to be relisted
> someone/something has to report new abuse. If you happen to receive the
> message before anyone has reported the new abuse, well it won't be listed.


It could have been recent abuse from an entirely different message
batch. In other words, maybe that IP sent a standard stock scam
yesterday, and today it sent the pdf spam ... and this person was the
first one to receive that pdf spam message. No previous recipient of
the same message. But they'll still be listed at spamcop.


>> I would make the same characterization of BAYES. You don't have to see
>> a specific message in the past in order for BAYES to catch it.
>> Therefore, you're not depending upon "luckily not being the first person
>> to see a given message".

>
> Explain how BAYES will have any matching tokens to work on if its from a
> fresh, never before seen by your system, zombie and there's no message
> body other than the attachment? All you have to work with is headers
> which you've never seen before and MIME boundaries which you've never
> seen before.


There are more headers than just the received headers. And, I honestly
don't know whether or not an attachment's raw data is analyzed by bayes
or not. My assumption is that it is.


>> Just resting upon BAYES, BOTNET, and PBL, you're not "lucky to have
>> caught the message because you're a late receiver". You've caught the
>> message due to a combination of policy, misuse, and historical
>> characteristics of spam in general being used to train your system.

>
> All of which needs prior examples/reporting of messages similar to the
> one you're trying to detect, that's what "historical characteristics of
> spam" means.


BOTNET does _NOT_ need prior reporting. And the prior reporting the PBL
require has nothing to do with abuse. Further, BAYES does not depend
upon the received headers. But even if you're right about bayes, your
claim that "all of which needs prior..." is at least 2/3 wrong, if not
3/3 wrong.