Hello, John,

In my opinion there's definite value in the HOLD action. I'll tell you how I have things set up and perhaps you can see it as well.
When I first set up Declude JunkMail I analyzed incoming e-mail on our primary domain NEXUSTECHGROUP.COM for a couple of days to come up with what I considered a good HOLD weight for the types of spam that we receive. The HOLD weight that I decided on was 8. I have $default$.junkmail configured so that any e-mail with a weight of 8 or above has the HOLD action taken on it. What HOLD does is drop all of those e-mails which are held into an actual directory called \imail\spool\hold. I tried to make the HOLD weight be high enough so that as little legit e-mail as possible was being caught yet the bulk of the spam that we were receiving was being caught. 8 just happened to be a good number for this domain but there's no reason that would be the best for another domain.

Then I started using a program called SpamReview (which has a link on the DJM website). SpamReview allows you to quickly scan the messages in the HOLD directory and see if any of them are legit e-mail, e.g. False Positives. If I come across a False Positive I take a look at the e-mail and see if there are any adjustments I can make to some of my custom filters to allow that type of e-mail to pass through without being held the next time. Over time these exceptions added up so that any legit e-mail which had been caught was being passed through and I was coming across less and less False Positives.

Now, as you, I also realized after a while that I was having to scan through a heck of a lot of e-mail just to get to a couple of False Positives. I also noticed that a lot of the e-mail that I was scanning was easily identified by DJM as Spam and typically these easily identifiable messages had been assigned a very high weight because they had failed so many tests. At that point I decided to implement a DELETE weight in addition to a HOLD weight. A DELETE weight is just a level at which I can be 100% (or as close to it as possible) sure that e-mail with that weight or higher is spam.
I started with a DELETE weight of 60. A DELETE weight of 60 made it so I only had to look at 1000 messages a day with SpamReview. I then lowered it by 5 points. Just lowering it by 5 points meant I only had to look at 750 messages a day. And I kept lowering it until I came to a level where I didn't feel like I was going to unintentionally delete e-mail and yet the amount of e-mail I had to look at on a given day was minimal. Right now when things are going well I have to look at around 100 messages a day for false positives. I usually do this in the morning and it takes me about 10 minutes each day. This is with a HOLD weight of 40. Again 40 is a good DELETE weight for me. You might need something different.

Now as spammers have adapted I noticed the amount of messages that I was reviewing started to creep up. This meant spammers were taking steps to make their e-mail look more like legit e-mail, hence lowering the score. At that point I started to add more teeth to my tests and where before I was taking steps to pass through former False Positives without being caught, additionally I was now taking steps to push e-mail that I was forced to review above my DELETE weight.

My morning maintenance routine for spam tweaking is something like...

1) Scan SpamReview for False Positives - Make adjustments in DJM tests to lower number of False Positives.
2) Look at End-User Spam Reports (Messages forwarded to me by end users as spam they would have preferred to have blocked) - Make adjustments in DJM tests to make sure that SPAM doesn't get through anymore.
3) Use SpamReview to look at mail that was legitimately identified as SPAM. - Make adjustments in DJM to push that above DELETE weight so I don't have to look at it next time.

I think currently I spend about 20 minutes a day on this. But after a couple of weeks I'll spend less time on it. And typically there will be a surge in the methods of the spammers which will cause my time spent to rise again.
And then I will adjust accordingly and time spent will go down and level out again and then rise. It's sort of cyclical in nature. Eventually I'm hoping to have my system (and I assume DJM will have the tests) so that the peaks and valleys in the cycle start to look more like rolling plains and less like jagged mountains, meaning I know what to expect on any given day, but for the time being there is definitely a war being waged out there between the spam senders and the spam filterers and that's basically the mentality you need to keep at it. Someday the anti-spam panacea might exist but for now I think DJM is as close as you can get given the current nature of E-mail transport.

Just my 2 cents,
Dan

----- Original Message -----
From: "John Purnell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 16, 2003 9:43 PM
Subject: [Declude.JunkMail] Hold action

> I'm not seeing the value in the hold action... does this mean that an
> administrator type has to search the server's hold directory periodically
> and scroll through messages looking for false positives? Then I assume you
> would want to manually move them back into the recipient's inbox? Seems
> like an unending thankless task which no one really has time for, in
> addition to filling up the HDD with spam.
>
> Am I right in understanding that the hold action simply puts the email in a
> separate directory? Or am I missing something?
>
> so far I've seen no false positives on weight10, so I'm just about ready to
> start deleting. I see many of you with much higher weights for
> hold/delete. Maybe because you "provide" email to clients and you need to
> let them make their own decisions? (I'm a small company and can afford to
> make those command decisions for my users.)
>
> Thanks.
> John.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
> -----------------------------------------------------------------------
> Sign up for virus-free and spam-free e-mail with Nexus Technology Group
> http://www.nexustechgroup.com/mailscan
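
The threshold-lowering procedure Dan describes (start the DELETE weight high, step it down by 5, stop before legitimate mail would be deleted) can be worked through on reviewed data. This is an added example, not part of the original thread and not Declude or SpamReview code; the sample weights and verdicts are constructed, and the function names and the 5-point safety margin are assumptions.

```python
# Added example: sweep candidate DELETE weights over one day of reviewed mail.
# All data below is constructed for illustration; it is not real Declude output.

HOLD_WEIGHT = 8                         # HOLD threshold from the post
CANDIDATES = list(range(60, 10, -5))    # start at 60 and lower by 5, as in the post

# (total weight assigned by the filter, verdict from manual review)
SAMPLE = [
    (3, "legit"), (5, "legit"), (9, "legit"), (12, "spam"), (14, "legit"),
    (18, "spam"), (22, "spam"), (27, "legit"), (31, "spam"), (36, "spam"),
    (41, "spam"), (44, "spam"), (52, "spam"), (58, "spam"), (63, "spam"),
    (71, "spam"), (80, "spam"),
]


def sweep(messages, hold, candidates):
    """Return (delete_weight, review_queue_size, legit_deleted) per candidate.

    review_queue_size: messages held for review (hold <= weight < delete).
    legit_deleted: reviewed-legit messages at or above the DELETE weight,
    i.e. false positives nobody would ever get to look at.
    """
    rows = []
    for delete in candidates:
        queue = sum(1 for w, _ in messages if hold <= w < delete)
        lost = sum(1 for w, v in messages if w >= delete and v == "legit")
        rows.append((delete, queue, lost))
    return rows


def lowest_safe_delete(messages, hold, candidates, margin=5):
    """Lowest candidate at least `margin` points above the heaviest legit message.

    The margin is an assumed safety buffer, not something the post specifies.
    Returns None when no candidate qualifies.
    """
    top_legit = max((w for w, v in messages if v == "legit"), default=hold)
    safe = [c for c in candidates if c > hold and c >= top_legit + margin]
    return min(safe) if safe else None


if __name__ == "__main__":
    for delete, queue, lost in sweep(SAMPLE, HOLD_WEIGHT, CANDIDATES):
        print(f"DELETE={delete:2d}  review queue={queue:2d}  legit deleted={lost}")
    print("lowest safe DELETE weight:",
          lowest_safe_delete(SAMPLE, HOLD_WEIGHT, CANDIDATES))
```

Re-running the sweep after each filter adjustment shows whether a change pushed reviewed spam above the DELETE weight or pulled a false positive below the HOLD weight.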