On 10/10/2009 08:55 PM, João Gouveia wrote:
Hi Warren,

If you don't mind me asking, how does this kind of comparison take into
account the dynamic nature of zombie infected machines? For example, an
IP address may be infected at some point, and be listed in XBL, but
later the client IP address changes (e.g. new DHCP lease) or simply gets
"cleaned" and eventually expires from XBL. If I remember correctly,
these comparisons are made using a spam/ham corpus that doesn't change
that often. Wouldn't that cause FPs or FNs that in a real time scenario
would not show up?

Right, these results are not entirely precise to reflect how these blacklists behave right at this very moment. It is impressive, however, that despite PSBL or XBL listing current active abusers, their numbers demonstrate very high safety ratings.

If you look at the ruleqa URL and click on those individual rules you can see how well those rules worked for the past week and 2nd week. Those counts are closer to current results.

Warren Togami
wtog...@redhat.com
