RE: [Declude.JunkMail] Global configs (=> SORBS results)

[Andy Schmidt]

Title: Message

Hi,   Using a filter, I combine the different blacklists from various sources into distinct groups:   Proxies Open-Relay DUL/DUHL   Each group has a weight assigned.  This way, I can use the combined know-how of multiple sources whether an IP is a Proxy and/or an open-relay and/or a DUL/DUHL without worrying about multiple positives in ONE group pushing an email beyond the threshold.  As a result, more IPs are being detected and I can assign a higher weight to each group - without any one group "controlling" the outcome by itself. Best Regards Andy Schmidt Phone:  +1 201 934-3414 x20 (Business) Fax:    +1 201 934-9206 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, June 30, 2004 08:06 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Global configs (=> SORBS results) Markus, Their open relay tests, SORBS-HTTP, SORBS-SOCKS and SORBS-SMTP can all hit on the same message for the same exploit causing a triple hit and therefore it is best to combo these tests with a custom filter.  Throwing in SORBS-MISC into this mix might also be a good idea. The problem isn't that their data is any more unreliable than the others of this type, rather it is the way that they offer up this data, splitting it into 3 categories that have no practical purpose for a system that applies weights instead of ACL's. Matt Markus Gufler wrote: I have some other numbers. For example SORBS-HTTP   Yesterday it has had the correct result for 7% of the processed messages (776 of 11161 messages) But it has also had a positive (wrong) result for 17 legit messages. (so one of this messages was slightly above our hold treeshould => false positive)   But SORBS-HTTP catches nearly all spam messages that has already failed enough other tests to be hold. So it's not really usefull to have ~ 759 correct votes from SORBS-HTTP for spam messages if they have already reached a weight above 200 % of the hold weight.   On the other side it's problemtic if from the 17 legit messages catched by SORBS-HTTP 4 are near to or over the hold weight.   My conclusion: SORBS-HTTP results will have no effect on the detection rate, it increases only to posibility to have some false positives. (The results will not change if I look for the last 2 or 4 weeks, and not only yesterday) Also I can see nearly the same results for SORBS-SPAM (positive result in 8% / 23 wrong results for legit messages / 6 legit messages near the hold weight / all other messages above 200% of the hold weight)   Attached you can see a diagramm with the variation of the final weight for all yesterday messages failing SORBS-HTTP.   A similar diagnosis could be made for several other tests. It's only a little bit of work and I don't know if someone counts on such reports...   Markus     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sharyn Schmidt Sent: Monday, June 28, 2004 7:33 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Global configs Yesterday's summary:   SORBS...............5,061.......47.70% SORBS-BADCONF..........22........0.21% SORBS-DUHL..........3,273.......30.85% SORBS-HTTP..........1,119.......10.55% SORBS-MISC............476........4.49% SORBS-SMTP.............79........0.74% SORBS-SOCKS.........1,157.......10.91% SORBS-WEB..............94........0.89% SORBS-ZOMBIE............8........0.08%      Thanks!   I'll take that as a YES!   Sharyn    -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================