Hi Pete,
 
You're exactly right, but we often get spoiled by the high quality of your detection rate.  It's easy to expect perfection when it means less work for us <g>.
 
Thanks for all you do to keep the quality so high.

Darin.
 
 
----- Original Message -----
Sent: Tuesday, October 17, 2006 8:42 AM
Subject: [sniffer] Re: Significant increase in false positives

Hello Computer,


Monday, October 16, 2006, 11:09:03 PM, you wrote:


> Dear Pete,
>
> Sniffer blocked 35,000 messages today, and roughly 7200 of them were blocked by the 1174356 rule.
>
> Do you think many of these were false positives? Do you know a way of searching through 35,000 Imail messages to find the FPs?
>
> What would you suggest in this situation?



This was not a bad-rule alert or rule-panic situation. Most of these messages were probably NOT false positives. The rule does have a higher rate than is acceptable (so it was dropped), but it doesn't catch every message with an image, and it does catch primarily image spam.


If I felt strongly about researching this there would be 7200 to look through (not 35000) and I would probably only look through those that failed no other tests or were below some very low weight threshold otherwise - that would probably bring the number down into a range < 100 messages (based on what I've seen reported). 


[ Educated guess items: > 80% of content is usually spam. On weekends this number is higher. This weekend there were some new, aggressive image spam campaigns - so the number of spam captured by a rule like this would be higher than normal rather than lower. The rule was essentially in place only during the weekend and only received FP reports late Sun through early Mon and some systems have reported no discernable increase in false positives during this period. 20% of 7200 is close to 150, so the conservative number likely not to be spam in that group is less than that (due to the weekend) so approximately 100 seems reasonable. If there are FPs then it is likely they failed no other tests. ]


Hope this helps,


_M


-- 

Pete McNeil

Chief Scientist,

Arm Research Labs, LLC.
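
Added example, not part of the original thread and not Sniffer or IMail code: one way to script the narrowing described above, keeping only messages hit by rule 1174356 whose other failed tests add up to little or no weight. The CSV layout, test names, weights and the second rule number are constructed for illustration; a real export would need its own parser.

```python
import csv
import io

RULE_ID = "1174356"       # rule named in the thread
SNIFFER_TEST = "SNIFFER"  # assumed name of the Sniffer test in the export

# Constructed sample, one row per (message, failed test).
# This is NOT a real Sniffer/IMail log format; rule 2290001 is made up.
SAMPLE = """\
msg_id,test,rule,weight
m001,SNIFFER,1174356,10
m001,SPAMCOP,,8
m002,SNIFFER,1174356,10
m003,SNIFFER,1174356,10
m003,HELOBOGUS,,2
m004,SNIFFER,2290001,10
m005,SNIFFER,1174356,10
m005,SPAMCOP,,8
m005,HELOBOGUS,,2
"""


def load(text):
    """Parse the constructed CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def review_candidates(rows, rule_id=RULE_ID, max_other_weight=3):
    """Return sorted msg_ids hit by rule_id whose *other* failed tests
    sum to at most max_other_weight (0 means "failed no other tests")."""
    hit = set()   # messages the rule under review fired on
    other = {}    # msg_id -> total weight of every other failed test
    for row in rows:
        mid = row["msg_id"]
        if row["test"] == SNIFFER_TEST and row["rule"] == rule_id:
            hit.add(mid)
        else:
            other[mid] = other.get(mid, 0) + int(row["weight"])
    return sorted(m for m in hit if other.get(m, 0) <= max_other_weight)


if __name__ == "__main__":
    for mid in review_candidates(load(SAMPLE)):
        print(mid)  # message IDs worth a manual false-positive check
```
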
