Richard Stupek wrote:
A question about using the XCI <bad> command. Assume an email passes through sniffer and does not trigger any rules; I then run it through and determine it is in fact spam. I send a <bad> command to let sniffer know the IP address had a bad event. Won't the <good> event that would occur due to the spam passing through nullify the bad event?

It won't nullify it, but it will balance it off.

 Should I post 2 bad events for each mail that is caught after sniffer?

That may actually work against you because each event increases the confidence figure. One of the surprises we discovered as we began deploying GBUdb was that some legitimate sources can produce spam at rates well above 85%!! In order to avoid false positives our conservative settings have to be extremely high. They can be adjusted by each system administrator but this is not commonly done (yet) as far as I know.

http://www.armresearch.com/support/articles/technology/GBUdb/referenceSettings.jsp

We have researched this "event rewrite" scenario and have discussed creating "flip" and "flop" events to switch good events to bad and bad events to good respectively.

In the meantime you can simulate that functionality by using the test and set functions.

Test the IP to get the good and bad count data. Then calculate the values you want to see by subtracting a point from the good event count and adding a point to the bad count. Then set the counts for the IP with the new values.

http://www.armresearch.com/support/articles/software/snfClient/commandLine.jsp#performIPTesting

http://www.armresearch.com/support/articles/software/snfClient/commandLine.jsp#updateGBUdb

Best,

_M
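The test-and-set workaround described in the reply above, as an added example that is not part of the original thread and not ARM Research's snfClient code. It models a GBUdb record as a pair of good/bad counters, applies the "flip" (subtract one good, add one bad) to a record after a spam message has slipped through, and sets it beside the two alternatives the thread discusses (posting one <bad>, which only balances the good event, and posting two, which adds more events and so more confidence). The line formats used for the test result and the set command are constructed stand-ins, not the real XCI syntax; check the actual syntax against the command-line reference linked above before using this against a live system.

```python
"""Simulate the GBUdb test-and-set 'flip' from the mailing-list reply.

Assumptions (hypothetical, not the real XCI/snfClient wire format):
  * a test result is modelled as a line  "ip=<addr> good=<n> bad=<n>"
  * a set command is rendered as         "set ip=<addr> good=<n> bad=<n>"
"""
import re
from dataclasses import dataclass, replace

# Constructed test-result format; the real snfClient output differs.
TEST_LINE = re.compile(r"ip=(?P<ip>[\d.]+)\s+good=(?P<good>\d+)\s+bad=(?P<bad>\d+)")


@dataclass(frozen=True)
class GBUdbRecord:
    """Per-IP good/bad event counters (simplified model of a GBUdb record)."""
    ip: str
    good: int
    bad: int

    @property
    def events(self) -> int:
        # Total events seen. The reply says confidence rises with every event,
        # so this is the figure to watch (a stand-in, not GBUdb's own formula).
        return self.good + self.bad

    @property
    def bad_ratio(self) -> float:
        # Fraction of events that were bad; 0.0 for an IP with no history.
        return self.bad / self.events if self.events else 0.0


def parse_test_result(line: str) -> GBUdbRecord:
    """Parse a (constructed) test response line into a record."""
    m = TEST_LINE.search(line)
    if not m:
        raise ValueError(f"unrecognised test result: {line!r}")
    return GBUdbRecord(m["ip"], int(m["good"]), int(m["bad"]))


def record_good(rec: GBUdbRecord) -> GBUdbRecord:
    """A message passing through without triggering a rule: one good event."""
    return replace(rec, good=rec.good + 1)


def record_bad(rec: GBUdbRecord, n: int = 1) -> GBUdbRecord:
    """Post n <bad> events for the IP."""
    return replace(rec, bad=rec.bad + n)


def flip_good_to_bad(rec: GBUdbRecord) -> GBUdbRecord:
    """The workaround: rewrite the record as if the good event had been bad."""
    if rec.good == 0:
        # Nothing to take back; never drive the good count negative.
        return replace(rec, bad=rec.bad + 1)
    return replace(rec, good=rec.good - 1, bad=rec.bad + 1)


def format_set_command(rec: GBUdbRecord) -> str:
    """Render the set command that pushes the adjusted counts back (constructed syntax)."""
    return f"set ip={rec.ip} good={rec.good} bad={rec.bad}"


def compare_strategies(test_line: str) -> dict:
    """Apply the three options from the thread to one missed spam and return the outcomes."""
    before = parse_test_result(test_line)
    after_pass = record_good(before)           # spam slipped through: +1 good
    return {
        "before": before,
        "one_bad": record_bad(after_pass, 1),  # balances the good event, +2 events
        "two_bad": record_bad(after_pass, 2),  # overshoots and adds 3 events
        "flip": flip_good_to_bad(after_pass),  # test, adjust, set: +1 event only
    }


if __name__ == "__main__":
    # Constructed sample record for a documentation-range address.
    outcome = compare_strategies("ip=192.0.2.10 good=8 bad=2")
    for name, rec in outcome.items():
        print(f"{name:8s} good={rec.good:2d} bad={rec.bad:2d} "
              f"events={rec.events:2d} bad_ratio={rec.bad_ratio:.3f}")
    print(format_set_command(outcome["flip"]))
```

With the sample record (8 good, 2 bad), the flip leaves the IP at 8 good and 3 bad, which is exactly what the record would have held had the message been counted as spam in the first place; posting two <bad> events instead leaves 9 good and 4 bad and three extra events of confidence.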


#############################################################
This message is sent to you because you are subscribed to
 the mailing list <sniffer@sortmonster.com>.
To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
Send administrative queries to  <sniffer-requ...@sortmonster.com>
