Well, I guess I will ruffle "someone's" feathers again with my response here, but like your original message, I think we need to be honest here. This is not a message sniffer 'popularity' contest after all, we are paying customers and need to ensure SNF causes no False Positives.
Over the last few months, I've seen more and more false positives from Message Sniffer. The few that I sent to their FALSE address have always been challenged as legitimate. It's difficult at best for me to believe that our Local Newspaper and other legitimate sites that are classified by the SNF "EXPERIMENTAL-IP" rule are solid. As a result, I've constructed SA rules to counteract SNF False Positives. It got so bad within the last two weeks or so that I completely disabled SNF lookups to avoid complaints from our users.

To add insult to injury, last year they drastically upped the service price. Now my subscription is up for renewal. I am honestly thinking of NOT renewing it. IMO, seems that things have gone downhill since ARM bought the little company that could.... Couple that with two years' worth of promises to update the MDaemon Plugin code, and all the various improvements that Spam Assassin and SARE rulesets have made... well I question if it's worth the inflated cost anymore.

Shoot away Sniffer "Cheer-leaders"... at least I am being honest.

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Thursday, December 28, 2006 1:26 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Rules for Large International ISPs

Hi Pete,

Thanks. Let me apologize for the accusatory tone of my message. Someone pointed out to me that my annoyance made me cross the line of being offensive.

I would suggest to add some intelligence to the bot F001, where it compares implicated address ranges against a table of "excepted IPs", which you would build over time (or use some public sources of known-good IP ranges to get a start).

I understand the reporting rate of false positives is low. But that may just be because most false positives simply are never reported. In my case, I couldn't use Sniffer to block outright - so for years I never worried much about false positives.
Only very recently, I have tightened some weights AND I have improved the "reporting" to the point that it's now easier for me to spot certain false positives and have started to report them more consistently. Yet, I only review ONE out of a thousand mail boxes and many hundreds of domains - so chances are a large number of false positives are never even noticed by me on a daily basis (and I'm a very small operation).

So - the FP rates might be misleading, because they only reflect REPORTED FPs - no one knows how tiny or possibly how huge UNREPORTED FPs might be. Consequently, it may be worthwhile to improve F001 as mentioned before.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, December 28, 2006 12:04 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Rules for Large International ISPs

Hello Andy,

Thursday, December 28, 2006, 10:34:15 AM, you wrote:

> Hi,
> This morning I had to file two false positive reports because emails
> from Wanadoo.FR and UOL.COM.BR were triggering "SNIFFER-IP".
> I don't know if this is a coincidence or if this is a worrisome new
> trend

<snip/>

Our IP rule coding policies have not changed in quite some time and the false positive rates for IP rules have dropped significantly since the last change. IP rules are now coded only by a specialized bot which has very strict rules and looks only at clean spamtraps for recurring abuse.

> 20061228150347 16 0 Match 799799 63 1 48 75
> 20061228150347 16 0 Final 799799 63 0 1744 75

The above rule had been in place for 346 days without any false positive reports. The rule was coded by the previous robot and at the time was verified by 3 additional blacklists.
> 20061228110558 15 16 Match 1235160 63 1 46 73
> 20061228110558 15 16 Final 1235160 63 0 2980 73

This was coded by the new bot (F001) approximately 28 days ago - no prior false positives.

IP rules are currently coded by the F001 bot based on direct, repeated observations at clean spamtraps. IP rules are excluded on the first false positive report so that they cannot be reactivated without direct human intervention.

It is not practical for us to keep tabs on, nor deeply research every possible IP that may be used by any large (or otherwise) ISP. Instead we have the above policy and very strict observational rules to prevent the addition of IPs that are likely to produce significant legitimate traffic and to quickly and permanently remove IPs that cause false positives. (some exceptions, of course, apply).

It is inevitable that there will be a nonzero error rate - but that error rate is demonstrably small given our current process, and we are constantly researching and developing techniques to improve on that rate.

Hope this helps,

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

#############################################################
This message is sent to you because you are subscribed to
the mailing list <sniffer@sortmonster.com>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
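The two ideas discussed in this thread, a table of "excepted IPs" consulted before an IP rule is coded and permanent exclusion of an IP on its first false positive report, can be combined in one gate. The sketch below is an added example, not Message Sniffer or F001 code; the class and method names, the hit threshold and the address ranges are assumptions, since the thread gives none of them.

```python
import ipaddress
from collections import Counter

# Assumed values (constructed): the thread states no threshold or ranges.
MIN_TRAP_HITS = 3
EXCEPTED_RANGES = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "2001:db8:10::/48")]


class IpRuleGate:
    """Hypothetical gate deciding which source IPs may carry a blocking rule."""

    def __init__(self, excepted=EXCEPTED_RANGES, min_hits=MIN_TRAP_HITS):
        self.excepted = list(excepted)
        self.min_hits = min_hits
        self.hits = Counter()   # spamtrap observations per IP
        self.active = set()     # IPs with a live rule
        self.excluded = set()   # IPs pulled after a false positive report

    def _is_excepted(self, ip):
        # Compare only same-family networks (IPv4 vs IPv6).
        return any(ip.version == net.version and ip in net
                   for net in self.excepted)

    def observe_spamtrap_hit(self, addr):
        """Record one spamtrap observation; True if a rule is active afterwards."""
        ip = ipaddress.ip_address(addr)
        if ip in self.excluded or self._is_excepted(ip):
            return False        # never coded, however often it is seen
        self.hits[ip] += 1
        if self.hits[ip] >= self.min_hits:
            self.active.add(ip)
        return ip in self.active

    def report_false_positive(self, addr):
        """First report removes the rule and blocks automatic re-coding."""
        ip = ipaddress.ip_address(addr)
        self.active.discard(ip)
        self.hits.pop(ip, None)
        self.excluded.add(ip)

    def reinstate(self, addr, approved_by):
        """Only a named human reviewer can lift an exclusion."""
        if not approved_by:
            raise ValueError("reinstatement requires a named reviewer")
        self.excluded.discard(ipaddress.ip_address(addr))

    def is_blocked(self, addr):
        return ipaddress.ip_address(addr) in self.active
```
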