My problem has now become more of an issue with false positives, mostly with opt-in advertising, automated information updates and newsletters, with the former two being somewhat mission critical for many of my customers. I'm at a point where adjusting the scoring to allow one problematic sender in results in as many as 100 spams getting through as well, and at the same time, the spam that is being sent is getting better at passing the tests, maybe because they are using zombie relays.
So I'm looking at heuristics now, Alligate and Message Sniffer, in order to help solve the problem. I've started testing Alligate as of yesterday, and frankly, I'm not that impressed when it comes to enhancing Declude. Some of my observations are as follows:
1) Many of the RFC-related tests that Declude does seem to be done in Alligate as well, but there seems to be no easy way to fine-tune them. This results, for instance, in a Base64 message failing two tests instead of just one (yes, this is an issue for one sender). Is it advised to turn off similar functionality in Declude and just rely on Alligate?
2) Alligate absolutely hates almost anything that is automated. Opt-in advertising, automated information updates and newsletters are more problematic with Alligate as it would appear. I would think that this company would have a whitelist of sorts that covered all the medium-large players, but it doesn't appear that way (maybe because it's a newer service).
3) I'm using built-in IIS 4.0 functionality to generate E-mail from scripts (CDONTS), and Alligate pretty much barfed on someone's valid resume submission, scoring it a 65 for failing just one test, "Bogus envelope information." I'm thinking that this is because the mail is sent with the user-provided E-mail address, and that shouldn't need to be changed. This is unacceptable.
4) I've noted in going over the rejections that it frequently scores messages very high for adult content despite the message having no such content. This worries me about the accuracy and weighting that they are using.
So the end result seems that in order to protect from false positives, I've had to turn down several scores from the core Declude tests, and that doesn't provide any real enhancement. I would imagine that with some fine tuning, removing tests that are repeated, I could improve detection slightly, but my gut tells me it isn't worth it at this point. I'm hoping that others here could confirm my observations and provide any guidance if you feel it is salvageable. I have seen the recommendation for the variable scale that another member posted, and that should help.
I'm also about to start testing Message Sniffer (after Alligate) so that I can determine which one of the two, if either, will be purchased and installed. Any feedback about that application in comparison, the accuracy, and the isolation from Declude's own tests would be appreciated. I'm under the belief that pure heuristics with an integrated blacklist is really what's needed.
Thanks,
Matt
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
