Personalized Filtering of Polymorphic E-mail Spam

Which of emails are spams depends on the recipient's interest, so it is desirable to filter spams based on his/her interest. We store the fingerprints (FPs) of k portions of each spam's content in our filter and examine tire metrics for detecting the polymorphic spams devised with intent to thwart the detection. For a smaller memory size of the filter we exploit two Bloom filters (in fact, merged into a single one to reduce cache miss) to replace the least recently matched spams by recently matched ones. We use as the metrics the number N(t), (<= k) of FPs in the filter matching with those of an incoming email, but also of the N(t) FPs, the greatest number N(d) of FPs stored for a single spam. We plot spams and legitimate emails in the N(d)-N(t), space and detect spams by a piecewise linear function. The experiments with about 4,000 real world emails show that our filter achieves the false negative rate of about 0.36 with no false positive.