Where can I find examples of using "exit codes" to assign different weights depending on groups, when using sniffer with declude/imail?
TIA





----- Original Message -----
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jim Matuska" <[EMAIL PROTECTED]>
Sent: Thursday, December 02, 2004 9:59 PM
Subject: Re[2]: [sniffer] Test ordering/precedence



On Thursday, December 2, 2004, 4:15:43 PM, Jim wrote:

JM> Pete,
JM> We have rules set up in declude based upon sniffer return codes 60 and 62 to
JM> mark all messages with those tests as spam, however we do not have any 61 or
JM> 62 return codes set up. Can you briefly explain what each of these groups
JM> includes and a false positive rate for each.


The false positive rates for all of these rule groups have fallen
dramatically over the past 8 months and at this point they are all
comparable. Different systems see different rates, but all rates are
low.

Group 63 - Experimental Received [IP] - contains rules that match
Receive headers by IP. These are now largely generated by robots which
monitor inbound spamtrap and usertrap data and then test those
sources. This group used to provide the second largest rate of false
positives. The rate now is roughly the same as any other group.

Group 62 - Obfuscation - contains rules built to detect obfuscation
techniques. Internally this group breaks down into a number of
sub-groups which detect unnecessary URL encoding, HEX encoding, and
HTML obfuscation patterns.

Group 61 - Experimental Abstract - contains rules that are designed to
recognize data patterns and structures found in spam. For example,
errors in headers combined with message structures, misspellings,
unusual uses for table and HTML structures or message segments, and
other abstract patterns that result from the use of scripting engines
to generate polymorphic spam.

Note: Group 60 was Gray-Hosting many months ago. That group was
retired and then reused. Now it is being renumbered again.

Group 60 - General (Ungrouped) - contains many of the same kinds of
rules found in other groups, but particularly those which cannot be
accurately categorized there. For example, fake diploma spam. These
rules are largely text segments, domains, URI/URL segments, and
structures (much like those found in group 61).

Hope this helps,
_M



This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html



