Re[4]: [sniffer] New Rulebot F001

2006-03-08 Thread Pete McNeil
This was answered off list... (parallel comments below)

On Wednesday, March 8, 2006, 2:33:20 PM, Support wrote:


STI> I also have got a lot of false positives with code 063 which are HOLD now.
STI> I know it's not very nice to set email on HOLD when failing sniffer but
STI> I've got a major problem with spam and until a few days ago this was going
STI> well, at least a few false positives in a week. 


STI> 03/07/2006 20:12:44.628 qdb2402d03b56.smd Msg failed SNIFFER (Message
STI> failed SNIFFER: 63.). Action=HOLD.
STI> l6l0ow6m20060307191244  Ddb2402d03b56.smd   31  31
STI> Match   672578  63  142 176 65
STI> l6l0ow6m20060307191244  Ddb2402d03b56.smd   31  31
STI> Final   672578  63  0   281965


STI> Could this please stop, sniffer was pretty reliable for us, but not at the
STI> moment.

The above rule was not created by the F001 bot. So far only 24 of
50,000 rules created by F001 have caused false positive cases. Most of
those were caused by exposure to gmail proxy which has since been made
invisible to the bot. F001 FP rates are dropping significantly and
there are measures in place to see that this trend continues
aggressively.

We need to give F001 more time.

All F001 rules are coded in group 63 where other IP rules are coded so
you can reduce the weighting and response of your system to this group
if it is causing issues - and then, hopefully, increase the weight
again once you see an acceptable risk for FPs (it can never be zero in
any filtering system).

If needed, the entire group can be masked out of a specific rulebase,
but that is an aggressive move. It is far preferable and more flexible
to adjust weighting and/or responses to result code 63 locally.

Hope this helps,

_M

PS: I'm considering enhancements to the F001 bot that will reduce the
rate of growth by ensuring a higher repeat rate before installing a
rule. This has an up side and a down side. The up side is that rules
will be added more slowly and that they will immediately have a larger
effect. The down side is that the benefit of the rule will be lost for
a period of time to allow for the additional repeats, thus allowing
more leakage.



This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: Re[2]: [sniffer] New Rulebot F001

2006-03-08 Thread Support Traction IT

I also have got a lot of false positives with code 063 which are HOLD now.
I know it's not very nice to set email on HOLD when failing sniffer but
I've got a major problem with spam and until a few days ago this was going
well, at least a few false positives in a week. 


03/07/2006 20:12:44.628 qdb2402d03b56.smd Msg failed SNIFFER (Message
failed SNIFFER: 63.). Action=HOLD.
l6l0ow6m20060307191244  Ddb2402d03b56.smd   31  31
Match   672578  63  142 176 65
l6l0ow6m20060307191244  Ddb2402d03b56.smd   31  31
Final   672578  63  0   281965


Could this please stop, sniffer was pretty reliable for us, but not at the
moment.


Regards,

Marcel Sangers
Traction IT



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: dinsdag 7 maart 2006 0:18
To: Darin Cox
Subject: Re[2]: [sniffer] New Rulebot F001

On Monday, March 6, 2006, 3:42:50 PM, Darin wrote:

DC> We just reviewed this morning's logs and had a few false positives.  
DC> Not sure if these are due to the new rulebot, but it's more than 
DC> we've had for the entire day for the past month.

DC> Rules
DC> --
DC> 873261
DC> 866398
DC> 856734
DC> 284831
DC> 865663

Three of these are from F001 and have been removed.

865663 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.233.166.182
 http://www.dnsstuff.com/tools/ptr.ch?ip=64.233.166.182

856734 - http://www.dnsstuff.com/tools/ip4r.ch?ip=64.249.82.200
 http://www.dnsstuff.com/tools/ptr.ch?ip=64.249.82.200

873261 - http://www.dnsstuff.com/tools/ip4r.ch?ip=207.217.120.227
 http://www.dnsstuff.com/tools/ptr.ch?ip=207.217.120.227


I haven't yet processed the fps, only looked up the rules.

There are currently 32820 rules authored by the F001 bot.

Hope this helps,

_M




