RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

I'm breaking this into two discussions as they are two different topics.

 

The REAL point of Pete's input (and my suggestion) for SNFIPREP is that the
reputation scale of -1 through +1 should NOT just result in either ONE
positive or ONE negative weight option.  

 

Your example:

 

IPREPUTATION   SNFIPREP   x   0   10  -5

 

only results in either a "10" being added or a "5" being subtracted. So you
are turning a continuous scale of -1 to +1 into two discrete values - losing
all the key benefits of having the reputation scale in the first place. 

 

You already have the SNFIP return codes, if someone wanted a "fix" value for
a particular "level" of reputation.

 

 

To really make use of the GBUdb, there should be a continuous weight from 0
to 10 for "bad" reputation and 0 through -5 for "good" reputation (using
your sample of 10 and -5).

 

Basically, for positive GBUdb values, multiply with the "10" (getting a
value from 0 to 10 depending on "how bad" the reputation is), for negative
values multiply with "-5" to get a weight from 0 to -5 (depending on "how
good" the IP is).

 

This would make the test really useful because it would only cause BIG
weight changes for BIG GBUdb values.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 3:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

 

As Pete already provided input on this. I am not going to prolix the answer
other than to say when implementing Message Sniffer we abided by Pete's
advice "Since many legitimate ISPs also produce a lot of spam it might be
useful to apply a bias to this weight so that these systems appear closer to
zero." So currently we do not allow for a negative value as a BASEPOINT,
with that said if you think it is really important to be able to use a
negative value as you have described in your post, let me know and I can add
it to the dev list.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
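
The contrast drawn in the message above, as an added Python illustration; it is not part of the original posts and not Declude's code. The function names are hypothetical, the trigger rule follows the formula quoted elsewhere in this archive ((SNIFFER RETURN) x 10 - BASEPOINT, decimals truncated), and keeping fractional weights instead of rounding them is an assumption.

```python
import math


def _check(reputation):
    # The thread describes the reputation scale as -1 (good) through +1 (bad).
    if not -1.0 <= reputation <= 1.0:
        raise ValueError("reputation must be within -1.0 .. +1.0")


def two_valued_weight(reputation, basepoint=0, w_triggered=10, w_not_triggered=-5):
    """Two-valued scheme for a line like: IPREPUTATION SNFIPREP x 0 10 -5.

    Interpretation of the thread, not Declude source: the scaled,
    truncated value minus the basepoint only selects one of two weights.
    """
    _check(reputation)
    result = math.trunc(reputation * 10) - basepoint
    if result > 0:
        return w_triggered        # "triggered": full positive weight
    if result < 0:
        return w_not_triggered    # "not-triggered": full negative weight
    return 0                      # exactly zero: no weight at all


def graduated_weight(reputation, w_bad=10, w_good=-5):
    """Graduated scheme proposed in the message: weight grows with |reputation|."""
    _check(reputation)
    if reputation > 0:
        return reputation * w_bad         # 0 .. +10 depending on "how bad"
    if reputation < 0:
        return abs(reputation) * w_good   # 0 .. -5 depending on "how good"
    return 0.0


def compare(samples):
    """Return (reputation, two-valued weight, graduated weight) per sample."""
    return [(r, two_valued_weight(r), graduated_weight(r)) for r in samples]


# Constructed sample values; 0.267262 is the figure used in the thread.
SAMPLES = [-0.95, -0.267262, -0.15, 0.0, 0.15, 0.267262, 0.95]

if __name__ == "__main__":
    print(f"{'reputation':>11} {'two-valued':>11} {'graduated':>10}")
    for rep, discrete, graded in compare(SAMPLES):
        print(f"{rep:>11.6f} {discrete:>11d} {graded:>10.3f}")
```

With the two-valued rule a reputation of 0.15 draws the same +10 as 0.95; with the graduated rule it draws 1.5 against 9.5, so only strongly rated IPs move the total much.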

RE: [Declude.JunkMail] Sniffer "BasePoint"

2010-05-03 Thread David Barker
What you said.  Yes (4/30 = Friday, this is why we don't buy cars made on a
Friday)  so the results would be the same except for the 0 BASEPOINT which
means a not-triggered for -5

 

I will add the ability of using a negative weight for the BASEPOINT as
this gives customers more flexibility with the use of this test.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, May 03, 2010 4:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer "BasePoint"

 

Hi Dave,

 

Let's keep the BasePoint a separate discussion.

 

Here's what you sent on 4/30:

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

So - since "left" of zero (negative) are the good reputation and "right" of
zero (positive) are bad reputation, and you are subtracting the basepoint
(lowering a positive Sniffer Score) - so effectively you are moving the
center further to the RIGHT. A basepoint of "3" will have the effect that
-1.0 through +0.3 is "good reputation", +0.3 is "the null point" and +0.3 to
+1.0 is now "bad" reputation, right?

 

But your sample math doesn't match your formula:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

 Using math rules (assuming you are simply truncating any decimals, not
rounding), you SHOULD be getting:

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -3 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = -4 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 3 = -5 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -6 This is negative then the test is not-triggered for
-5 points.

 

In any case, if you ONLY allow a "positive" base point that is being
subtracted then you can only use the SNFIPREP test to reduce the number of
IPs that are considered "bad".  But, if you are trying to use SNFIPREP for
"whitelisting" and want to limit that number of IPs that are considered
"good" then you need to be able to add the basepoint - which moves the
center further to the LEFT.

 

So I think a negative basepoint would be useful (but not urgent in light of
the fact that you just sent me earlier SNFIP return codes that allow testing
for "white").

 

Best Regards,

Andy

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 3:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

 

As Pete already provided input on this. I am not going to prolix the answer
other than to say when implementing Message Sniffer we abided by Pete's
advice "Since many legitimate ISPs also produce a lot of spam it might be
useful to apply a bias to this weight so that these systems appear closer to
zero." So currently we do not allow for a negative value as a BASEPOINT,
with that said if you think it is really important to be able to use a
negative value as you have described in your post, let me know and I can add
it to the dev list.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Saturday, May 01, 2010 1:51 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

 

Hi Pete,

 

Funny - our messages overlapped. But I'm glad I was on the right track with
my suspicions. Hopefully this will help Declude to refine things.

 

>> a better way to do it would be to scale the result so that from 0 to -1
the "negative" weight (let's pick a factor of 5) would rise linearly from 0
to -5 and similarly a positive going reputation would scale linearly from 0
to +5 as the API result scaled from 0 to +1. <<

 

Right - that's the same scheme I just pointed out to Dave myself - except in
my case you could pick a distinct factor for the "-" vs. the "+" side of the
scale (because Declude already has that option anyhow)

 

(( Abs(Reputation Value) * 10 ) - Base Value) * [Pos or
Neg]WeightFact

RE: [Declude.JunkMail] Sniffer "BasePoint"

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

Let's keep the BasePoint a separate discussion.

 

Here's what you sent on 4/30:

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

So - since "left" of zero (negative) are the good reputation and "right" of
zero (positive) are bad reputation, and you are subtracting the basepoint
(lowering a positive Sniffer Score) - so effectively you are moving the
center further to the RIGHT. A basepoint of "3" will have the effect that
-1.0 through +0.3 is "good reputation", +0.3 is "the null point" and +0.3 to
+1.0 is now "bad" reputation, right?

 

But your sample math doesn't match your formula:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

 Using math rules (assuming you are simply truncating any decimals, not
rounding), you SHOULD be getting:

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -3 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = -4 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 3 = -5 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -6 This is negative then the test is not-triggered for
-5 points.

 

In any case, if you ONLY allow a "positive" base point that is being
subtracted then you can only use the SNFIPREP test to reduce the number of
IPs that are considered "bad".  But, if you are trying to use SNFIPREP for
"whitelisting" and want to limit that number of IPs that are considered
"good" then you need to be able to add the basepoint - which moves the
center further to the LEFT.

 

So I think a negative basepoint would be useful (but not urgent in light of
the fact that you just sent me earlier SNFIP return codes that allow testing
for "white").

 

Best Regards,

Andy

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 3:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

 

As Pete already provided input on this. I am not going to prolix the answer
other than to say when implementing Message Sniffer we abided by Pete's
advice "Since many legitimate ISPs also produce a lot of spam it might be
useful to apply a bias to this weight so that these systems appear closer to
zero." So currently we do not allow for a negative value as a BASEPOINT,
with that said if you think it is really important to be able to use a
negative value as you have described in your post, let me know and I can add
it to the dev list.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Saturday, May 01, 2010 1:51 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

 

Hi Pete,

 

Funny - our messages overlapped. But I'm glad I was on the right track with
my suspicions. Hopefully this will help Declude to refine things.

 

>> a better way to do it would be to scale the result so that from 0 to -1
the "negative" weight (let's pick a factor of 5) would rise linearly from 0
to -5 and similarly a positive going reputation would scale linearly from 0
to +5 as the API result scaled from 0 to +1. <<

 

Right - that's the same scheme I just pointed out to Dave myself - except in
my case you could pick a distinct factor for the "-" vs. the "+" side of the
scale (because Declude already has that option anyhow)

 

(( Abs(Reputation Value) * 10 ) - Base Value) * [Pos or
Neg]WeightFactor = Final Weight

 

For this line in the Declude config:

 

IPREPUTATION SNFIPREP x 0 2 -1

 

it would result in weights between +20 and -10, e.g.:

 

Reputation 0.0: ( ( 0.0 * 10 ) - 0 ) * 2   =   0

 

Reputation 0.3: ( ( 0.3 * 10 ) - 0 ) * 2   =   6

Reputation 1.0: ( ( 1.0 * 10 ) - 0 ) * 2   =  20

  

Reputation -0.3: ( ( 0.3 * 10 ) - 0 ) * -1 =   -3

Reputation -1.0: ( ( 1.0 * 10 ) - 0 ) * -1 = -10

 

 

Here's an important question, though:

 

Do you have

RE: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

2010-05-03 Thread David Barker
As Pete already provided input on this. I am not going to prolix the answer
other than to say when implementing Message Sniffer we abided by Pete's
advice "Since many legitimate ISPs also produce a lot of spam it might be
useful to apply a bias to this weight so that these systems appear closer to
zero." So currently we do not allow for a negative value as a BASEPOINT,
with that said if you think it is really important to be able to use a
negative value as you have described in your post, let me know and I can add
it to the dev list.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Saturday, May 01, 2010 1:51 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

 

Hi Pete,

 

Funny - our messages overlapped. But I'm glad I was on the right track with
my suspicions. Hopefully this will help Declude to refine things.

 

>> a better way to do it would be to scale the result so that from 0 to -1
the "negative" weight (let's pick a factor of 5) would rise linearly from 0
to -5 and similarly a positive going reputation would scale linearly from 0
to +5 as the API result scaled from 0 to +1. <<

 

Right - that's the same scheme I just pointed out to Dave myself - except in
my case you could pick a distinct factor for the "-" vs. the "+" side of the
scale (because Declude already has that option anyhow)

 

(( Abs(Reputation Value) * 10 ) - Base Value) * [Pos or
Neg]WeightFactor = Final Weight

 

For this line in the Declude config:

 

IPREPUTATION SNFIPREP x 0 2 -1

 

it would result in weights between +20 and -10, e.g.:

 

Reputation 0.0: ( ( 0.0 * 10 ) - 0 ) * 2   =   0

 

Reputation 0.3: ( ( 0.3 * 10 ) - 0 ) * 2   =   6

Reputation 1.0: ( ( 1.0 * 10 ) - 0 ) * 2   =  20

  

Reputation -0.3: ( ( 0.3 * 10 ) - 0 ) * -1 =   -3

Reputation -1.0: ( ( 1.0 * 10 ) - 0 ) * -1 = -10

 

 

Here's an important question, though:

 

Do you have a distribution chart for the reputation scale? It of course
makes a HUGE difference, whether the distribution of reputations reported for
the inflow of email is evenly distributed between -1.0 and 0.1, or whether
it is a bell curve where 80% are in the "center" area, or whether it's some
sort of exponential curve that has very few with "good" reputation, a modest
amount around the 0 point, and then exponentially increasing towards the bad
and turn reputations?

 

This way one could decide what factors to use for the + and - sides and
where to set the "mid" point (Declude allows you to shift the mid-point left
and right).

 

>> I'm guessing on how that test is implemented, but if I've guessed
correctly then -0.8 would certainly be a good WHITE set point.<<

 

Thank you - that means in their "default" (sample) config file, they really
should adjust the midpoint away from "0" to "-8" (they multiply the
reputation scale by 10 to be able to work with integers) 

 

IPREPUTATION  SNFIPREP  x  0  2   -1

 

probably to

 

IPREPUTATION   SNFIPREP   x -8  2 -1

 

but I'd have to check with Dave to see if "-8" will indeed set the midpoint
to -0.8 or if the sign has to be reversed.

 

Thanks for taking the time to help all of us understand Sniffer in the
context of the Declude integration.

 

I'm very happy that Declude took the time and integrated the product. I just
would like to make sure it comes with an implementation sample that is a
good enough compromise for "day-to-day" use.

 

Best Regards,

Andy

 

 

 

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Saturday, May 01, 2010 11:57 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

 

On 4/30/2010 9:32 PM, Andy Schmidt wrote:

 

 



 

> But your documentation of the reputation system has a graph that shows that
> there is yet another category: "WHITE".
>

I don't know the details of Declude's implementation. Presumably they
could (or maybe even do) implement WHITE.

> The SNFIPREP test does offer the ability to define at what decimal value
> (between -1 and +1, in .1 increments) a weight can be subtracted. But the
> question is - is that SENSIBLE use of your reputation database? Per example,
> could -0.8 be a sensible threshold to give an email "credit" for coming from
> a reputable IP source?

>

 

I'm guessing on how that test is implemented, but if I've guessed 

correctly then -0.8 would certainly be a good WHITE set point.

 

My guess is based on using a combined score value from the IP reputation 

that combines the confidence figure and the probability figure. In that 

case only a strongly negative p coupled w

RE: [Declude.JunkMail] SNFIP option for "WHITE"?

2010-05-03 Thread Andy Schmidt
Excellent - THANKS!

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 2:44 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] SNFIP option for "WHITE"?

The exit codes are as follows:

Unknown = 0
White = 1
Normal = 2
New = 3
Caution = 4
Black = 5
Truncate = 6

The format in Declude would be.

TESTNAME    TESTTYPE  X  EXITCODE  WEIGHT-TRIGGERED  WEIGHT-NOTTRIGGERED

SNFIPWHITE  SNFIP     X  1         -5                0


David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Saturday, May 01, 2010 2:19 PM
To: declude.junkmail@declude.com
Subject: FW: [Declude.JunkMail] SNFIP option for "WHITE"?

Dave,

Pete confirmed that in addition to the "Caution", "Black" and "Truncate"
categories, there is a "WHITE" category (which was also mentioned in the
Sniffer documentation).

So, it seems as if besides the existing three "SNFIP" options:

  SNFIPCAUTION   SNFIP x 4  5 0
  SNFIPBLACK SNFIP x 5 10 0
  SNFIPTRUNCATE  SNFIP x 6 10 0

there should/could be a:

  SNFIPWHITE SNFIP x ??? -5 0

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Saturday, May 01, 2010 11:57 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

> But your documentation of the reputation system has a graph that shows that
> there is yet another category: "WHITE".

I don't know the details of Declude's implementation. Presumably they








RE: [Declude.JunkMail] SNFIP option for "WHITE"?

2010-05-03 Thread David Barker
The exit codes are as follows:

Unknown = 0
White = 1
Normal = 2
New = 3
Caution = 4
Black = 5
Truncate = 6

The format in Declude would be.

TESTNAME    TESTTYPE  X  EXITCODE  WEIGHT-TRIGGERED  WEIGHT-NOTTRIGGERED

SNFIPWHITE  SNFIP     X  1         -5                0


David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Saturday, May 01, 2010 2:19 PM
To: declude.junkmail@declude.com
Subject: FW: [Declude.JunkMail] SNFIP option for "WHITE"?

Dave,

Pete confirmed that in addition to the "Caution", "Black" and "Truncate"
categories, there is a "WHITE" category (which was also mentioned in the
Sniffer documentation).

So, it seems as if besides the existing three "SNFIP" options:

  SNFIPCAUTION   SNFIP x 4  5 0
  SNFIPBLACK SNFIP x 5 10 0
  SNFIPTRUNCATE  SNFIP x 6 10 0

there should/could be a:

  SNFIPWHITE SNFIP x ??? -5 0

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Saturday, May 01, 2010 11:57 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

> But your documentation of the reputation system has a graph that shows that
> there is yet another category: "WHITE".

I don't know the details of Declude's implementation. Presumably they
could (or maybe even do) implement WHITE.








RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

Thanks - I don't want to upset your development schedule (naturally, I can
cope with things as they are) - just wanted to make sure it's on someone
else's list.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 1:19 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

I will check with engineering. If this is an easy change I will get it in an
interim soon, also with the "nonzero" for SNF as we discussed in an earlier
thread. 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, May 03, 2010 1:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

Hi Dave,

 

I agree with you that the total weight of 9 is correct (I had already
"piecemealed" that arithmetic together in my msg). 

 

>> As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be <<

 

Good - because, if your programmer was able to add "ZeroHour" to the "Tests
Failed" line, and also to the "SMTP Headers" variable, in the various
sections of the program flow - then I'd say it was merely an oversight that
it was omitted from the ONE log line that "should be the complete list of
tests used in calculating the score", as you already confirmed.

 

>> I believe this is the list of  "non-zero" tests you are looking for with
the exception of Commtouch ZEROHOUR. <<

 

Right - so all we need is to get the missing ZEROHOUR included, so that it
truly IS a list of non-zero tests.

 

Thanks for checking into this.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 12:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

The Tests failed (Triggered) showing tests that ARE triggered. In this case:

 

Tests failed [weight=9]: 

 

SPFPASS=IGNORE[-2] 

CONTENT=IGNORE[7] 

ZEROHOUR=WEIGHT[6]

 

Total: 11

 

As nIPNOTINMX:-2 is NOT triggered it cannot be in the same list of emails
that ARE triggered, providing the -2 to the final equation we have a correct
Total of.

 

Total: 9

 

As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be, but this line should be the complete list of tests used
in calculating the score. I believe this is the list of  "non-zero" tests
you are looking for with the exception of Commtouch ZEROHOUR.

 

q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  Total weight = 9.

 

nIPNOTINMX:-2 

SPFPASS:-2 

CONTENT:7

 

Total: 3

 

ZEROHOUR=6

 

Total: 9

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 



RE: [Declude.JunkMail] Sniffer Integration -> Multiple Exit Codes

2010-05-03 Thread Andy Schmidt
Hi Dave (just in case this one got lost),

 

>> Also even though there are multiple entries the test only runs once and
the resulted exit code is the triggered. <<

I know that all 18 "SNF" rule lines only require one invocation of Sniffer -
which are then evaluated 18 different ways. Fair enough.

I also know that the 3 "SNFIP" rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the "SNFIPREP" rule.

 

So I need to clarify this in my head. Will all 22 "SNF." rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREPS) a separate entity that requires additional overhead?

Since there is overlap between:

SNFIPREP (which evaluates the GBUdb) and SNFIP (which also evaluates the
GBUdb) and SNF-IP-RULES and SNFTRUNCATE (which also evaluate the GBUdb) -
and I'm wondering if eliminating the SNFIP and SNFIPREP and just sticking
with the SNF rules (which already has exit codes 20 and 63) would further
reduce the Sniffer overhead by 2/3?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123"   12   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David




RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

2010-05-03 Thread David Barker
I will check with engineering. If this is an easy change I will get it in an
interim soon, also with the "nonzero" for SNF as we discussed in an earlier
thread. 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, May 03, 2010 1:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

Hi Dave,

 

I agree with you that the total weight of 9 is correct (I had already
"piecemealed" that arithmetic together in my msg). 

 

>> As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be <<

 

Good - because, if your programmer was able to add "ZeroHour" to the "Tests
Failed" line, and also to the "SMTP Headers" variable, in the various
sections of the program flow - then I'd say it was merely an oversight that
it was omitted from the ONE log line that "should be the complete list of
tests used in calculating the score", as you already confirmed.

 

>> I believe this is the list of  "non-zero" tests you are looking for with
the exception of Commtouch ZEROHOUR. <<

 

Right - so all we need is to get the missing ZEROHOUR included, so that it
truly IS a list of non-zero tests.

 

Thanks for checking into this.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 12:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

The Tests failed (Triggered) showing tests that ARE triggered. In this case:

 

Tests failed [weight=9]: 

 

SPFPASS=IGNORE[-2] 

CONTENT=IGNORE[7] 

ZEROHOUR=WEIGHT[6]

 

Total: 11

 

As nIPNOTINMX:-2 is NOT triggered it cannot be in the same list of emails
that ARE triggered, providing the -2 to the final equation we have a correct
Total of.

 

Total: 9

 

As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be, but this line should be the complete list of tests used
in calculating the score. I believe this is the list of  "non-zero" tests
you are looking for with the exception of Commtouch ZEROHOUR.

 

q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  Total weight = 9.

 

nIPNOTINMX:-2 

SPFPASS:-2 

CONTENT:7

 

Total: 3

 

ZEROHOUR=6

 

Total: 9

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 



RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

I agree with you that the total weight of 9 is correct (I had already
"piecemealed" that arithmetic together in my msg). 

 

>> As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be <<

 

Good - because, if your programmer was able to add "ZeroHour" to the "Tests
Failed" line, and also to the "SMTP Headers" variable, in the various
sections of the program flow - then I'd say it was merely an oversight that
it was omitted from the ONE log line that "should be the complete list of
tests used in calculating the score", as you already confirmed.

 

>> I believe this is the list of  "non-zero" tests you are looking for with
the exception of Commtouch ZEROHOUR. <<

 

Right - so all we need is to get the missing ZEROHOUR included, so that it
truly IS a list of non-zero tests.

 

Thanks for checking into this.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 12:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

The Tests failed (Triggered) showing tests that ARE triggered. In this case:

 

Tests failed [weight=9]: 

 

SPFPASS=IGNORE[-2] 

CONTENT=IGNORE[7] 

ZEROHOUR=WEIGHT[6]

 

Total: 11

 

As nIPNOTINMX:-2 is NOT triggered it cannot be in the same list of emails
that ARE triggered, providing the -2 to the final equation we have a correct
Total of.

 

Total: 9

 

As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be, but this line should be the complete list of tests used
in calculating the score. I believe this is the list of  "non-zero" tests
you are looking for with the exception of Commtouch ZEROHOUR.

 

q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  Total weight = 9.

 

nIPNOTINMX:-2 

SPFPASS:-2 

CONTENT:7

 

Total: 3

 

ZEROHOUR=6

 

Total: 9

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 




RE: [Declude.JunkMail] Enumerating and Weighting IP4R/RHSBL/DNSBL tests

2010-05-03 Thread Scott Fisher
   





   




-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Jim
Comerford
Sent: Thursday, April 29, 2010 7:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Enumerating and Weighting IP4R/RHSBL/DNSBL
tests


>>I also use fresh15.spameatingmonkey.net and urired.spameatingmonkey.net in
my invuribl config

Do you happen to know the config lines you need for invuribl to use
these...?











RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

2010-05-03 Thread David Barker
The Tests failed (Triggered) showing tests that ARE triggered. In this case:

 

Tests failed [weight=9]: 

 

SPFPASS=IGNORE[-2] 

CONTENT=IGNORE[7] 

ZEROHOUR=WEIGHT[6]

 

Total: 11

 

As nIPNOTINMX:-2 is NOT triggered it cannot be in the same list of emails
that ARE triggered, providing the -2 to the final equation we have a correct
Total of.

 

Total: 9

 

As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be, but this line should be the complete list of tests used
in calculating the score. I believe this is the list of  "non-zero" tests
you are looking for with the exception of Commtouch ZEROHOUR.

 

q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  Total weight = 9.

 

nIPNOTINMX:-2 

SPFPASS:-2 

CONTENT:7

 

Total: 3

 

ZEROHOUR=6

 

Total: 9

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, May 03, 2010 11:43 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

Hi Dave,

 

I do have SOME tests suppressed from the SMTP headers:

 

HIDETESTS   CATCHALLMAILS IPNOTINMX NOLEGITCONTENT WEIGHTKILL2 WEIGHT8 WEIGHT10 WEIGHTHDR WEIGHTFOOTER NJABL AHBL SORBS SENDERDB WEIGHTGATEWAY

 

So the SMTP header looks correct - and the weight of 9 is accurate:

 

X-Declude-RefID: str=0001.0A020203.4BDEB008.02BD,ss=3,sh,fgs=0

X-Declude: Version 4.10.48; Code 0xe from www.mailglobal.net [64.27.0.60]

X-Declude: Triggered [9] SPFPASS, SNIFFER-GENERAL, ZEROHOUR [6] 

X-IMail-ThreadID: 4d2f8f571d69

 

However, in the log file, there is not ONE line that actually adds up to the
total weight of 9 (in this case: [Content] 7 + [ZeroHour] 6 = 13; minus
[IpNotInmx] 2 minus [SPFpass] 2 = [total] 9).

 

One log line misses the "ZeroHour" test, the other misses the IpNotInMx.  I
think ONE of these two lines should be implemented in a way so that it lists
everything that is "non-zero" so that a user can easily see HOW the total
weight was derived - otherwise, what's the point of logging any tests.

 

q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  Total weight = 9.
q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight >=19 (9) and at least 1 recipients (1).
q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight >=14 (9) and at least 4 recipients (1).
q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight >=12 (9) and at least 6 recipients (1).
q4d2f8f571d69.smd Did not find [ smartcouponsa...@tillcrashing.com ] in [ andy_schm...@hm-software.com ] address book
q4d2f8f571d69.smd Finish Address Book WhiteList
q4d2f8f571d69.smd Tests failed [weight=9]: NOLEGITCONTENT=IGNORE[0] SPFPASS=IGNORE[-2] SNIFFER-GENERAL=IGNORE[0] CONTENT=IGNORE[7] WEIGHT8=SUBJECT[8] ZEROHOUR=WEIGHT[6]
q4d2f8f571d69.smd L1 Message OK
q4d2f8f571d69.smd Subject: May 2010 local coupon deals.
q4d2f8f571d69.smd From: smartcouponsa...@tillcrashing.com To: andy_schm...@hm-software.com  IP: 64.27.0.60 ID:
q4d2f8f571d69.smd Action(s) taken for [andy_schm...@hm-software.com] = IGNORE SUBJECT  [LAST ACTION=SUBJECT]
q4d2f8f571d69.smd Cumulative action(s) on this email = IGNORE SUBJECT [LAST ACTION=SUBJECT]

 

Best Regards,

Andy






[Declude.JunkMail] Reporting of Tests Failed Incomplete?

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

I do have SOME tests suppressed from the SMTP headers:

 

HIDETESTS   CATCHALLMAILS IPNOTINMX NOLEGITCONTENT WEIGHTKILL2 WEIGHT8 WEIGHT10 WEIGHTHDR WEIGHTFOOTER NJABL AHBL SORBS SENDERDB WEIGHTGATEWAY

 

So the SMTP header looks correct - and the weight of 9 is accurate:

 

X-Declude-RefID: str=0001.0A020203.4BDEB008.02BD,ss=3,sh,fgs=0

X-Declude: Version 4.10.48; Code 0xe from www.mailglobal.net [64.27.0.60]

X-Declude: Triggered [9] SPFPASS, SNIFFER-GENERAL, ZEROHOUR [6] 

X-IMail-ThreadID: 4d2f8f571d69

 

However, in the log file, there is not ONE line that actually adds up to the
total weight of 9 (in this case: [Content] 7 + [ZeroHour] 6 = 13; minus
[IpNotInmx] 2 minus [SPFpass] 2 = [total] 9).

 

One log line misses the "ZeroHour" test, the other misses the IpNotInMx.  I
think ONE of these two lines should be implemented in a way so that it lists
everything that is "non-zero" so that a user can easily see HOW the total
weight was derived - otherwise, what's the point of logging any tests.

 

q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  Total weight = 9.
q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight >=19 (9) and at least 1 recipients (1).
q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight >=14 (9) and at least 4 recipients (1).
q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight >=12 (9) and at least 6 recipients (1).
q4d2f8f571d69.smd Did not find [ smartcouponsa...@tillcrashing.com ] in [ andy_schm...@hm-software.com ] address book
q4d2f8f571d69.smd Finish Address Book WhiteList
q4d2f8f571d69.smd Tests failed [weight=9]: NOLEGITCONTENT=IGNORE[0] SPFPASS=IGNORE[-2] SNIFFER-GENERAL=IGNORE[0] CONTENT=IGNORE[7] WEIGHT8=SUBJECT[8] ZEROHOUR=WEIGHT[6]
q4d2f8f571d69.smd L1 Message OK
q4d2f8f571d69.smd Subject: May 2010 local coupon deals.
q4d2f8f571d69.smd From: smartcouponsa...@tillcrashing.com To: andy_schm...@hm-software.com  IP: 64.27.0.60 ID:
q4d2f8f571d69.smd Action(s) taken for [andy_schm...@hm-software.com] = IGNORE SUBJECT  [LAST ACTION=SUBJECT]
q4d2f8f571d69.smd Cumulative action(s) on this email = IGNORE SUBJECT [LAST ACTION=SUBJECT]

 

Best Regards,

Andy
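
Added example (not part of the original thread and not Declude's own code): a small reconciler that parses the two log lines quoted above, merges their per-test weights, and reports which tests each line omits relative to the logged total. It assumes WEIGHTn entries such as WEIGHT8 are threshold tests that do not add to the score, since Dave's breakdown leaves WEIGHT8 out; the function names and result keys are hypothetical.

```python
import re

# Constructed input: the two log lines quoted in the thread, wrapped lines joined.
WEIGHT_LINE = ("q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  "
               "Total weight = 9.")
FAILED_LINE = ("q4d2f8f571d69.smd Tests failed [weight=9]: "
               "NOLEGITCONTENT=IGNORE[0] SPFPASS=IGNORE[-2] "
               "SNIFFER-GENERAL=IGNORE[0] CONTENT=IGNORE[7] "
               "WEIGHT8=SUBJECT[8] ZEROHOUR=WEIGHT[6]")

def parse_weight_line(line):
    """'NAME:weight ... Total weight = N.' -> ({name: weight}, N)."""
    body, _, total = line.partition("Total weight =")
    tests = {n: int(w) for n, w in re.findall(r"([\w-]+):(-?\d+)", body)}
    return tests, int(total.strip(" ."))

def parse_failed_line(line):
    """'Tests failed [weight=N]: NAME=ACTION[weight] ...' -> ({name: weight}, N)."""
    total = int(re.search(r"\[weight=(-?\d+)\]", line).group(1))
    body = line.split("]:", 1)[1]
    pairs = re.findall(r"([\w-]+)=\w+\[(-?\d+)\]", body)
    return {n: int(w) for n, w in pairs}, total

def reconcile(weight_line, failed_line):
    """Merge both lines and report which tests each one leaves out."""
    w_tests, w_total = parse_weight_line(weight_line)
    f_tests, f_total = parse_failed_line(failed_line)
    # Assumption: WEIGHTn entries are threshold tests that fire on the total
    # and add nothing to it (Dave's breakdown omits WEIGHT8). Zero weights drop out.
    scoring = {n: w for n, w in f_tests.items()
               if w != 0 and not re.fullmatch(r"WEIGHT\d+", n)}
    merged = {**w_tests, **scoring}
    return {
        "logged_total": w_total,
        "totals_agree": w_total == f_total,
        "weight_line_sum": sum(w_tests.values()),
        "failed_line_sum": sum(scoring.values()),
        "merged_sum": sum(merged.values()),
        "only_in_failed_line": sorted(set(scoring) - set(w_tests)),
        "only_in_weight_line": sorted(set(w_tests) - set(f_tests)),
        "conflicts": sorted(n for n in set(w_tests) & set(scoring)
                            if w_tests[n] != scoring[n]),
    }

if __name__ == "__main__":
    for key, value in reconcile(WEIGHT_LINE, FAILED_LINE).items():
        print(f"{key}: {value}")
```

Neither line sums to the logged total on its own; only the merged set does, which is the gap the thread is about.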


