This was answered off list... (parallel comments below)

On Wednesday, March 8, 2006, 2:33:20 PM, Support wrote:
STI> I also have got a lot of false positives with code 063 which are HOLD now.
STI> I know it's not very nice to set email on HOLD when failing sniffer but
STI> I've got a major problem with spam and until a few days ago this was going
STI> well, at least a few false positives in a week.
STI> 03/07/2006 20:12:44.628 qdb2402d03b56.smd Msg failed SNIFFER (Message
STI> failed SNIFFER: 63.). Action=HOLD.
STI> l6l0ow6m20060307191244 Ddb2402d03b56.smd 31 31
STI> Match 672578 63 142 176 65
STI> l6l0ow6m20060307191244 Ddb2402d03b56.smd 31 31
STI> Final 672578 63 0 281965
STI> Could this please stop, sniffer was pretty reliable for us, but not at the
STI> moment.

The above rule was not created by the F001 bot. So far only 24 of
50,000 rules created by F001 have caused false positive cases. Most of
those were caused by exposure to gmail proxy which has since been made
invisible to the bot. F001 FP rates are dropping significantly and
there are measures in place to see that this trend continues
aggressively.

We need to give F001 more time.

All F001 rules are coded in group 63 where other IP rules are coded so
you can reduce the weighting and response of your system to this group
if it is causing issues - and then, hopefully, increase the weight
again once you see an acceptable risk for FPs (it can never be zero in
any filtering system).

If needed, the entire group can be masked out of a specific rulebase,
but that is an aggressive move. It is far preferable and more flexible
to adjust weighting and/or responses to result code 63 locally.

Hope this helps,

_M

PS: I'm considering enhancements to the F001 bot that will reduce the
rate of growth by ensuring a higher repeat rate before installing a
rule. This has an up side and a down side. The up side is that rules
will be added more slowly and that they will immediately have a larger
effect. The down side is that the benefit of the rule will be lost for
a period of time to allow for the additional repeats, thus allowing
more leakage.

This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html