That's right. :-)
Heuristics for patterns are grouped by the spam that prompts us to generate them, or by how we created them. Most of the time they are at least close to classifying the type of spam. Each system that uses Message Sniffer is encouraged to specify adjustable weights for each rule group so that the results from the pattern matching tests can be "tuned" for the greatest accuracy on that system and according to it's unique mix of incoming spam and the users being served.
Declude is optimized to run the external test only once and allow the result code to be evaluated for all of the tests that define that external test... so in the example shown below sniffer would be called once and it's result code would be evaluated many times.
Message Sniffer will typically match many patterns in a given spam. Currently the voting system that decides the winning pattern match uses the following rule: Chose the first pattern match found with the lowest symbol.
Within the standard rulebase, rule groups are loosely grouped so that the least specific patterns have the largest symbols. The combination of these arrangements tends toward selecting the most specific pattern match available for a given message.
If anyone has other questions that are specific to sniffer then please feel free to contact us off list at our support@ sortmonster.com address.
Thanks,
_M
At 10:20 PM 12/3/2003, you wrote:
Brad, Sniffer does message based pattern matching (Pete, correct me if I am wrong). If you opt to separate the 20 or so tests that Sniffer currently supports, then you can set whatever weight you want to each individual test. Here is how I currently have the individual Sniffer tests defined in my global.cfg (License ID and Authentication Code obscured):
SNIFFER-WHITELIST external 000 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" -5 0 SNIFFER-TRAVEL external 047 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 07 0 SNIFFER-INSURANCE external 048 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0 SNIFFER-AV-PUSH external 049 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 07 0 SNIFFER-WAREZ external 050 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0 SNIFFER-SPAMWARE external 051 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0 SNIFFER-SNAKEOIL external 052 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0 SNIFFER-SCAMS external 053 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0 SNIFFER-PORN external 054 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 12 0 SNIFFER-MALWARE external 055 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 12 0 SNIFFER-ADVERTISING external 056 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0 SNIFFER-SCHEMES external 057 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0 SNIFFER-CREDIT external 058 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0 SNIFFER-GAMBLING external 059 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0 SNIFFER-GREYMAIL external 060 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 07 0 SNIFFER-OBFUSCATION external 061 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 12 0 SNIFFER-SPAM external 062 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 07 0 SNIFFER-GENERAL external 063 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 12 0
You would need to adjust the weights to fit your own needs. However, this will at least give you a starting point.
Bill
----- Original Message ----- From: "T. Bradley Dean" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, December 03, 2003 6:43 PM Subject: RE: [Declude.JunkMail] sniffer
How does Sniffer work?
Their web page says:
"In the best implementations allow you to assign a weight to each possible result code. Declude, mxGuard, and SpamAssassin are all good examples of systems that allow weights to be assigned to the result codes from Message Sniffer."
So if Sniffer says an email is porn spam then it gets a weight of 10, but if it's web hosting spam then it's 8? Does the weight differ depending on how confident Sniffer is?
What do these rules look like in Global.cfg on $Default$.junkmail?
~Brad
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith Sent: Tuesday, December 02, 2003 7:54 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] sniffer
Sniffer's well worth the $300.00 per year. That breaks down to less than $1.00 per day.
It catches content that some RBLs don't catch.
Mark
> -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Keith > Anderson > Sent: Tuesday, December 02, 2003 10:28 AM > To: [EMAIL PROTECTED] > Subject: RE: [Declude.JunkMail] sniffer > > > It's not worth paying the subscription fee, in my opinion. I have a > client that's paying for it, and it doesn't catch very much that isn't > already caught somewhere else. > > > I am considering Maps too. But it's $1500/yr. Anyone using them? > > > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > "unsubscribe Declude.JunkMail". The archives can be found at > http://www.mail-archive.com. >
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
