Working Bayesian Mail Filter 313
zonker writes "A real, working honest to god Bayesian spam filter. I've been waiting for something like this for a while (since I first read Paul Graham's research paper on this very topic a few weeks ago). Well here's POPFile, a small but extremely effective Perl script that runs on just about any system Perl does. After just a little training was I able to get very effective filtering out of it. From what I understand the new email client that comes with OS X Jaguar has a feature similar to this, but I don't know if it is true Bayesian. Hopefully this kind of feature will become more prevalant in client software as I see the Google results for it are growing."
spambayes.sf.net (Score:5, Informative)
Re:Whas that? (Score:4, Informative)
bogofilter (Score:4, Informative)
Bayes Explained (Score:1, Informative)
Pr(h|D) = Pr(D|h) * Pr(h)
where Pr is probabilty, h is the hypothesis and D is the data. In this case it would be
Pr("SPAM"|Email) = Pr(Email|"SPAM") * proportion of spam.
The trick is how to estimate the second term. This is a very popular machine learning algorithm due to its simplicity and elegance. For more info, check out this link Bayes [cmu.edu]
Re:Whas that? (Score:5, Informative)
A couple of URLs quickly found on Google:/ section-7.html [faqs.org] a ssets/images/week09.pdf [monash.edu.au]
http://www.faqs.org/faqs/ai-faq/neural-nets/part3
http://www.csse.monash.edu.au/courseware/cse5230/
Also, any decent AI/machine learning textbook ought to cover the topic.
-DVK
Re:Sure it's promising (Score:5, Informative)
Future systems (assuming faster processors and more HD space) could include semantic analysis (e.g., Latent Semantic Analysis) to do an even better job and go beyond the word level.
Re:Bayes Explained (Score:5, Informative)
It should be:
Pr(h|D) = Pr(D|h) * Pr(h) / Pr(D)
and:
Pr("SPAM"|Email) = Pr(Email|"SPAM") * (proportion of spam) / (probability of getting this paticular Email)
SquirrelMail has a Bayesian plug-in (Score:4, Informative)
SquirrelMail [squirrelmail.org] is a WebMail client implemented in PHP. I use the client, but not the plugin (I use Razor [sourceforge.net]).
Uhmm.. like bogofilter? (Score:3, Informative)
Re:Bayesian? Wow!!! I'm sooo excited. (Irony!) (Score:1, Informative)
On the other hand, Naive Bayes is usually easier to implement, easier to tune, and only trails by a few percentage points.
One of the more promising bayes units is autoclass, offered by Cheeseman (et. al.) - public domain classifier that's been around for years and years, and seems to perform quite nicely.
Re:Sure it's promising (Score:4, Informative)
Another important point is that there are some things that they can't hide, at least not in their current working model. If they're trying to sell you something, they have to describe what that thing is and where you can get it, and those descriptions are unlikely to be in any legitimate email. If they want to advertize a web site, they have to include its URL in the message, and the filter can catch that. If they advertize a physical address or phone number, the system can catch those, too. If they don't repeat the message, it means that there's inherently less spam, because I'm only seeing each add once.
It's also not possible to disguise everything in their headers, so things like their posting host (either the one they pay for legitimately or any open relay they're taking advantage of) will wind up being a pointer to who they are. They certainly can't change anything about the headers that's added downstream of their posting host, so as long as they keep using the same one it's likely that there will be characteristic stamps there that the spammers absolutely can't change. I know that analysis of the headers is part of bogofilter [sourceforge.net], another Bayesian filter that I've been using to good effect.
Re:Sure it's promising (Score:4, Informative)
Bogofilter [sourceforge.net] comes close to this. It has an operating mode where each file that it filters is automatically added to the appropriate corpus, either of spam or non-spam. Since it's correct the vast majority of the time, that means that there's very little for the user to do. When it is wrong, you just take the messages that it miscategorized and feed them back into the system with the notation that they were originally marked incorrectly, and it backs out the changes to the wrong category and adds them to the correct category.
I'm using bogofilter with Evolution [ximian.com], and it works very well. I just have two extra folders, one for false negatives and one for false positives. When I notice mail that's been flagged incorrectly, I drag it into the appropriate folder and run a script that tells bogofilter to correct its mistake. Then I either flush the mail (if it was spam marked as non-spam) or process it normally (if it was non-spam marked as spam). I've only been using it for about two weeks and it already has a nearly zero false positive rate (i.e. incorrectly flagged as spam) and a usefully low false negative rate (i.e. incorrectly flagged as legitimate).
Re:You know what I'd kill for? (Score:3, Informative)
It might be smarter to read the article, than killing someone.
You could have installed the program for Outlook in the time it took you to type your rant, but then you would not get any Mod point would you.
Re:Whas that? (Score:5, Informative)
I also highly recommend this link [paulgraham.com], as it goes into quite a lot of detail on this filtering technique. After reading it, I am going to give the Perl variation a shot.
Re:Bayes Explained (Score:4, Informative)
Where's the news? (Score:4, Informative)
Do a freshmeat search for bayespam, bogofilter and spamprobe, they're all working and quite mature bayesian filters (or should we say "paulgrahamian" in order to appease the "true bayesian" crowd). Hell, even a search for "bayes" will turn out a few more hits, like ifilter, which aims to automatically classify mail in different folders, but could be easily tuned to filter out spam.
Of these, I think spamprobe is becoming the true "swiss army knife" of "bayesian" filtering; I did find both bogofilter and bayespam spartan, but they work well. spamprobe, on the other hand, is very actively maintained, is under constant improvement by the author, Brian Burton, and has given me excellent results getting rid of over 90% of my spam.
Re:*BUT* it's a Perl script... (Score:2, Informative)
But perl scripts are just as easy to run as .exe files, so long as you have the perl interpreter installed. So now it's just a two step process:
This is not exactly brain surgery. Perl can be installed on essentially any system you choose to name, with no more trouble than installing any other executable. For those people running Windows, there's an excellent port available from Activestate [activestate.com]. As somebody else pointed out, this means that a perl script is actually available to more people than a .exe would be, because it's truly cross-platform.
Re:Professional Looking Spam May Be Impossible (Score:3, Informative)
Re:Is this intended for server, client, or both? (Score:4, Informative)
The very design of the whole system specifies that anyone can just turn on a machine, hook it up to a network somewhere, and start spewing out messages to smtp ports all over the world.
It doesn't have to be a sendmail, qmail, or exim server, remember. Some Windows viruses have taken advantage of that loophole to set up mini-SMTP servers in the network stack to continue propagating viruses without needing to connect to anything that provides authenticated external relay.
Re:Ximian Evolution? (Score:2, Informative)
With some cleverness, you can use any outside filter with the most recent version (i.e. the develpment fork) of Evolution. They've added the ability to pipe incoming messages to an outside program and read back the exit code. So if the program is written using standard Unixisms- i.e. it reads on standard input and returns a different value depending on whether the incoming message is spam or not- it can be used with Evolution. I know that bogofilter [sourceforge.net] can do this because I'm using it with Evolution and it works pretty well.
Missing the point? (Score:5, Informative)
This is what POPFile is for. Its a pop3 proxy server, it sits between your pop3 client and the server and simply adds a classification to the headers (or the subject line for braindead mail clients).
Currently POPFile is a bit rough on computer newbies, it needs a Perl install and such. However, if you read the forums it is intended to end up as an easily installed executable for windows users and to remain a nifty little perl script for the rest of the platforms where it might come in handy. So when those pesky friends and relatives come asking about all the viagra and farmyard spam they get (and you haven't already set them up on your tightly filtered mail server) set up POPFile for them.
Also, its not just for spam filtering. Think of what you could do if you could go beyond simple rules for your inbox. Want email you think is important forwarded to your phone? Create a category for important email and go through your archives and feed POPFile email you would have wanted forwarded instantly. Create a new folder to recieve those mails and watch it for a few days, retraining POPFile until it is getting reasonably good at putting important mail in there. Now set up your mail system to forward those to your phone. Will it work? I don't know, but based on the results I'm getting, it probably would. How about using it to filter help desk emails?
Re:Sure it's promising (Score:2, Informative)
Since I use Jaguar's mail client, I just told it that these were spam too and now it catches them by itself.
Re:Bayes Explained (Score:4, Informative)
The trick is derive a statement like: "If an x-ray has this feature, the patient has NN % chances of having breast cancer. THAT's useful tor screening, but it doesn't follow from the first statment (without some serious statistical calculations).
Bayes theorem has all sorts of applications in prediction. In the case of E-mail, we can greatly oversimply and say "We found that X% of E-mails with this subject line are Spam." "We conclude that an E-mail with this subject line has Y% odds of being spam." Note that these are two very different statements. If we can find Y for the second statement and set a threshold we're comfortable with, say, 95% then we can create a filter with 95% confidence of correctness; it may well be wrong 5% of the time.
Other responses have done a good job with the math so I won't repeat it here.
Re:Bayes Explained (Score:1, Informative)
Thanks for posting the (correct) general form of the equation, though.
Re:Bayesian? Wow!!! I'm sooo excited. (Irony!) (Score:1, Informative)
NOT TRUE! The Bayesian approach can use the full correlation matrix without diagonalization, e.g., you can write the algorithm to correctly account for the fact that a probability of word A, given that word B is also in the email, is not the product of the probabilities of A and B separately. The only downside is that the number of weight the database contains goes as N^2, so storage space and speed can lack.
Re:*BUT* it's a Perl script... (Score:3, Informative)
I don't think an
In general this illuminates one of the advantages of Unix. Lots of programs are written as filters that read from STDIN (standard input) and write to STDOUT (standard output). My own mail filtering script, for example, does that. I didn't have to learn any mailer-specific API, and my script can be used in different contexts. (Actually my script doesn't write to STDOUT - it saves the message to the appropriate folder.)
Windows does not lend itself to the everything-is-a-filter idea because, among other things, process creation is slow and expensive. When a filter is invoked, a process is launched. Unix has more efficient process creation, and Linux has especially efficient and light process creation. Therefore on Windows a mail filter should be implemented as a reusable software component (probably a COM object) that can be called by the mail client.
Also, most mail clients on Unix use the same mail folder format (mbox) which is basically just the literal messages from the network written to a file. Since it is the assumed common language of mail folders, it encourages software to interoperate on the file level, which my script does by writing messages to mail folders. (Unix is file-centric.) Windows mail clients, in contrast, seem to store mail folders in proprietary formats. That's because Windows philosophy is that an application serves as gatekeeper to "its" files - the file is not a unit of interoperability. In our case it means a standalone mail filter probably couldn't write messages to the mail folder.
Unix is a more friendly, efficient development environment because you can write a mail filter as a standalone program and test it without building a test harness.
Welcome to the future (Score:3, Informative)
Welcome to the future: the mail client [apple.com] in Mac OS X 10.2 uses latent semantic analysis. (This isn't just marketingspeak--my mail folder includes "LSMMap"--LS as in "latent semantic".)
Re:spambayes.sf.net (Score:2, Informative)
Re:Bayes Explained (Score:2, Informative)
Re:Bayesian? Wow!!! I'm sooo excited. (Irony!) (Score:3, Informative)
Bullshit. Bayes' formula is exact, and makes no assumption on independence whatsoever. Naive Bayesian approaches make independence assumptions, hence the use of the term naive.
The only inherent drawback in using Bayes' rule in classifiers is that you have to assume the number of classes to be known a priori.
JPZ
Re:Missing the point? (Score:2, Informative)
Already patented by MicrosofT (Score:3, Informative)
patent 6,161,130 [uspto.gov]
Been posted before... (Score:2, Informative)
Popfile was announced here in late August, shortly after the Paul Graham article came out. It was originally closed source, which prompted the creation of multiple other projects. Among them is Spambayes [sourceforge.net] and even my own Pasp [sourceforge.net] (both in python, both open source).
As well, Popfile was announced open source at the end of September...on Slashdot. I know this because it was released under such a license as I was finishing up Pasp.
So yeah. As for how well Popfile categorizes mail into multiple categories, I have not run many tests with multiple category bayesian filtering, though the Spambayes group has, and has discovered that filtering mail based on multiple categories is far less accurate (many false categorizations). In the minimal tests I have done, I find this to be the case as well (we are used to less than 2% FP and FN rates, and with >2 bin categorization, error rates spike easily into the 10% range).
So yeah. Popfile has been announced here no less than 3 times now. I've not seen Spambayes announced at all (they deserve it), and Pasp has also not been announced, though I could care less about that.