Title: Message
Matt,
 
Any "black-list" is subject to false positives. That's why we are all using Declude, so that we can combine the effect of different imperfect blacklists to assess a likelihood of something being Spam. It's entirely possible that you are relying exclusively on Sniffer and static filters - which is perfectly fine and then SURBL is not for you. Whatever works.
 
For those of us who DO use blacklists to verify sender IPs, checking for spamvertised URLs is an absolute must (and a feature sorely missed in Declude for too long). While it's easy for a spammer to set up a network of a thousand zombies that do the sending, his email will eventually link back to one (or a handful) of server URLs. It will take MUCH longer for all those zombie IPs to be black-listed - but one or a handful of URLs are identified much quicker!
 
I love Sniffer and it is the best thing since sliced bread - but, I still see a good amount of SPAM every day (even just in my own personal mailbox).  So I will always look for ways to catch what is slipping through.
 
Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Sunday, January 09, 2005 10:23 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer vs. SURBL

Andy,

I'm not sure how you are seeing the results that you are seeing.  Sniffer tags from 95% to 97.5% of spam on any given day on my system with a good portion of what gets through being either fresh spam sources, niche spam or backscatter.  Unless there was something wrong, it is impossible for invURIBL to be tagging 11% more than Sniffer, even if invURIBL tagged 100% of it.

As someone else pointed out, I would be cautious of how to weight the combined SURBL zone as it clearly has false positives and it will exacerbate any issues that you might already be having with blocking legitimate commercial E-mail.  These resources are great for catching spam, but unfortunately there are many out there that will submit almost anything that is commercial and their choices end up applying to anyone that uses the zone.

Another thing to consider is that Sniffer does already cross check with SURBL as a way of helping to verify the payload URL strings.  I have found and reported several false positives to Sniffer that were tagged in this manner, and SURBL appears to be much safer than invURIBL as a whole.  I consider the double hit with SURBL to be fairly safe because the zone is time limited and there is a delay in Sniffer adding new rulebases, so I rarely get double hits on false positives.  Things would be significantly different however with a longer lived zone.

Matt



Andy Schmidt wrote:
Hi,
 
Today I finally took the time (I didn't have) and ran both Sniffer and SURBL Tests (using http://www.invariantsystems.com/invURIBL/).
 
Result:
 
  1,860  tagged by invURIBL only -> gain over Sniffer = 21%
  8,926  tagged by BOTH invURIBL AND Sniffer
    962  tagged by Sniffer only -> gain over invURIBL = 11%
 
In other words:
 
If I ran ONLY Sniffer, I would have missed 21% of additional messages that were detected by checking against SURBL.
If I tested SURBL only, I would have missed 11% of messages (that only Sniffer found).
I have configured Declude so that the two tests are complementary (no extra weight BOTH tests vs. ONE test fails.)
 
My conclusion:
 
Both Sniffer and invURIBL are worth their money...
 
 
PS: here are the "raw" numbers:
 
DLAnalyzer(4.0.5 - 12/21/2004) Report Generated At 1/9/2005 12:48:14 AM For Argos.net
Breakdown Of Messages That Failed: INV-URIBL
Messages That Matched: 10,786
TEST             # FAILED   Percentage
IPNOTINMX..........10,372.......96.16%
SNIFFER.............8,926.......82.76%
NOLEGITCONTENT......8,673.......80.41%
SPAMCOP.............4,983.......46.20%
SORBS...............4,521.......41.92%
XBL-DYNA............4,470.......41.44%
 
Breakdown Of Messages That Failed: SNIFFER
Messages That Matched: 9,888
TEST             # FAILED   Percentage
IPNOTINMX...........9,611.......97.20%
INV-URIBL...........8,926.......90.27%
NOLEGITCONTENT......8,788.......88.88%
SPAMCOP.............5,208.......52.67%
XBL-DYNA............4,672.......47.25%
SORBS...............4,664.......47.17%

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

 

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
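
The overlap figures discussed in this thread can be recomputed from the two DLAnalyzer breakdowns quoted above. The following is an added example, not part of the original messages or of DLAnalyzer or Declude; the function names and the row regex are assumptions made for this illustration, and the embedded report lines are copied from the quoted output. It shows that the 21% and 11% figures correspond to the single-test counts divided by the overlap, and also gives each test's share of the combined catch.

```python
import re

# Excerpt of the DLAnalyzer output quoted in the message above.
REPORT = """\
Breakdown Of Messages That Failed: INV-URIBL
Messages That Matched: 10,786
TEST             # FAILED   Percentage
IPNOTINMX..........10,372.......96.16%
SNIFFER.............8,926.......82.76%

Breakdown Of Messages That Failed: SNIFFER
Messages That Matched: 9,888
TEST             # FAILED   Percentage
IPNOTINMX...........9,611.......97.20%
INV-URIBL...........8,926.......90.27%
"""

# Row layout assumed from the excerpt: NAME....COUNT....PERCENT%
ROW = re.compile(r"^([A-Z0-9-]+)\.{2,}([\d,]+)\.{2,}([\d.]+)%$")

def parse_report(text):
    """Return {test: {"total": n, "also": {other_test: n}}} per breakdown."""
    out, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Breakdown Of Messages That Failed:"):
            name = line.split(":", 1)[1].strip()
            cur = out.setdefault(name, {"total": 0, "also": {}})
        elif cur is not None and line.startswith("Messages That Matched:"):
            cur["total"] = int(line.split(":", 1)[1].replace(",", ""))
        elif cur is not None and (m := ROW.match(line)):
            cur["also"][m.group(1)] = int(m.group(2).replace(",", ""))
    return out

def overlap(report, a, b):
    """Split the union of two tests into only-a / both / only-b and derive rates."""
    both = report[a]["also"][b]
    if both != report[b]["also"][a]:
        raise ValueError("the two breakdowns disagree on the overlap")
    only_a, only_b = report[a]["total"] - both, report[b]["total"] - both
    union = only_a + both + only_b
    pct = lambda n, d: round(100 * n / d, 1)
    return {
        "only_a": only_a, "both": both, "only_b": only_b, "union": union,
        # single-test counts relative to the overlap
        "only_a_vs_both": pct(only_a, both), "only_b_vs_both": pct(only_b, both),
        # share of the combined catch each test finds on its own
        "a_share_of_union": pct(report[a]["total"], union),
        "b_share_of_union": pct(report[b]["total"], union),
    }

print(overlap(parse_report(REPORT), "INV-URIBL", "SNIFFER"))
```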
