RE: Re[2]: [sniffer] Rule Strengths

2004-08-03 Thread John Tolmachoff (Lists)
I am still seeing a large amount of this new type of spam getting through.

John Tolmachoff
Engineer/Consultant/Owner
[EMAIL PROTECTED]
626-737-6003
Fax 626-737-6004



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
> Sent: Saturday, July 31, 2004 1:48 PM
> To: John Tolmachoff (Lists)
> Subject: Re[2]: [sniffer] Rule Strengths
> 
> On Saturday, July 31, 2004, 3:32:46 PM, John wrote:
> 
> JTL> (Moved to list)
> 
> JTL> Thanks, got it.
> 
> JTL> These are my current lines, do I need to add others, or are the rules within
> JTL> these codes? (I hold at 25 and delete at 35)
> 
> JTL> Is there a full list of codes on the web site?
> 
> JTL> SNIFFER-TRAVEL        external 04715  0
> JTL> SNIFFER-INSURANCE     external 04815  0
> JTL> SNIFFER-AV-PUSH       external 04915  0
> JTL> SNIFFER-WAREZ         external 05025  0
> JTL> SNIFFER-SPAMWARE      external 05130  0
> JTL> SNIFFER-SNAKEOIL      external 05225  0
> JTL> SNIFFER-SCAMS         external 05330  0
> JTL> SNIFFER-PORN          external 05430  0
> JTL> SNIFFER-MALWARE       external 05520  0
> JTL> SNIFFER-ADVERTISING   external 05615  0
> JTL> SNIFFER-SCHEMES       external 05725  0
> JTL> SNIFFER-CREDIT        external 05825  0
> JTL> SNIFFER-GAMBLING      external 05925  0
> JTL> SNIFFER-GREYMAIL      external 06010  0
> JTL> SNIFFER-OBFUSCATION   external 06115  0
> JTL> SNIFFER-EXPERIMENTAL  external 06220  0
> JTL> SNIFFER-GENERAL       external 06320  0
> 
> It looks like you have it covered.
> 
> There is a complete list here that we keep up to date:
> 
> <http://www.sortmonster.com/MessageSniffer/Help/ResultCodesHelp.html>
> 
> I note a few discrepancies.
> 
> 56 you have as Advertising - ?? This has always been ink & toner and
> printing supplies... perhaps that's what you mean. There is no general
> advertising rule group - most spam is some kind of advertisement.
> 
> 60 is now Experimental IP rules. The gray hosting rule group has been
> retired and subsequent to that the Experimental IP rules were split
> away from the Experimental Abstract rules. Further, the processes we
> use to generate Experimental IP rules have changed quite a bit so that
> this rule group is much less prone to false positives than before and
> should continue to improve. Most IP rules are now added automatically
> through verification with other services and our own automated tests
> and then verified by a human. All Experimental IP rules still fall
> under the "One FP Gone" strategy where we eliminate these rules from
> the core on the first legitimate false positive report. (Eliminated IP
> rules prevent the IP from being added again except by manual
> override.)
> 
> I recommend that since your current EXPERIMENTAL weight is 20 and this
> group used to contain the EXP-IP rules which are now in group 60, you
> should rename your SNIFFER-GRAYMAIL to SNIFFER-EXP-IP and raise its
> weight to 20.
> 
> I recommend that you rename your SNIFFER-EXPERIMENTAL to
> SNIFFER-EXP-ABST. You could probably raise this group to a weight of
> 25 since it no longer contains the EXP-IP rules.
> 
> Hope this helps,
> _M
> 
> 
> 
> 
> 
> 
> This E-Mail came from the Message Sniffer mailing list. For information and
> (un)subscription instructions go to
> http://www.sortmonster.com/MessageSniffer/Help/Help.html




Re[2]: [sniffer] Rule Strengths

2004-07-31 Thread Pete McNeil
On Saturday, July 31, 2004, 3:32:46 PM, John wrote:

JTL> (Moved to list)

JTL> Thanks, got it.

JTL> These are my current lines, do I need to add others, or are the rules within
JTL> these codes? (I hold at 25 and delete at 35)

JTL> Is there a full list of codes on the web site?

JTL> SNIFFER-TRAVEL        external 04715  0
JTL> SNIFFER-INSURANCE     external 04815  0
JTL> SNIFFER-AV-PUSH       external 04915  0
JTL> SNIFFER-WAREZ         external 05025  0
JTL> SNIFFER-SPAMWARE      external 05130  0
JTL> SNIFFER-SNAKEOIL      external 05225  0
JTL> SNIFFER-SCAMS         external 05330  0
JTL> SNIFFER-PORN          external 05430  0
JTL> SNIFFER-MALWARE       external 05520  0
JTL> SNIFFER-ADVERTISING   external 05615  0
JTL> SNIFFER-SCHEMES       external 05725  0
JTL> SNIFFER-CREDIT        external 05825  0
JTL> SNIFFER-GAMBLING      external 05925  0
JTL> SNIFFER-GREYMAIL      external 06010  0
JTL> SNIFFER-OBFUSCATION   external 06115  0
JTL> SNIFFER-EXPERIMENTAL  external 06220  0
JTL> SNIFFER-GENERAL       external 06320  0

It looks like you have it covered.

There is a complete list here that we keep up to date:

<http://www.sortmonster.com/MessageSniffer/Help/ResultCodesHelp.html>

I note a few discrepancies.

56 you have as Advertising - ?? This has always been ink & toner and
printing supplies... perhaps that's what you mean. There is no general
advertising rule group - most spam is some kind of advertisement.

60 is now Experimental IP rules. The gray hosting rule group has been
retired and subsequent to that the Experimental IP rules were split
away from the Experimental Abstract rules. Further, the processes we
use to generate Experimental IP rules have changed quite a bit so that
this rule group is much less prone to false positives than before and
should continue to improve. Most IP rules are now added automatically
through verification with other services and our own automated tests
and then verified by a human. All Experimental IP rules still fall
under the "One FP Gone" strategy where we eliminate these rules from
the core on the first legitimate false positive report. (Eliminated IP
rules prevent the IP from being added again except by manual
override.)

I recommend that since your current EXPERIMENTAL weight is 20 and this
group used to contain the EXP-IP rules which are now in group 60, you
should rename your SNIFFER-GRAYMAIL to SNIFFER-EXP-IP and raise its
weight to 20.

I recommend that you rename your SNIFFER-EXPERIMENTAL to
SNIFFER-EXP-ABST. You could probably raise this group to a weight of
25 since it no longer contains the EXP-IP rules.

Hope this helps,
_M





