[sniffer] Re: Experimental Abstract
Hello Frederick,

Tuesday, October 10, 2006, 8:14:15 AM, you wrote:

> Where can I find a list of the latest result codes?

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

#
This message is sent to you because you are subscribed to
the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>

[sniffer] Re: Experimental Abstract
Where can I find a list of the latest result codes?

----- Original Message -----
From: "John T (Lists)" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Monday, October 09, 2006 7:56 PM
Subject: [sniffer] Re: Experimental Abstract

I concur Pete in that I have been thinking about upping the weight for the EXP tests.

I recently changed ABST from 20 to 25. I attach at 25, hold at 30 and delete at 35.

SNIFFER-TRAVEL       47  20
SNIFFER-INSURANCE    48  20
SNIFFER-AV-PUSH      49  20
SNIFFER-WAREZ        50  30
SNIFFER-SPAMWARE     51  40
SNIFFER-SNAKEOIL     52  40
SNIFFER-SCAMS        53  40
SNIFFER-PORN         54  40
SNIFFER-MALWARE      55  25
SNIFFER-INKPRINTING  56  20
SNIFFER-SCHEMES      57  30
SNIFFER-CREDIT       58  30
SNIFFER-GAMBLING     59  30
SNIFFER-GENERAL      60  25
SNIFFER-EXP-ABST     61  25
SNIFFER-OBFUSCATION  62  25
SNIFFER-EXP-IP       63  20

John T
eServices For You

"Seek, and ye shall find!"

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, October 09, 2006 3:15 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Experimental Abstract

Hello Alberto,

In earlier times we had a philosophy that no single test should trap a message. The idea was that by combining tests the accuracy of the filter system would always (qualified) be improved.

The blackhats have become extremely aggressive about burning IPs and generating image spam and/or other abstracted, short lived, and narrowly targeted campaigns.

As a result of these changes, it is often the case that our abstract rules are the only thing that will fire on a message.

The bad news is that holding on any single test will probably lead to more false positives.

The good news is that SNF:Experimental/Abstract has a very low false positive rate.

It may be time to alter our philosophy w/ regard to the experimental/abstract rules group and recommend that wherever practical, messages should probably be held (not deleted) based on a hit in this rule group.

Hope this helps,

_M

Monday, October 9, 2006, 5:59:44 PM, you wrote:

> Hello
> I'm getting storms of spam and Sniffer sets them as (Experimental
> Abstract)
> Can someone explain how I have to treat them?
> Many thanks in advance
> Alberto

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

[sniffer] Re: Experimental Abstract
> The good news is that SNF:Experimental/Abstract has a very
> low false positive rate.
>
> It may be time to alter our philosophy w/ regard to the
> experimental/abstract rules group and recommend that wherever
> practical, messages should probably be held (not deleted)
> based on a hit in this rule group.

Already done around two weeks ago. The EXP/ABS-Test seems to be reliable and - still in combination with other tests - very useful to help block or subject-mark the messages.

Markus

[sniffer] Re: Experimental Abstract
I was setting a lower weight on the experimental/abstract result codes due to inconsistent results in the past. However, after a review of customer spam that was still getting through, I increased the weighting on those codes to equal our hold weight. Customer is much happier now.

-Jay

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, October 09, 2006 6:15 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Experimental Abstract

Hello Alberto,

In earlier times we had a philosophy that no single test should trap a message. The idea was that by combining tests the accuracy of the filter system would always (qualified) be improved.

The blackhats have become extremely aggressive about burning IPs and generating image spam and/or other abstracted, short lived, and narrowly targeted campaigns.

As a result of these changes, it is often the case that our abstract rules are the only thing that will fire on a message.

The bad news is that holding on any single test will probably lead to more false positives.

The good news is that SNF:Experimental/Abstract has a very low false positive rate.

It may be time to alter our philosophy w/ regard to the experimental/abstract rules group and recommend that wherever practical, messages should probably be held (not deleted) based on a hit in this rule group.

Hope this helps,

_M

Monday, October 9, 2006, 5:59:44 PM, you wrote:

> Hello
> I'm getting storms of spam and Sniffer sets them as (Experimental
> Abstract)
> Can someone explain how I have to treat them?
> Many thanks in advance
> Alberto

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

[sniffer] Re: Experimental Abstract
I concur Pete in that I have been thinking about upping the weight for the EXP tests.

I recently changed ABST from 20 to 25. I attach at 25, hold at 30 and delete at 35.

SNIFFER-TRAVEL       47  20
SNIFFER-INSURANCE    48  20
SNIFFER-AV-PUSH      49  20
SNIFFER-WAREZ        50  30
SNIFFER-SPAMWARE     51  40
SNIFFER-SNAKEOIL     52  40
SNIFFER-SCAMS        53  40
SNIFFER-PORN         54  40
SNIFFER-MALWARE      55  25
SNIFFER-INKPRINTING  56  20
SNIFFER-SCHEMES      57  30
SNIFFER-CREDIT       58  30
SNIFFER-GAMBLING     59  30
SNIFFER-GENERAL      60  25
SNIFFER-EXP-ABST     61  25
SNIFFER-OBFUSCATION  62  25
SNIFFER-EXP-IP       63  20

John T
eServices For You

"Seek, and ye shall find!"

> -----Original Message-----
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> Pete McNeil
> Sent: Monday, October 09, 2006 3:15 PM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Experimental Abstract
>
> Hello Alberto,
>
> In earlier times we had a philosophy that no single test should trap a
> message. The idea was that by combining tests the accuracy of the
> filter system would always (qualified) be improved.
>
> The blackhats have become extremely aggressive about burning IPs and
> generating image spam and/or other abstracted, short lived, and
> narrowly targeted campaigns.
>
> As a result of these changes, it is often the case that our abstract
> rules are the only thing that will fire on a message.
>
> The bad news is that holding on any single test will probably lead to
> more false positives.
>
> The good news is that SNF:Experimental/Abstract has a very low false
> positive rate.
>
> It may be time to alter our philosophy w/ regard to the
> experimental/abstract rules group and recommend that wherever
> practical, messages should probably be held (not deleted) based on a
> hit in this rule group.
>
> Hope this helps,
>
> _M
>
> Monday, October 9, 2006, 5:59:44 PM, you wrote:
>
> > Hello
> > I'm getting storms of spam and Sniffer sets them as (Experimental
> > Abstract)
> > Can someone explain how I have to treat them?
> > Many thanks in advance
> > Alberto
>
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.

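
Added example (not part of the original thread and not any list member's actual configuration): a short Python what-if that uses the weights and the attach/hold/delete thresholds from the message above to show what each test does when it is the only one that fires, and how raising the EXP-ABST weight to the hold weight changes the outcome. The `>=` threshold comparison and the OTHER-TEST entry are assumptions made for the illustration.

```python
# Added illustration. Weights and thresholds are the values John T posted;
# the ">=" comparison and the OTHER-TEST entry are assumptions.
ATTACH, HOLD, DELETE = 25, 30, 35   # "attach at 25, hold at 30 and delete at 35"

WEIGHTS = {
    "SNIFFER-TRAVEL": 20, "SNIFFER-INSURANCE": 20, "SNIFFER-AV-PUSH": 20,
    "SNIFFER-WAREZ": 30, "SNIFFER-SPAMWARE": 40, "SNIFFER-SNAKEOIL": 40,
    "SNIFFER-SCAMS": 40, "SNIFFER-PORN": 40, "SNIFFER-MALWARE": 25,
    "SNIFFER-INKPRINTING": 20, "SNIFFER-SCHEMES": 30, "SNIFFER-CREDIT": 30,
    "SNIFFER-GAMBLING": 30, "SNIFFER-GENERAL": 25, "SNIFFER-EXP-ABST": 25,
    "SNIFFER-OBFUSCATION": 25, "SNIFFER-EXP-IP": 20,
    "OTHER-TEST": 10,  # constructed: stands in for any non-Sniffer test
}

def action(total):
    """Map a summed weight to the strongest action whose threshold it reaches."""
    if total >= DELETE:
        return "delete"
    if total >= HOLD:
        return "hold"
    if total >= ATTACH:
        return "attach"
    return "none"

def evaluate(fired, weights=WEIGHTS):
    """Sum the weights of the tests that fired and return (total, action)."""
    total = sum(weights[name] for name in fired)
    return total, action(total)

def single_test_actions(weights=WEIGHTS):
    """Action each test triggers when it is the only test that fires."""
    return {name: action(w) for name, w in weights.items()}

def what_if(fired, test, new_weight, weights=WEIGHTS):
    """Re-evaluate the same hits with one test's weight changed."""
    return evaluate(fired, {**weights, test: new_weight})

if __name__ == "__main__":
    only_abst = ["SNIFFER-EXP-ABST"]
    print("ABST alone, weight 25:", evaluate(only_abst))
    print("ABST alone, old weight 20:", what_if(only_abst, "SNIFFER-EXP-ABST", 20))
    print("ABST alone, at hold weight:", what_if(only_abst, "SNIFFER-EXP-ABST", HOLD))
    print("ABST + OTHER-TEST:", evaluate(only_abst + ["OTHER-TEST"]))
    trap = [n for n, a in single_test_actions().items() if a in ("hold", "delete")]
    print("Tests that hold or delete on their own:", trap)
```
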
[sniffer] Re: Experimental Abstract
Hello Alberto,

In earlier times we had a philosophy that no single test should trap a message. The idea was that by combining tests the accuracy of the filter system would always (qualified) be improved.

The blackhats have become extremely aggressive about burning IPs and generating image spam and/or other abstracted, short lived, and narrowly targeted campaigns.

As a result of these changes, it is often the case that our abstract rules are the only thing that will fire on a message.

The bad news is that holding on any single test will probably lead to more false positives.

The good news is that SNF:Experimental/Abstract has a very low false positive rate.

It may be time to alter our philosophy w/ regard to the experimental/abstract rules group and recommend that wherever practical, messages should probably be held (not deleted) based on a hit in this rule group.

Hope this helps,

_M

Monday, October 9, 2006, 5:59:44 PM, you wrote:

> Hello
> I'm getting storms of spam and Sniffer sets them as (Experimental
> Abstract)
> Can someone explain how I have to treat them?
> Many thanks in advance
> Alberto

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.