Lowest result code wins with Sniffer, 63 is the highest score currently, and these rules are going in a place where formerly they were only IPs, so you shouldn't need to adjust anything. I would imagine that refinement should improve accuracy in the IP rules, though I don't believe that it will be near perfect.

I do however want to voice my general and ongoing concern about automation and extracting IPs from spamtraps. This can be done, but one must be very careful to remove legitimate or compromised hosts, and most that don't bother to do so are even worse than SpamCop when it comes to listing ISPs and the like.

For a good picture of whether a host is spammy, one should also look at all of the good traffic, and make sure that there is a huge sample of data to work with. Alternatively, one should be checking for things such as the host being legitimate (does it answer with a name that matches the reverse DNS or HELO that it gave you, does it have "mail" in the name, etc.). Also, it makes sense to have different qualification mechanisms for zombie spam and static spammers since their heuristics are quite different and can be targeted more effectively and more accurately with mechanisms built to their patterns.

I do fear that automation of this sort, unless it is done in a very reserved manner (throwing out what can't be almost absolutely confirmed), will result in foreign hosts being caught, and large ISPs/e-mail providers much in the same way as they have been. CBL takes the reserved approach and is therefore much, much more accurate than SpamCop, yet their results aren't that far off the last I checked. CBL primarily targets zombies with their methods, and they do this because it is much easier to find a sign of an illegitimate host (that also hit a spamtrap).

Matt
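
One way to turn the reserved qualification Matt describes into code, as an added example that is not code from this thread or from Message Sniffer: it requires a large sample, throws out hosts with measurable good traffic, skips hosts whose reverse DNS forward-confirms and agrees with HELO or names a mail server, and only then separates zombie from static-spammer patterns. The thresholds, the HostStats fields and the DNS tables are assumptions constructed for the example.

```python
from dataclasses import dataclass

MIN_SAMPLE = 200        # assumed threshold: total messages seen before a host is judged
MIN_SPAM_RATIO = 0.98   # assumed: any measurable good traffic throws the host out

@dataclass
class HostStats:
    ip: str
    helo: str            # HELO name the host presented
    trap_hits: int       # messages that reached the cleanest spamtraps
    good_msgs: int       # messages accepted by real users without complaint
    distinct_helos: int  # zombies tend to rotate HELO names; static spammers do not

# Constructed DNS tables standing in for real reverse/forward lookups (offline example).
REVERSE = {
    "203.0.113.10": "mail.example.net",          # real mail server, possibly compromised
    "203.0.113.20": "host-20.dyn.example.org",   # dynamic pool
    "203.0.113.40": "bulk.example.com",          # rDNS does not forward-confirm
    "198.51.100.5": "smtp5.isp.example",         # ISP outbound relay
}
FORWARD = {
    "mail.example.net": "203.0.113.10",
    "host-20.dyn.example.org": "203.0.113.20",
    "bulk.example.com": "192.0.2.99",
    "smtp5.isp.example": "198.51.100.5",
}

def looks_legitimate(ip: str, helo: str) -> bool:
    """Checks from the thread: rDNS exists, forward-confirms, and either matches
    the HELO or names the box as a mail server."""
    rdns = REVERSE.get(ip)
    if rdns is None or FORWARD.get(rdns) != ip:
        return False
    name = rdns.lower()
    return name == helo.lower() or "mail" in name

def qualify(s: HostStats) -> tuple:
    """Return (decision, reason): 'list', 'skip' (never list) or 'hold' (need more data)."""
    total = s.trap_hits + s.good_msgs
    if total < MIN_SAMPLE:
        return ("hold", "sample too small to judge")
    if s.trap_hits / total < MIN_SPAM_RATIO:
        return ("skip", "measurable good traffic, likely a shared ISP or provider host")
    if looks_legitimate(s.ip, s.helo):
        return ("skip", "rDNS/HELO consistent with a real server, review as possible compromise")
    if s.distinct_helos > 3:
        return ("list", "zombie pattern: rotating HELO, no credible identity")
    return ("list", "static spammer pattern: stable identity, no good traffic")
```

Hosts that come back as "skip" for the compromise reason are the ones a human should look at rather than the bot listing them automatically.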



Jay Sudowski - Handy Networks LLC wrote:

There's been at least one FP ;)

----------
Rule - 861038
Name    F001 for Message 2888327: [216.239.56.131]
Created         2006-03-02
Source  216.239.56.131
Hidden  false
Blocked         false
Origin  Automated-SpamTrap
Type    ReceivedIP
Created By      [EMAIL PROTECTED]
Owner   [EMAIL PROTECTED]
Strength        2.08287379496965
False Reports   0
From Users      0
[FPR:B]

The rule is below threshold, and/or badly or broadly coded so it will be
removed from the core rulebase.
------------

My concern with automated IP rule coding is that we use Sniffer because
it's extremely accurate.  Coding rules linked to IPs, particularly IPs
that are used by google or any large ISP to send large amounts of
(mostly legitimate) email is contrary to what Sniffer is great at, which
is tagging spam that no one else is.

Is response code 63 going to be utilized for any other purposes?  If
not, I will let Declude know to weight these responses lower than normal
Sniffer.

- Jay

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, March 06, 2006 3:00 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New Rulebot F001

Hello Sniffer folks,

 The first of the new rulebots is coming online.

 Rulebot F001 creates IP rules for sources that consistently fail
 many tests while also reaching the cleanest of our spamtraps.

 The rules will appear in group 63.

 The bot is playing catchup a bit (since there have been few IP rules
 at all since we disabled the old bots).

 The algorithms used in this bot have been tested manually for 2
 weeks with no false positives.

 Expect an increase in your rulebase size while F001 catches up with
 current spamtrap data.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)


This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
