

Stochastic UCE Detection 
Home  John  Connie  Publications  Software  Correspondence  NtropiX  NdustriX  NformatiX  NdeX  Thanks
A cute application of information theorya 64 line procmail(1) script fragment that can be used to filter spam, (e.g., Unsolicited Commercial Email, UCE, or bulk email.) The fragment can be included in a user's ~/.procmailrc, or system wide /etc/procmailrc files, and establishes a cumulative score of the probability that a specific message is spam. The cumulative spam score consists of scores for header construction, (primarily determined by whether the message was transmitted through open relay, or ISP dial up,) and body content, (primarily determined by the message having an optout clause.) If the message's cumulative spam score is sufficiently high, the message is filed in the user's "spam" mail box folder, (which could be /dev/null.) If sufficiently low, the message is filed in the user's mail box folder, and in between, in the user's "junk" mail box folder. The advantage of the scheme is that the disposition of a message is not dependent on any single characteristic, (for example, the message being transmitted through a black listed machine is not sufficient, in itself, to discard the message.) For analytical details, see the section on Theory, and the Results section contains performance metrics. Description and Walk Through of the Script FragmentMany of the database functions used in the fragment are available from the Email "Received: " Header IP Address Auditing suitemost have alternative implementations using standard procmail constructs. The variable SPAMSCORE is the cumulative spam score, and is initialized to zero; a score of zero means that there was nothing found to indicate the message is spam, a low negative score, say, smaller than 1841022, means that it is a virtual certainty that the message is not spam, and a high negative score, say, larger than 20736769, means that it is a virtual certainty that the message is spam: SPAMSCORE="0" Messages that have a negative cumulative spam score larger than 20736769, (corresponding to six sigma,) will be considered spam. Those larger than 1841022, (corresponding to one sigma,) will be considered junk, and less, valid. These sigma limits are conservative, and somewhat arbitrarythey can be altered to adjust false positive and disposition compromises. Save the machine generated return address of the sender using the formail(1) program that is distributed with procmail: :0 whc SENDER= formail rzx To: Save the trusted return address of the senderthe address is extracted from the "ReplyTo:" and "From:" header records: :0 whc FROM= formail rztx To: Extract the sender's domain name from the machine generated return address of the senderthe domain name will be used in evaluation of header construction: :0 whc DOMAIN= formail rzx To:  sed 's/^.*@//' Query the user's files, ~/.procmail.accept and ~/.mailrc, for the trusted and machine generated return address of the sender. The ~/.procmail.accept file is a Unix flat file database, (i.e., organized in lexical order, all lowercase, and made with sort u; look(1) may be a suitable alternative to bsearchtext(1), which is available from Email "Received: " Header IP Address Auditing.) The file contains all email addresses the user has ever received email from, i.e., it is a white list; it is used to prevent valid email from false positive errors in spam detection. The database can be maintained using the rel(1) full text information retrieval system at NformatiX, which is capable of extracting all addresses with a simple shell script, and converting the addresses to lower case characters: :0 * 1^0 ? bsearchtext r n f "${HOME}/.procmail.accept" \ "${FROM}" "${SENDER}" * 1^0 ? fgrep i s e "${FROM}" "${HOME}/.mailrc" { SPAMSCORE="27384317" } Note that absence of either, or both, file(s), will not be of consequencethe cumulative spam score will remain zero. If the sender's address is found in either the ~/.procmail.accept or ~/.mailrc files, then the sender is known; set the cumulative spam score, SPAMSCORE, to a virtual certainty, (corresponding to 7 sigma in this case,) that the message is valid, and not spam. The following "recipe" is the main determination of the message's cumulative spam score; it evaluates the message's header construction. If a condition is true, the natural logarithm of the probability that the message is spam do to the conditional is added to the cumulative spam score: :0 * $$SPAMSCORE^0 * 3361741^0 !^to: * 6454846^0 ^to:.*[<] *[>] * 6258282^0 ^to:.*undisclosed.*recipient * 4448203^0 ^cc:.*recipient.*list.*not.*shown * 5135798^0 ^received:.*microsoft exchange * 2167692^0 ^received:.*microsoft smtpsvc * 1272966^0 $ !^received:.*"${DOMAIN} * 1257903^0 $ !^messageid:.*"${DOMAIN} * 2217521^0 ^subject:.*! * 10361956^0 ^xadvertisement: * 5855766^0 ^subject:.*adv(ertise(ment)?.*)?([ .:]$) * 5750007^0 ? test "${SENDER}" != "${FROM}" * 1989573^0 !? receivedTodb r m \ "${HOME}/.procmail.addresses" * 5213281^0 ? receivedIPdb r n \ "${HOME}/.procmail.reject" * 2663031^0 ? receivedMSGIDdb r n f ${FROM} \ "${HOME}/.procmail.domains" * 4563378^0 ? receivedUnknowndb r n \ "${HOME}/.procmail.domains" { } SPAMSCORE=$= Walking through the "recipe", starting with the current cumulative spam score, SPAMSCORE:
There are several ancillary searches to the body of a message (specifically, searching for encoding and optout clauses,) that can yield results in spam determination: :0 * < 1000000 { :0 B * $$SPAMSCORE^0 * 1409686^0 base64 * 847052^0 delete * 4750287^0 mailing * 2342018^0 $ ${dq}mailto: * 2125098^0 remove * 1468567^0 unsolicited * 8449986^0 unsubscribe { } SPAMSCORE=$= } Walking through the "recipe", (scan the body of the message if the message's size is less than one MB,) starting with the current cumulative spam score:
Tally the cumulative spam score: If the message's cumulative spam score is greater than an arbitrary six sigma, then file the message in the spam folder: :0 * 20736769^0 * $$SPAMSCORE^0 { } # :0 E: spam Else, if the message's cumulative spam score is greater than an arbitrary one sigma, then file the message in the junk folder: :0 * 1841022^0 * $$SPAMSCORE^0 { } # :0 E: junk Else, the message has a reasonable certainty of being a valid nonspam message; file it in the user's inbox folder. :0: inbox TheoryConsider two archives of email messages. The first, A, contains only spam messages, the second, B, only messages that are not spam, i.e., valid email. In the first archive, A, some messages will have a given characteristic, and some will not. Likewise for the second archive, B. The probability, Pa, that a message in the first archive, A, has the characteristic is the number of messages in the A archive that have the characteristic divided by the number messages in archive A. Likewise, the probability, Pb, of a message having the characteristic in the second archive is the number of messages with the characteristic divided by the number of messages in the archive. Now assume a message, selected randomly, has the characteristicwhat is the probability that it is from the A archive? The B archive? The probability, P, that the message is from the A archive is: P = Pa / (Pa + Pb)and from the B archive: P = Pb / (Pa + Pb) Some sanity tests considering a message with the characteristic, selected randomly from either archive:
Suppose the characteristic is being used to determine the chance that the message is spam. If the message is spam, the message should be classified in the A archive. If not, the B archive. Note that the chance that the message should be classified in the B archive is the probability, Pf, of a false positive, e.g., the message has the characteristic, but is not spam. The probability, Ps, that the message is spam is Pa, e.g., the message has the characteristic and is spam. So, Ps is the probability that a message is spam if it has the specific characteristic. Ps is calculated as the quotient of the number of messages in the spam archive that has the characteristic, and total number of messages in the spam archive. And, Pf is the probability that a message is not spam if it has the specific characteristic, i.e., the probability of a false positive for the characteristic. Pf is calculated as the quotient of the number of messages in the nonspam email archive that have the characteristic, and the total number of messages in the nonspam archive. From information theory, (and the above intuitive argumentsits actually Bayesian Analysis, depending on one's point of view,) the probability, Pt, of a correct assessment that the message is spam is: Pt = Ps / (Ps + Pf) And, the probability of an incorrect assessment is: 1  Pt = 1  (Ps / (Ps + Pf)) = Pf / (Pf + Ps) But for Pf << Ps, and Ps near unity, the probability of an incorrect assessment is approximately Pf, e.g., if one was to make a wager on whether a message with the characteristic is spam, or not, one would do so based on the more on the value of Pf instead of Ps. Note the significance; the probability, Ps, that a message is spam is not as important as the probability of a false positive, Pf. It is a subtle point. If there are multiple characteristics typical of spam, and the probabilities of the false positives of those characteristics are statistically independent, then the probabilities of a false positive, Pf, for each characteristic can be multiplied together to get the overall probability of a false positive in declaring the message spam. Note the scheme. All messages are assumed to be spam, and the probability of a false positive calculatedwhich is counter intuitive. Based on the value of the probability, the message is "bined" against the cumulative of the Normal Probability Function. For example, if a message has a total probability, do to all characteristics, of one standard deviation, i.e., one sigma, then there would be a probability of 15.9% that the message was not spam. For two standard deviations, 2.2%, and three, 0.13%, and so on. Obviously, the more characteristics, the better, and the characteristics that should be selected should have the largest Ps, while at the same time, the smallest Pf, e.g., for all characteristics, Pf << Ps. Note that the issue is that the problem is really underspecified, (see Combining Probabilities for particulars,) requiring a heuristic/engineered solution: the statistics on a very large email archive, (32,000 messages in this casegiving a statistical precision of about 1 / 32,000, or about 4 sigma,) is measured, and the empirical spam limit set such that none of the legitimate email messages would be rejected; anything above that limit is considered spam, and can be rejected outright. ImplementationProcmail has a conditional summation mechanism: SCORE="0" # :0 * 1^0 a condition * 2^0 a different condition * 3^0 another different condition { SCORE=$= } where the value of the variable SCORE is zero if no conditions are true, unity if only the first, three if only the third, four if the first and third are true, and so onits a weighted scoring technique. To use cumulative weighted scoring with probabilities, the numbers must be logarithmssince they must be multiplied together for each true conditional; summing logarithms of numbers is the same as multiplying the numbers together, (note that the sum of the logarithms of the probabilities is the same as the chisquare of a uniform distribution with n many degrees of freedom, 2 * sum ln (pn), for the probabilities, pn, without multiplying by 2.) For example, suppose that the first condition has a probability of a false positive, Pf, of 10%. The second 20%, the third 30%. The natural log of 0.1 = 2.3026, and 0.2 = 1.6094, and 0.3 = 1.2040. So the previous construct would look like: SCORE="0" # :0 * 2.3026^0 a condition * 1.6094^0 a different condition * 1.2040^0 another different condition { SCORE=$= } which can be compared against the natural logarithm of the cumulative of the Normal Probability Function for combined false positive rates:
where the standard deviation values were computed by the sigma program. The table allows "bining" of messages by standard deviation of probability of false positive. These valuesmultiplied by 1000000, and truncated for integer arithmeticwere then used in the fragment script for production. As an example, suppose all three conditions in the above example construct were true; then the value of the variable SCORE would be 5.116, (or between a two and three standard deviationactually, 2.5122the probability of a false positive.) As a check, e^5.116 = 0.006, which is 0.1 * 0.2 * 0.3. A 2.5122 standard deviation would represent a probability of 1 in 167 of a false positive. Historical Perspective and Implementational AsidesDetermining relevance of documents to a set of keywords, (or keyword counts in other documents,) is not new. As far as I know, the first mention of the concept was by none other than Vannevar Bush in an extension to the Memex Machine. (For details, see "From Memex to Hypertext: Vannevar Bush and the Mind's Machine," James M. Nyce, Paul Kahn, Academic Press, Inc., Boston, ISBN 0125232705, 1991, pp. 145164, specifically, the section on page 156 titled The Statistical Machine, explored by Bush's student assistants starting in 1938with marginal success in cryptographics through 1943.) For example, most Internet search engines work that way, as do most email archive retrieval systems, (like the rel program.) However, note that, in some abstract sense, what is done in this implementation is the exact oppositean email is assumed to be spam/UCE, and combined chances of a false positive in the assumption calculated; if the combined chances of a false positive are not sufficiently small, the assumption is rescinded. Note the subtle differencethe problem is not in determination of whether a specific email is spam/UCE, but whether the confidence in that determination is enough to assert a decision about it; its similar to political polls where a confidence interval around an empirical metric is used to judge the quality of an assertion. Also, this implementation does not look into the body of an email message to determine relevance to spam/UCE criteria, (such as word instance counting, or probabilities.) Only the header and construction of the body is analyzed; although word instance calculations could be used, procmail(1) is probably not the preferred choice, since multiple word parsing of large documents is a computationally expensive exercise with regular expressions. (See: Paul Graham's suggestions for a better alternative.) Additionally, as another procmail(1) expediency, Bayes' Rules, (see also, Paul Graham's comments,) for conditional probabilities is approximated by using the product of the chances of the conditional false positives, Pf, which is valid if, and only if, all the conditional Pfs are much less than unity, (which is a reasonable, and conservative, approximation when working with well chosen false positive criteria, e.g., Pf << Ps and Pf << 1, which is the technique/methodology used in this implementation.) Since the technique/methodology depends on determining the combined probability of false positives as a decision criteria, it is closer to informationtheoretic techniques than traditional methods of Bayes' Natural Language inferencethus the name, Stochastic UCE detection. Empirical DataThe spam statistics shown in TABLE I were derived from an email archive consisting of 31,632 messages. The dates on the messages spanned July 1993, to July 2001. 1302 of the messages were spamall from May 2001 to July 2001. The archive was divided into two archives; one containing nonspam messages, the other containing only spam. The procmail script fragment was modified: :0: Hc * !^to: /home/user/noto # :0: Hc * ^to:.*[<] *[>] /home/user/tobrackets # :0: Hc * ^to:.*undisclosed.*recipient /home/user/toundisclosed # :0: Hc * ^cc:.*recipient.*list.*not.*shown /home/user/ccrecipient . . . and so on, for each conditional in TABLE I. The script was executed on the Email archive with the shell command: for i in Email/* do procmail /home/user/fragment < $i done and the email in the various files in /home/user created by the fragment script counted: egrep 'From ' /home/user/noto  wc The fragment script was then used on the Spam directory, and the results for both the Email and Spam directories tabulated for TABLE I. The values from TABLE Imultiplied by 1000000, and truncated for integer arithmeticwere then used in the fragment script for production.
[1]Although no valid messages were found in the email archive with the "^to:.*< *>" characteristic, that doesn't mean that messages do not exist with the characteristic. A conservative assumption would be that the next message in an archive of 31,632 messages would have the characteristicmessage number 31,633 does. Or, a virtual certainty is one in 31,633, or a probability of 1  3.16125565E5. Note the implication; If a message has a probability of 1  3.16125565E5 of being spam, then it is a virtual certainty that it is spam, do to data set size limitations. [2]An "XAdvertisement:" header was proposed by the industry to identify spam messages. It never worked out, and none were found in either the spam or email archive. Assume none found in the email archive, some found in the spam archive, or a virtual certainty of 1  3.16125565E5 based on data set size limitations. [3]For nonspam email using Microsoft Exchange and IIS as the MTA, the email archive consisted of 3042 messages. The dates on the messages were restricted to spanning January 1, 2000, to July 2001 to provide a representative false positive rate. Neither product was deployed in significant numbers prior to January 1, 2000. ResultsCombining the messages in the Email and Spam directories from the Empirical Data section, and consecutively executing the fragment script with procmail resulted in 72.4750277%, (or almost three forths,) of the spam messages being filed in the spam mail box folderthere were no false positives due to conservative false positive settings. Production metrics validate the statistics, and 53.164556962% of the messages from someone a user has never corresponded with before will be filed in the junk folder, with no false positives in the spam folderthere were no false positives due to conservative false positive settings. Note: the default conservative false positive settings are suggested due to small data set size31,632 messages, of which 1,302 were spam. Small data set size increases the chances of a false positive, substantially, above predicted values. For example, a reliable false positive incident rate estimate of one in a billion, (6 sigma,) would require a data set size of over a billion messages. The fragment averages under a tenth of a second of CPU time (on a single CPU 433MHz Pentium class machine,) to deliver a message. A less conservative, more aggressive, technique, with small data set sizesAs example methodology of working with smaller data set sizes, the fragment was used on several days of email and spam messages, which were archived for evaluation of the SPAMSCORE variable. There were 42 email messages, (from email addresses never corresponded with before, i.e., the query always returned negative,) and 93 spam messages. For email, the SPAMSCORE ran between 0 and 15,325,371, and for spam, between 1,989,573 and 57,849,849. The average SPAMSCORE, using the tsavg program, for email was 3,643,522.809524 and 21,478,120.290323 for spam. The root mean square of the SPAMSCORE, using the tsrms program, for email was 5,347,103.873589 and 25,052,060.683733 for spam. From the tsstatest program, the average SPAMSCORE for email was 3,643,522.809524, with an estimated error of 2,151,016.649996 = 59.036728%, and 21,478,120.290323 for spam, with an estimated error of 6,727,700.056786 = 31.323505%. The root mean square of the SPAMSCORE for email was 5,347,103.873589 with an estimated error of 1,520,998.459658 = 28.104602%, and 25,052,060.683733, with an estimated error of 4,757,202.331943 = 18.886897% for spam. The estimated error was for a 99% confidence interval. The false positive incident rates can be computed from the root mean square values. The confidence interval adjustment to the root mean square value for email is 5,347,103.873589 1,520,998.459658 = 6,868,102.33323, and 25,052,060.683733  4,757,202.331943 = 29,809,263.0156 for spam. What this means is that if we repeat this evaluation on different archives of email and spam many times, 99% of the time, the root mean square values will be less than 6,868,102.33323 for email, and 29,809,263.0156 for spam; and 1% more. So, those are very conservative estimates on the root mean square values. A false positive rate of 4 sigma, (corresponding to 1 in 31,574.3873622,) would require a negative spam score greater than 3,643,522.809524 2,151,016.649996  (4 * 6,868,102.33323) = 30,034948.7924. For a 3 sigma false positive rate, (corresponding to 1 in 740.796695584,) the value would be 26,398,846.4592, (or, since the average for spam is 21,478,120.290323 6,727,700.056786 = 28205820.3471, assuming a right tail confidence level, or a setting of between 3 and 4 sigma would have a false positive rate between 1 in 741 and 1 in 31,574, while rejecting approximately half the spam, everything greater than the average spam score, 28205820.3471.) The frequency distribution of values for SPAMSCORE for email and spam is graphed in Figure I, (which is available in larger size jpeg, PostScript, or PDF formats.) The aberration in the spam frequency having a value at a SPAMSCORE greater than zero is the result of numerical stability issuesin subtracting the average from the time series for plotting with the tsnormal program. (As an aside, look at the large proportion of email that had a perfect SPAMSCORE of zeroshowing a great deal of craftsmanship by the email system folks in the industry.) Figure I. Relative Frequency of SPAMSCORE Values, EMail and SpamFigure I shows that, although the numerical analysis is about right, and using a negative spam score slightly larger than the largest value found in email, (15,325,371, corresponding to a 5.06 sigma value,) would suffice, and would reject 73.1182796% of the spam archive, with no false positives in the email archive. Note that the frequency distributions are skewed toward zero, (indicating that the distributions are not normal error functions,) biasing the analysis to higher values. (The numerical methods used in the analysisparticularly the statistical estimation and root mean square calculationswere predicated on a Gaussian/normal frequency distribution.) Note that this is an example methodology, and a more sophisticated approach would automate the Empirical Data collection, and numerical methods in this sectiondynamically updating the variables in the fragment section in user's ~/.procmailrc file. This would require users to "bounce" spam to an email archive, perhaps implemented with the rel(1) full text information retrieval system at NformatiX. The accuracy of the variables would be refined as the archive increases in size, raising the confidence level of the statistical estimatealthough it is doubtful that more than 80%90%, (about one standard deviation,) of the spam could be removed using this methodology. However, even with small data set sizes, those numbers can be approached. ExtensionsThe database programs used in the procmail fragment are from the Email "Received: " Header IP Address Auditing web page. Additionally, the fragment is compatible with Quarantining Malicious Outlook Attachments fragment. For maintaining email and spam databases as a full text information retrieval system, the programs at NformatiX can be used. Note that the fragment is very effective at determining the likelihood of a message being from an unknown valid user, as opposed to being spam, making Certified Mail Delivery and SMTP based sender authentication a reasonable proposal. If dynamic update of database information is desired, the constant databases used in the Email "Received: " Header IP Address Auditing suite can be replaced with cdb from D. J. Bernstein. AddendumAs an example of adding a spam conditional to the fragment, it was observed that the Quarantining Malicious Outlook Attachments fragment performed fairly well as a spam detector. 1994 recent nonspam email were placed in a directory, and 235 recent spam messages in another. The fragment was "hacked" to file the messages in one of two folders, one containing messages with potentially malicious attachments/content, and the other nonmalicious. The fragment was run on both directories with a single line shell script, and it was found that 137, (137 / 235 = 0.582978723,) of the spam messages contained malicious content, vs, 265, (265 / 1994 = 0.132898696,) for the email directory. The value for 1  Pt, (from the Theory section,) would be 0.132898696 / (0.132898696 + 0.582978723) = 0.185644487. And converting to a procmail conditional value, 1,000,000 * ln (0.185644487) = 1,683,921.79603, or the procmail conditional would look like: * 1683922^0 ? test "${MALICIOUS}" gt "0" where the value of $MALICIOUS is 1 if the message contains potentially malicious attachments, or 1, if it doesn't. The entire process took under 15 minutes. So, the data in TABLE II:
could be included in TABLE I, also. As another example of adding a spam conditional to the fragment, it was observed that a significant amount of spam contained URL addresses with dotted quad notation, (i.e., of the form "http://123.123.123.123".) 34105 nonspam email were placed in a directory, and 901 recent spam messages in another. Both directories were searched, using "egrep il 'http://[09]+\.[09]+\.[09]+\.[09]+'", and it was found that 174 (174 / 901 = 0.193118757,) of the spam messages contained URL addresses with dotted quad notation, vs, 87 (87 / 34105 = 2.55094561E3,) for the email directory. The value for 1  Pt, (from the Theory section,) would be 2.55094561E3 / (2.55094561E3 + 0.193118757) = 1.30369985E2. And converting to a procmail conditional value, 1,000,000 * ln (1.30369985E2) = 4,339,963.92906, or the procmail conditional would look like: * 4339964^0 http://[09]+\.[09]+\.[09]+\.[09]+ The entire process took under 10 minutes. So, the data in TABLE III:
could be included in TABLE I, also. As another example of adding a spam conditional to the fragment, it was observed that a significant amount of spam contained "^ContentType: text/html" records in the header in an effort to format the message automatically. 34786 nonspam email were placed in a directory, and 754 recent spam messages in another. Both directories were searched, using a short procmail script, and it was found that 373 (373 / 754 = 0.49469496,) of the spam messages contained the content header, vs, 18 (18 / 34786 = 5.17449549E4,) for the email directory. The value for 1  Pt, (from the Theory section,) would be 5.17449549E4 / (5.17449549E4 + 0.49469496) = 1.04490424E3. And converting to a procmail conditional value, 1,000,000 * ln (1.04490424E3) = 6,863,830.03024, or the procmail conditional would look like: * 6863830^0 ^contenttype:[ ]+text/html So, the data in TABLE IV:
could be included in TABLE I, also. Note that this conditional is not statistically independent from the above conditional: * 1683922^0 ? test "${MALICIOUS}" gt "0" There is a slight interaction, (depending on whether the HTML code has extensions, or not.) As yet another example of adding a spam conditional to the fragment, it was observed that a significant amount of spam contained "optout" clauses in the body of the message. 35628 nonspam email were placed in a directory, and 1208 recent spam messages in another. Both directories were searched, using a short egrep(1) script with [^az]opt?(inout)[^az] as the search argument, and it was found that 142 (142 / 1208 = 0.117549669,) of the spam messages contained the "optout" clause, vs, 60 (60 / 35628 = 1.68406871E3,) for the email directory. The value for 1  Pt, (from the Theory section,) would be 1.68406871E3 / (1.68406871E3 + 0.117549669) = 1.41240956E2. And converting to a procmail conditional value, 1,000,000 * ln (1.04490424E3) = 4,259,873.03136, or the procmail conditional would look like: * 4259873^0 [^az]opt?(inout)[^az] So, the data in TABLE V:
could be included in TABLE I, also. As yet another example of adding a spam conditional to the fragment, it was observed that a significant amount of spam contained machine generated "ReturnPath: header records. 4075 nonspam email were placed in a directory, and 1019 recent spam messages in another. Both directories were searched for "ReturnPath: " records using a short egrep(1) script with .*[=+?].*[=+?].*@, .*[09][^09].*@, and, [09][09][09][09][09][09].*@ as search arguments, and it was found that 22 (22 / 1019 = 2.15897939E2,) of the spam satisfied the .*[=+?].*[=+?].*@ search criteria, 163 (163 / 1019 = 1.59960746E1,) satisfied the .*[09][^09].*@ criteria, and, 47 (47 / 1019 = 4.61236506E2,) the [09][09][09][09][09][09].*@, vs, 144 (144 / 4075 = 3.53374233E2,) for .*[=+?].*[=+?].*@, 83 (83 / 4075 = 2.03680982E2,) for .*[09][^09].*@, and, 6 (6 / 4075 = 1.47239264E3,) for [09][09][09][09][09][09].*@. The values for 1  Pt, (from the Theory section,) respectively, would be 6.20747422E1, 1.12949752E1, and, 3.093518992E2. And converting to a procmail conditional value, respectively, 1,000,000 * ln (6.20747422E1) = 476,831.00830, 1,000,000 * ln (1.12949752E1) = 2,180,812.23406, and, 1,000,000 * ln (3.093518992E2) = 3,475,860.91079, or the procmail conditional would look like: * 476831^0 ^returnpath:[ ]+.*[=+?].*[=+?].*@ * 2180812^0 ^returnpath:[ ]+.*[09][^09].*@ * 3475861^0 ^returnpath:[ ]+\ .*[09][09][09][09][09][09].*@ So, the data in TABLE VI:
could be included in TABLE I, also. Note that the conditionals are not statistically independent, and only one should be usedprobably: * 3475861^0 ^returnpath:[ ]+\ .*[09][09][09][09][09][09].*@ As yet another example, the word frequencies in the bodies of 1,291 spam email were compared against the frequencies in the bodies of 4,172 nonspam email by modifying the source code to the rel program from the NformatiX site to find word instance frequencies in both the email and spam archives. After constructing several word instance frequency databases, (structured as described in the Theory Section, above,) using modified versions of the bsearchtext program from the ReceivedIP page, the following procmail(1) script was used to evaluate the effectiveness of body word frequency counts on both the spam and email archives: :0 B * 12272912^0 # * 8449986^0 ([^az]^)unsubscribe([^az]$) * 8021776^0 ([^az]^)refinance([^az]$) # * 4750287^0 ([^az]^)mailings?([^az]$) * 4339964^0 http://[09]+\.[09]+\.[09]+\.[09]+ * 4259873^0 ([^az]^)opt?(inout)([^az]$) * 3792871^0 ([^az]^)advertise(ments?ingrs?)?([^az]$) * 3150439^0 ([^az]^)unbelievable([^az]$) * 3059374^0 ([^az]^)testimonials?([^az]$) * 2957743^0 ([^az]^)promo(t(er?ion(al)?or))?([^az]$) * 2903651^0 ([^az]^)remov(ed?al)([^az]$) * 2596350^0 ([^az]^)obligat(eion)([^az]$) * 2570780^0 ([^az]^)shop(p(ering))?([^az]$) * 2342018^0 $ ${dq}mailto: * 2315228^0 ([^az]^)financial(ly)?([^az]$) * 2281832^0 ([^az]^)solicit(ed)?([^az]$) * 2185652^0 ([^az]^)guaranteed?([^az]$) * 2176775^0 [az][<]!.*[>][az] * 2155985^0 ([^az]^)sales?([^az]$) * 2114136^0 ([^az]^)shipp(inged)?([^az]$) * 2067398^0 ([^az]^)subscribe(dr)?([^az]$) * 2009818^0 ([^az]^)amaz(inged?ment)([^az]$) * 1987624^0 ([^az]^)excit(inged?)([^az]$) * 1939682^0 ([^az]^)absolutely([^az]$) * 1893703^0 ([^az]^)reveal(inged)?([^az]$) * 1859794^0 ([^az]^)satisfaction([^az]$) * 1843555^0 ([^az]^)incredibl(ey)([^az]$) * 1719232^0 ([^az]^)apologize([^az]$) * 1685899^0 ([^az]^)introduc(et(ionory))([^az]$) * 1684561^0 ([^az]^)nationwide([^az]$) * 1675751^0 ([^az]^)media([^az]$) * 1661918^0 ([^az]^)profit(a(blebly))?([^az]$) * 1655808^0 ([^az]^)inform(ed)?([^az]$) * 1644924^0 ([^az]^)membership([^az]$) * 1636605^0 ([^az]^)secret(ly)?([^az]$) * 1592008^0 ([^az]^)income([^az]$) * 1543566^0 ([^az]^)market(inged)([^az]$) * 1479205^0 ([^az]^)success(ful(ly)?)?([^az]$) * 1468567^0 ([^az]^)unsolicited([^az]$) * 1468426^0 ([^az]^)unlimited([^az]$) * 1444170^0 ([^az]^)inexpensive([^az]$) * 1409686^0 base64 * 1408312^0 ([^az]^)ultimate([^az]$) * 1293646^0 ([^az]^)credit(ors?)?([^az]$) * 1289173^0 ([^az]^)newsletter([^az]$) * 1283100^0 ([^az]^)opportunity([^az]$) * 1258696^0 ([^az]^)dealer(ships?)?([^az]$) * 1255685^0 ([^az]^)immediate(ly)?([^az]$) * 1135436^0 ([^az]^)invest((orment)s?)?([^az]$) * 1045145^0 ([^az]^)million(aires)([^az]$) { :0 * 8336151^0 * $${SPAMSCORE}^0 { SPAMSCORE="$=" } } The conditionals, (for constructional convenience, the logic was inverted from above,) were chosen such that the instance of a specific word increased the SPAMSCORE by the largest amount, while at the same time, having the smallest chance of a false positive, (e.g., choosing the the largest values of 1,000,000 * ln (Pf / (Pf + Ps)),). The two words "unsubscribe" and "mailings" created significant false positive issues with mailing list administrative traffic, (the kind that is distributed monthly containing "As a reminder, you are subscribed to the ... mailing list",) and were commented out to significantly decrease the false positive incident rate. The limit 12272912 was found empiricallyit is the value at which there are no false positives of the script on the email archive; and since there were 4,172 email in the archive, a conservative assumption would be that the next email would be a false positive, or the false positive rate equivalent number in the procmail script would be 1,000,000 * ln (1 / 4172) = 8,336,150.81612; which corresponds to about a 3.5 sigma false positive rate. The evaluation:
Allinall, searching for word frequency rates, (using Bayesian methods,) in the body of email messages seems to be an inferior strategy for spam detection, compared to analyzing only message header information. However, there was a 2% increase in accuracy when using both message header information and word frequency rates in the body of email messages; but at a cost of about a 50% increase in computational resource requirements. At issue is the rather high entropy of the English languagewhich is why word incident counting and frequency rates are poor indicators of relevance of a document to a specific criteria. (Note: there were five words, of an adult nature, that were omitted from the script, above, to keep it out of the Internet's search enginesfor a complete script, contact john@email.johncon.com.) AddendumNote that base64 encoded email message bodies have to be decoded for Bayesian methods. However, such hiding of text is used most frequently in UCE. 37121 nonspam email were placed in a directory, and 3830 recent spam messages in another. Both directories were searched, using a short egrep(1) script with [^az]base64[^az] as the search argument, and it was found that 700 (700 / 3830 = 0.182767642,) of the spam messages contained the "base64" keyword, vs, 548 (548 / 37488 = 1.46180111E2,) for the email directory. The value for 1  Pt, (from the Theory section,) would be 1.46180111E2 / (1.46180111E2 + 0.182767642) = 7.40581304E2. And converting to a procmail conditional value, 1,000,000 * ln (7.40581304E2) = 2,602,904.94874, or the procmail conditional would look like: * 2602905^0 [^az]base64[^az] So, the data in TABLE VII:
could be included in TABLE I, also, and would preclude having to decode the base64 encoded body of the message. Note, also, that if the header exists: * 2602905^0 ^contenttransferencoding:[ ]+base64 that the body would not have to be searched, either. However, of the 3830 spam email messages, 696 had the "ContentTransferEncoding: " in the header of the message, and only 2 out of 37488 nonspam messages, so the the spam score could be increased to 1,000,000 * ln (5.33504055E5 / (5.33504055E5 + 0.181723238)) = 8,133,652.09579, or: * 8133652^0 ^contenttransferencoding:[ ]+base64 ThanksA special note of appreciation to Stephen R. van den Berg, (AKA BuGless,) the author of procmail, who for nine years developed and supported the procmail program, (the "email system administrator's crescent wrench,") for the Internet community. The weighted scoring conditions used in this implementation of UCE filters was added to procmail by van den Berg in June of 1994 with the release of version 3.0, and has successfully been used to filter UCE since that time, (portions of the above script date back to late 1994.) Some Procmail and Email "Received: " Header IP Address Auditing How To/Cookbook Examples
LicenseA license is hereby granted to reproduce this software for personal, noncommercial use. THIS PROGRAM IS PROVIDED "AS IS". THE AUTHOR PROVIDES NO WARRANTIES WHATSOEVER, EXPRESSED OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, TITLE, OR FITNESS FOR ANY PARTICULAR PURPOSE. THE AUTHOR DOES NOT WARRANT THAT USE OF THIS PROGRAM DOES NOT INFRINGE THE INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY IN ANY COUNTRY. So there. Copyright © 19922005, John Conover, All Rights Reserved. Comments and/or problem reports should be addressed to:

Home  John  Connie  Publications  Software  Correspondence  NtropiX  NdustriX  NformatiX  NdeX  Thanks