[Mimedefang] Learn from missed spam?

[David F. Skoll]

On Tue, 16 Dec 2003, Douglas, Jason wrote:

> I would like to set it up so that I can forward a spam message that
> MIMEDefang missed (as an attachment) to a certain account on the
> MIMEDefang server. The users here all use MS Outlook, so I would simply
> be forwarding an email as a .msg attachment (or attachments, plural, if
> I want to forward more than one email at a time).

This will likely not work very well.

First of all, Outlook is notorious for munging messages, so the message
that the system gets trained on might bear little resemblance to the message
as it appeared during the initial SMTP delivery session.

Secondly, unless you authenticate the mail, you're opening up an in-band
channel for training the filter.  A malicious person could train the filter
on all kinds of junk.  Depending on your environment, this might not be
a problem.

The best way to do this kind of thing on a not-very-busy mail server is
to keep a copy of every single message that comes in, at least for a few
days.  Add a header so that the original message can be retrieved easily.
Then when you want to train the filter, have someone forward the message
to be trained.  Pick out your special header, retrieve the *actual* message
as originally seen by sendmail, and then train on that.

Perl code left as an exercise for the reader. :-)

Our commercial CanIt solution does something similar, except we don't
store the entire message -- we store a "pre-digested" set of tokens
that can be fed to the Bayes training engine.  The pre-digested tokens
are typically much smaller than the original message.

Regards,

David.