2 thoughts from me:
1. Right on on the Nigerian scams, possible keeping these rules longer. As I was
forwarding out a Nigerian scam to the spam mailbox, I too wondered how long the
Nigerian rules were kept in play. I might also add Nigeria's twin sister the
International Lottery spam and Stock Spams might also be kept longer. I noticed an
increase in the Stock spams this week.
2. I've been tracking different character sets for a couple of weeks, the Chinese,
Cyrillic and Korean look promising. I get false hits on Greek, Thai, and Vietnamese
Headers.
Scott Fisher
Director of IT
Farm Progress Companies
>>> [EMAIL PROTECTED] 05/21/04 12:42PM >>>
Pete,
Our Hold range has returned to more normal territory on Thursday.
Here's the stats from the week as a whole on what has been very
consistent traffic. Out of all E-mail processed, both good and bad, the
%Hold represents what scored between 10-24 points on our system and
needed review, the %Sniffer represents all Sniffer hits except for Gray,
the %Spam is what we scanned and didn't deliver (generally about 99.8%
of spam is caught at a score of 10 which this is based on), and the
Sniffer/Spam is the percentage of Sniffer hits as a portion of messages
scoring 10 or more.
Day %Hold %Sniffer %Spam Sniffer/Spam
Mon: 1.86% 77.27% 80.37% 96.14%
Tue: 2.83% 74.53% 79.37% 93.39%
Wed: 2.13% 77.60% 79.66% 97.41%
Thur: 1.95% 76.50% 80.66% 94.84%
The only change that we made to our system was to add two smaller
domains later in the week, and we introduced filters for Cyrillic and
Chinese languages on Wednesday morning which have cut our hold file down
by 0.38 percentage points on Thursday, which explains how our %Hold is
lower on than on Wednesday with a lower Sniffer hit rate on spam.
I did note two high volume untagged static spammers on Tuesday that we
blacklisted locally, and that combined with the increase in Sniffer
change rates (spam storm) might account for the changes that I saw. I
am wondering though about the recommendations that you have made for
possibly fine tuning our rule base. Again though, please keep in mind
that I still feel that performance is overall very, very good.
One of my thoughts regarding minimum rule strengths and grace periods is
that all groups aren't necessarily the same. For instance Nigerian
scams are low volume and sporadic, and my system performs the worst on
these things. Maybe lower rule strengths and longer grace periods makes
much more sense for the Phishing category than it does for many other
categories for instance. Is that possible?
I also looked up the rule strengths on your site and found that about
50%, or maybe more, have a strength below 1, and maybe lowering that is
worth testing out so long as I don't massively increase the number of
records. I do think though that I would like to test out extending the
grace period. Most of my false positives are not on things that this
would affect, and that might give niche sources a little extra coverage
if I understand things correctly.
I'll follow your directions and contact you directly regarding any
affirmative changes, but I thought it might be beneficial to keep this
discussion public since some other stats hounds might find this
information to be of use :)
If you can glean anything from the numbers that I gave you, please add
your thoughts.
Thanks,
Matt
Pete McNeil wrote:
> At 05:00 PM 5/19/2004, you wrote:
>
> <snip/>
>
>> I haven't yet upgraded to the most recent release, I'm still on the
>> prior beta. I'll probably do that this evening. I tend to wait on
>> upgrades until there has been enough time for bugs to surface unless
>> I am already looking for a fix. I'm sure that the extra verification
>> of the rulebase will help prevent the potential of problems, and I
>> guess this has the possibility of being caused by a bit of corrupted
>> data, though that's probably reaching.
>
>
> There were no substantive changes from the beta to the production
> version. Largely just a removal of monitoring code.
>
>> Again, regardless if there was a blip, Sniffer still does a wonderful
>> job of tagging lots and lots of E-mail, just not quite as much as the
>> day before.
>
>
> Last night I was able to adjust the rule strength analysis window back
> to it's original settings. About 5 days of data were lost - but those
> days will be recovered quickly. Please let me know if this adjustment
> improved your conditions.
>
> I've noted that on a number of other lists there seem to be posts
> about a sudden increase in spam over the past few days. We are
> definitely seeing this also - approximately a 25% or more increase in
> new rule additions in the past 4 days:
>
> http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp
>
> Specifically note from about 4 days ago...
>
>
>Days Ago Adjustments
>-------- -----------
>
>0 356
>1 508
>2 391
>3 410
>4 410
>5 326
>6 309
>7 371
>8 292
>9 347
>10 309
>
>
>
> ( 5-10 : 1954/6 -> 325.67, 0-5 : 2075/5 -> 415, 325.67/415 -> 78.47 )
> Note that day 0 is not complete. So applying a "fudge factor" 78.4
> _looks like_ 75%.
> Besides, 92% of statistics are made up on the spot anyway %^b
> I think a number of things are combined here... I just want to get a
> good handle on them and make sure we are doing the best we can.
>
> I've noted, Matt, that your rulebase tuning parameters are set at the
> defaults. If you would like to adjust these to be more aggressive then
> please let me know off list (support@). More aggressive settings will
> keep more rules active in your rulebase at lower strengths and will
> also allow new rules more time to gain strength before being
> evaluated. Respectively the current defaults are:
>
> Minimum Rule Strength: 1.0
> Grace Period: 5 days.
>
> Adjusting these settings can significantly increase the size of your
> rulebase file.
>
> Best,
> _M
>
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
