Hi Antony, I have an ongoing collection of Blacklists since Jan 1 ,2016. This way I would know how long it has stayed on the Blacklist.
"Dealing with email "after the event" (especially with regard to blacklists) will give you very different results from dealing with it as it happens, if for no other reason than the spam which you and lots of other mail admins receive is the very trigger which causes the IP address to go onto the blacklist." This the exact reason why I use Mailinator (which has some problems, refer previous mails in this thread), I get a live flow of mails. And I agree that there is no point evaluating my study on after the event mails. To evaluate the performance of my study I am using SA. On Tue, May 31, 2016 at 10:44 AM, Antony Stone < antony.st...@spamassassin.open.source.it> wrote: > On Tuesday 31 May 2016 at 15:47:56, Shivram Krishnan wrote: > > > I am using SA as an oracle for Blacklisting. Our research concerns with > > combining multiple sources of blacklist and also consider the historical > > importance of an IP in a blacklist to create a very effective master > > blacklist. > > > > Let me give you an example. > > Suppose an IP address 1.2.3.4 appeared on Jan 1 ,2016 in Blacklist A. > > 1.2.3.4 stayed on Blacklist A for about 12 hours. > > > > We have developed a system which assigns a score to 1.2.3.4. If the score > > allocated to 1.2.3.4 is high we include it in our Master Blacklist. > > > > To evaluate the performance of the master Blacklist in terms of hitrate > and > > false positives we plan to use SA. > > How do you plan to find out when 1.2.3.4 appeared on the blacklist, and how > long for, if you are not dealing with live mail flowing through a real mail > server? > > Dealing with email "after the event" (especially with regard to blacklists) > will give you very different results from dealing with it as it happens, > if for > no other reason than the spam which you and lots of other mail admins > receive > is the very trigger which causes the IP address to go onto the blacklist. > > I think you should try to show in advance that your methods, and what you > are > measuring, are a valid way of assessing spam from different addresses, in > order > for the study to be useful. > > > Regards, > > > Antony. > > -- > If you were ploughing a field, which would you rather use - two strong > oxen or > 1024 chickens? > > - Seymour Cray, pioneer of supercomputing > > Please reply to the > list; > please *don't* CC > me. >
