Re: [Declude.JunkMail] Deleting emails based solely on Sniffer?
I certainly wouldn't change my Sniffer weighting based on a 419 scam. The 419/Lotteries tend to be some of the more difficult spams to catch. Many of them come from legitimate mail servers so they won't be on any blacklists and they won't score on technical tests. In your case I'd bet the -5 came from a combination of IPNOTINMX and NOLEGITCONTENT which will tend to trigger on 419 emails.

- Original Message -
From: "Joey Proulx" <[EMAIL PROTECTED]>
To:
Sent: Thursday, April 14, 2005 7:50 AM
Subject: [Declude.JunkMail] Deleting emails based solely on Sniffer?

Can someone please explain to me why, if an email is flagged as spam by Sniffer, I shouldn't just delete it outright? Are there instances where Sniffer is wrong? Or is this the way you all use it already?

Reason I ask is that I have Sniffer set up with a weight of 10...and I hold messages with a weight of 10-14. This morning I got a Nigerian-type scam that sniffer flagged, but it only scored a total weight of 5. I'll have to check through my global.cfg when I get back from my 9am meeting, but something added a weight of -5 somewhere, meaning the email got through. If I had deleted all Sniffer-found spam outright, this would not have happened.

Thoughts?

_
Joey Proulx
SAU #21 Technology Support Staff
2 Alumni Drive
Hampton, NH 03842
(603) 926-8992, ext 115
[EMAIL PROTECTED]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Deleting emails based solely on Sniffer?
On Thursday, April 14, 2005, 8:50:12 AM, Joey wrote:

JP> Can someone please explain to me why, if an email is flagged as spam by
JP> Sniffer, I shouldn't just delete it outright? Are there instances where
JP> Sniffer is wrong? Or is this the way you all use it already?

JP> Reason I ask is that I have Sniffer set up with a weight of 10...and I hold
JP> messages with a weight of 10-14. This morning I got a Nigerian-type scam
JP> that sniffer flagged, but it only scored a total weight of 5. I'll have to
JP> check through my global.cfg when I get back from my 9am meeting, but
JP> something added a weight of -5 somewhere, meaning the email got
JP> through. If I had deleted all Sniffer-found spam outright, this would not
JP> have happened.

JP> Thoughts?

...

Just adding to the thread...

First, I agree with Nick & Don ... As much as we try to make SNF perfect, the definition of its design, and the fact of any spam test dictate that there will be some error rate.

For example, our false positive handling process is based on our best guess about the consensus of all of our customers "Do most of the people we serve agree with this rule? Is that agreement worth the risk of a false positive?" These questions are answered primarily by statistics...

The point is that there is a gray area where some folks will always find a false positive (and we generally will adjust their rulebase accordingly). That somebody could be you :-)

So it is safest NOT to delete on SNF, or for that matter any single test - even if that will lead to some spam getting through. This is one of the key benefits of Declude: its weighting system.

That said, the best practice (as I observe it) is to always hold on SNF and to delete on a specific weight that is high enough to include at least two other tests. Using this strategy, any FP generated by SNF will still be around to be noticed if it is discovered - either by review or by a customer asking why some message appears to be missing. The message can then be recovered, a false positive report made, and appropriate adjustments implemented.

In your scenario you might want to set the weight of SNF higher so that the -5 might still keep the message in your hold range. This might force you to adjust your upper limit on the hold weight, but it's a decent compromise I think.

In the end only you can know for sure what is the best strategy for your system. All of this is a balance of resources and risks. There are many happy systems out there that do regularly delete messages on a single test - for example IMGate which has been debated widely. While I would not recommend deleting a message solely on SNF as a general practice, clearly there is room for this strategy on some systems.

Hope this helps,
_M
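
The strategies discussed in this thread, worked through as an added Python example; it is not Declude or Message Sniffer code and was not posted by any list member. Only the Sniffer weight of 10, the 10-14 hold range and the net -5 come from the thread; the split of that -5 between IPNOTINMX and NOLEGITCONTENT, the tests OTHER_A and OTHER_B, and every delete threshold are assumptions.

```python
# Added illustration, not Declude or Message Sniffer code. The -3/-2 split,
# OTHER_A / OTHER_B and all delete thresholds are constructed; only
# SNIFFER=10, the 10-14 hold range and the net -5 come from the thread.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    weights: dict                       # test name -> weight added when it fires
    hold_at: int                        # lowest total weight that is held
    delete_at: int                      # lowest total weight that is deleted
    hold_on: frozenset = frozenset()    # tests that force a hold by themselves
    delete_on: frozenset = frozenset()  # tests that delete by themselves

def decide(policy, fired):
    """Return (total_weight, action) for the set of tests a message triggered."""
    fired = set(fired)
    total = sum(policy.weights.get(t, 0) for t in fired)
    if fired & policy.delete_on or total >= policy.delete_at:
        return total, "DELETE"
    if fired & policy.hold_on or total >= policy.hold_at:
        return total, "HOLD"
    return total, "DELIVER"

BASE = {"SNIFFER": 10, "IPNOTINMX": -3, "NOLEGITCONTENT": -2,
        "OTHER_A": 5, "OTHER_B": 5}

POLICIES = {
    # Hold at 10-14 as in the original post; deleting at 15 is assumed.
    "as_configured": Policy(BASE, hold_at=10, delete_at=15),
    # Delete outright whenever Sniffer fires.
    "delete_on_snf": Policy(BASE, 10, 15, delete_on=frozenset({"SNIFFER"})),
    # Always hold on Sniffer; delete only at Sniffer plus two other tests.
    "hold_on_snf": Policy(BASE, 10, 20, hold_on=frozenset({"SNIFFER"})),
    # Raise the Sniffer weight so a -5 still lands in the hold range.
    "raised_snf": Policy({**BASE, "SNIFFER": 15}, hold_at=10, delete_at=25),
}

MESSAGES = {  # constructed sample messages: name -> tests triggered
    "419_scam": {"SNIFFER", "IPNOTINMX", "NOLEGITCONTENT"},
    "newsletter_fp": {"SNIFFER"},
    "bulk_spam": {"SNIFFER", "OTHER_A", "OTHER_B"},
}

def compare():
    """Map each sample message to its (weight, action) under every policy."""
    return {m: {p: decide(pol, fired) for p, pol in POLICIES.items()}
            for m, fired in MESSAGES.items()}

if __name__ == "__main__":
    for msg, row in compare().items():
        print(msg, row)
```

Under these assumed weights, only the delete-on-Sniffer policy discards the newsletter false positive, and only the original configuration delivers the 419 message.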
Re: [Declude.JunkMail] Deleting emails based solely on Sniffer?
Joey Proulx writes:

> Can someone please explain to me why, if an email is flagged as spam by Sniffer, I shouldn't just delete it outright? Are there instances where Sniffer is wrong? Or is this the way you all use it already?

A couple of things. Sniffer is very effective but not perfect, close. There are false positives. The common rule is that no message should not be delivered because of one test. Now on my system Sniffer is right under the hold weight which means a second test is required to push it over.

Darrell
--
Try invURIBL - an advanced URI filtering test that will block more than 85% of all SPAM with the default configuration? Try it for free http://www.invariantsystems.com/invuribl/default.htm
Re: [Declude.JunkMail] Deleting emails based solely on Sniffer?
- Original Message -
From: "Joey Proulx" <[EMAIL PROTECTED]>

> Can someone please explain to me why, if an email is flagged as spam by Sniffer, I shouldn't just delete it outright? Are there instances where Sniffer is wrong? Or is this the way you all use it already?
>
> Reason I ask is that I have Sniffer set up with a weight of 10...and I hold messages with a weight of 10-14. This morning I got a Nigerian-type scam that sniffer flagged, but it only scored a total weight of 5. I'll have to check through my global.cfg when I get back from my 9am meeting, but something added a weight of -5 somewhere, meaning the email got through. If I had deleted all Sniffer-found spam outright, this would not have happened.
>
> Thoughts?

I wouldn't recommend doing that, since I typically submit a few false-positives each week to the Sniffer false@ address. The better thing to do, as you said, is determine what test(s) is/are reducing the weight and adjust it.

Bill
Re: [Declude.JunkMail] Deleting emails based solely on Sniffer?
On 14 Apr 2005 at 8:50, Joey Proulx wrote:

Hi Joey,

> Can someone please explain to me why, if an email is flagged as spam
> by Sniffer, I shouldn't just delete it outright? Are there instances
> where Sniffer is wrong? Or is this the way you all use it already?

Well from my perspective the beauty of Declude is you can use multiple tests to fail an email - as I'm sure you are aware. No doubt an email that fails sniffer needs to be punished however to delete on that one test may cause some good email to be deleted. For example I do get false positives on newsletters and some lists I belong to.

So I generally whack an email 70% [varies depending on return code] of my hold weight and look for other failures to push it over the threshold.

My .02 ... :)

-Nick
RE: [Declude.JunkMail] Deleting emails based solely on Sniffer?
If you delete, you should delete based on achieving a minimum weight accumulated. Sniffer on occasion may detect something as a false positive. For example, it may misinterpret a legitimate e-mail as Spam with an attachment based on conversion of the attachment to characters and a series triggering something in Sniffer rules. I have seen this on occasion.

In our scenario, we hold on a certain weight range for review, and higher weight range we auto-delete. We also will hold if failing Sniffer alone and no other tests.

HTH's
-Don

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joey Proulx
Sent: Thursday, April 14, 2005 8:50 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Deleting emails based solely on Sniffer?

Can someone please explain to me why, if an email is flagged as spam by Sniffer, I shouldn't just delete it outright? Are there instances where Sniffer is wrong? Or is this the way you all use it already?

Reason I ask is that I have Sniffer set up with a weight of 10...and I hold messages with a weight of 10-14. This morning I got a Nigerian-type scam that sniffer flagged, but it only scored a total weight of 5. I'll have to check through my global.cfg when I get back from my 9am meeting, but something added a weight of -5 somewhere, meaning the email got through. If I had deleted all Sniffer-found spam outright, this would not have happened.

Thoughts?

_
Joey Proulx
SAU #21 Technology Support Staff
2 Alumni Drive
Hampton, NH 03842
(603) 926-8992, ext 115
[EMAIL PROTECTED]
[Declude.JunkMail] Deleting emails based solely on Sniffer?
Can someone please explain to me why, if an email is flagged as spam by Sniffer, I shouldn't just delete it outright? Are there instances where Sniffer is wrong? Or is this the way you all use it already?

Reason I ask is that I have Sniffer set up with a weight of 10...and I hold messages with a weight of 10-14. This morning I got a Nigerian-type scam that sniffer flagged, but it only scored a total weight of 5. I'll have to check through my global.cfg when I get back from my 9am meeting, but something added a weight of -5 somewhere, meaning the email got through. If I had deleted all Sniffer-found spam outright, this would not have happened.

Thoughts?

_
Joey Proulx
SAU #21 Technology Support Staff
2 Alumni Drive
Hampton, NH 03842
(603) 926-8992, ext 115
[EMAIL PROTECTED]