I could deal with 32 result codes for a single test :)
I'm hoping that Pete will weigh in on this. We had a discussion once
about how to weight multiple hits, and he was leaning towards an
internal probability based method, but this would give us far more
flexibility as administrators IMO.
Yesterday on my system Sniffer returned 118,909 results (clean and
failed), and of the 104,942 failed result codes, there were a total of
316,206 result codes meaning an average of just about 3 result codes
for each time a message failed Sniffer. I was careful not to double
count the final result with each result code.
Being able to get an average of 3 Sniffer hits per message would allow
me to reduce the weights slightly to protect from false positives, and
end up scoring spam with much higher weights as a result. This would
help my system immensely.
I could also use this for my own programming, but enhancing Sniffer in
this way would have broad implications across Declude's customer base.
Matt
Darin Cox wrote:
This is the same idea I mentioned a
year ago when we were all talking about combo tests in Declude....only
problem being if you use more unique tests than the numeric type
supported. Assuming the weight/bitmask number is a 4-byte unsigned
int, then we have a maximum of 32 tests.
Darin.
-----
Original Message -----
Sent: Friday, November 05, 2004 7:35 AM
Subject: Re: [Declude.JunkMail] ANN: SPAMC32
(SpamAssassin SPAMC for Declude) 0.5.57 released
If you don't mind me expanding on the bitmask idea....Sniffer users
would benefit from this greatly as many spams fail multiple Sniffer
tests. This would allow us to score each result code that it returned,
i.e.
SNIFFER-GENERAL bitmask 1
"C:\IMail\Declude\Sniffer\execode.exe mycode" 6 0
SNIFFER-EXPERIMENTAL bitmask 2
"C:\IMail\Declude\Sniffer\execode.exe mycode" 6 0
SNIFFER-OBFUSCATION bitmask 4
"C:\IMail\Declude\Sniffer\execode.exe mycode" 6 0
SNIFFER-IP bitmask 8
"C:\IMail\Declude\Sniffer\execode.exe mycode" 4 0
SNIFFER-CASINO bitmask 16
"C:\IMail\Declude\Snifferexecode.exe mycode" 8 0
...
So if a test such as Sniffer returned a result code of 26, that would
mean it hit SNIFFER-CASINO, SNIFFER-IP and SNIFFER-EXPERIMENTAL.
That would be huge :)
Matt
Matt wrote:
Yes,
I would be interested in this very much since it would greatly ease the
management, testing and reporting of such tests, and I have been
working on something myself that would be capable of returning both
positive and negative weights and I didn't want to be running it twice
to get the separation in log lines.
Something else that is a bit OT regarding external tests...I would be
very interested in finding a way to run an external test once and
return multiple result codes, that way if you for instance were testing
different things that both required substantial code and extra I/O, you
could make things much more efficient and also greatly simplify the
management of your code. I understand of course that you could create
a set of 4 result codes to represent the combination of two hits, but
it quickly becomes unwieldy as it grows exponentially. Is there a way
that you could return multiple result codes and have Declude fail
multiple tests without running the test multiple times? I'm thinking
that something like a bitmask returned and then interpreted by Declude
to match zero to many tests.
http://www.joestump.net/170933118/a-quick-bitmask-howto-for-programmers
Note that if this was available, I would probably prefer this over
weight+ and weight- for my own needs since I don't perceive being able
to do both :)
Thanks,
Matt
Markus Gufler wrote:
Yet another update to SPAMC32 that's useful when deployed as
a Declude 'weight' test type. See the release notes below
and download from the traditional /release folder.
As SpamChk is not anymore alone as external 'weight' test maybe also SPAMC32
users are interested in having 'weight+' and 'weight-'
So it would be possible to confgure two config lines one for a positive the
other for negative results.
For example
SPAMASSASSIN+ weight+ c:\imail\...
SPAMASSASSIN- weight- c:\imail\...
The benefits?
1.) It would become possible to use the results of weight tests for
combination filters.
Up to now it was not possible to assign extra points, for example if an
IP4R-test and SPAMCHK has failed.
As both tests are tecnicaly completely different the combination would be
highly accurate.
You can see this for example on http://www2.spamchk.com/public.html on the
already existing COMBO-... tests.
2.) Creating reports would be much easier and more clear if weight tests can
be separated like showed above.
I've suggested this some months ago to Scott. Maybe now with some additional
interested parties...
Markus
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
|