SpamHash/NaiveHamTest

From ThorxWiki
(Difference between revisions)
Jump to: navigation, search
(+hamtest notes)
(-HT75 is done)
Line 59: Line 59:
 
|| to be tested
 
|| to be tested
 
|-
 
|-
||'''75''' || to be tested || to be tested
+
||'''75''' || to be tested ||
  +
/usr/bin/time
  +
85721.13user 1393.59system 27:08:07elapsed
  +
1%CPU (0avgtext+0avgdata 0maxresident)k
  +
0inputs+0outputs (63963major+75559066minor)pagefaults 0swaps
  +
* hashes: 60080
  +
* catches: 1199
  +
Oneline summary: 2% false positives = not acceptable
 
|}
 
|}
   

Revision as of 23:26, 5 April 2009

Contents

Testing SpamHash on a ham stream, naive start.

Why?

I expect ham to be, by it's very nature, unique and thus immune to the similarity testing that spamsum performs. If this can be proved to be, then spamhash could be run native on an incoming mail stream, and not require a spampot.

Original notes

  • Is a spampot even nescessary? Couldn't this simply be run on a complete email dataset? Afterall, it works by allowing through the first instance of every unique email anyway, and ham tends to be relatively unique, whilst spam tends to come in repetitive sets...
    • Yes... in simple testing, simply quoting an email in response makes it quite dissimilar, and their reply (which should be the next that spamsum sees) will have two levels of reply! (TODO: get numbers)
    • TODO: test simply by feeding a weeks corpus of ALL my regular email through spamsum, simulating this.
      • Do this twice: Once naively, once with pre-learnt hashDB from the spampot
      • Then do it another way: over a known 100% ham corpus? (save a corpus of ham messages to MH or maildir format)
      • Expectation: this will be effective, except possibly for email memes. (if the same funny picture is sent to you twice, even by different people, they will be base64 encoded the same and thus show up as being EXTREMELY similar (how common this is should show up in the 100% ham corpus test)

Ham Corpus

The ham corpus is my personal email archive.

I combined most mailfolders I currently have (the only notable exception being the archive from an nntp->smtp gateway, as this cannot be considered representative of genuine email. The nntp archive represented some 50,000 messages!) All other mail (personal, email lists, etc) was added in, then sent mail filtered out (via mutt's $alternates). Some obvious spam which had crept in (mainly via one buggy list) were also removed, but this cannot be said to be comprehensive. The resulting archive was then cropped to the 11year window of 1998 to 2008 inclusive.

This filtering combined to reduce my personal mail archive from approx 120000 messages to 61277 (637MB in mbox format).

Finally, the mail was saved to Maildir format with modified filename. The format used is: "YYYYMMDD-HH:MM:SS.<string>.8charmd5:2,". This allows for simple commandline listing of messages in chronological order. We set <string> to name the corpus - allowing for future mixing of ham and spam and spampot corpuses without losing original per-message definitions.

Test procedure

The ham corpus was run through a script to simulate chronological delivery and filtering via procmail.

  • This was run several times:
    • each subsequent test twice: once with and without spamsum's "-H" option (ignore email headers)
    • threshold scores of 25, 50 and 75 (and possibly others dependant on the results seen here, and in equiv spam corpus testing

Test machine

933Mhz PIII

Results

Spamsum threshold (-Txx) Including headers Excluding headers (-H)
25 to be tested

/usr/bin/time:

18878.18user 1146.58system 6:56:08elapsed
80%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs
(63875major+75779350minor)pagefaults 0swaps
  • hashes: 30181
  • catches: 31096

One word: abysmal

50

/usr/bin/time:

44472.83user 1264.18system 15:32:24elapsed
4%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs
(64143major+75657421minor)pagefaults 0swaps
  • hashes: 44070
  • catches: 17207

One word result: terrible

to be tested
75 to be tested

/usr/bin/time

85721.13user 1393.59system 27:08:07elapsed
1%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (63963major+75559066minor)pagefaults 0swaps
  • hashes: 60080
  • catches: 1199

Oneline summary: 2% false positives = not acceptable

Raw result data available on request

Analysis

Personal tools
Namespaces

Variants
Actions
Navigation
meta navigation
More thorx
Tools