You've basically got three questions:

* Of the spams that went through my engine what % of them were correctly identified?

* Of the innocents that went through my engine what % of them were correctly identified?

* Of ALL the messages that my engine processed what % where correctly classified (spam or innocent)?

That's it. That's all. Not that tough. Let's be honest…that's all an average Joe really wants to know.

Well…maybe that's not ALL an average Joe wants to know. He also wants to know you're being straight with him. Wanna know a dirty little secret….sshhh…be very quiet…..the term “catch-rate” only takes off accuracy points for spam misclassifications (i.e. false-negatives only). You want false-positives in that number? “Ha! We can't tell you that!” cackles the anti-spam vendor.

We call the three questions above Spam Classification Accuracy (SCA), Innocent Classification Accuracy (ICA) and Overall Classification Accuracy (OCA). Next time you're talking to an anti-spam vendor ask for them.^** Push hard. At least you'll be able to make a clean choice.

^**Just a heads up. Your friendly anti-spam vendor of choice will almost certainly stare at you like a wildebeest caught in the headlights if you ask for SCA, ICA and OCA by name. You'll probably have to tell them what you want in English…and speak reaaaalllyyy sloooow. They're not used to all the honesty.

Deep Dish:Way2tite – Situation 2wo:Global Underground 025: Toronto [UK] Disc 2[23:59]

It's really not that surprising. Traditionally e-mail has been the focus of tighter security, and its been easier to secure from a performance point of view. If you can deliver your mal-ware successfully using the web or IM, you're going to knock over a lot more systems. It's normally just too hard to protect those streams because users complain about performance hits. Its amazing how fast an HTTP AV scanner gets shutdown after the 34th user complaint along the lines of “What did y'all do?! It takes forever to download this really cute program from Gmail that my new Afghani friend sent me!”.

One of the interesting comments in the article confirms malware writers are looking to counter the “rapid-response” update architecture the AV industy has put together. It means signature update windows are going to continue to get smaller. An effective pre-scan of vulnerable systems means that a mal-ware writer can hit critical mass of infection that much more quickly. Whereas you might have had 12-24 hours to get an AV signature updated before, this could mean you've got 4 hours or less.

One thing Kaspersky doesn't talk about that we discuss a lot is the evolution of malware along biological lines. Ebola for example, is a very bad virus in terms of effectiveness. It kills the host really quickly, and limits the lifetime of the virus. Which is a primary reason Ebola never really became a global problem. You could say the same thing about Blaster or MyDoom. Everybody noticed them 'cause they knocked your system over hard. You couldn't work, and maybe even lost data as a result of the crashing. While they did infect A LOT of machines, the fact is they don't infect many machines anymore. They made a big splash and everybody raced to close the holes.

We expect to see new malware in the future that is very stealthy as a result of being tied to wanting to make money. A worm that doesn't kill your bandwidth or your system would be a silent parasite that you probably wouldn't notice. It could live a long time stealing data or whatever it was supposed to do. Or it could simply “soften” up the infected systems by disabling AV scanners. When money's the motivator its not as important to cause damage to computing infrastructure…unless of course that's the service you're selling.

John Mayer:Neon:Room for Squares[4:22]