[normally I avoid replying to everyone this far along, but this dialog appears to
still have broader value]
_M,
Ah, 70% of all mail is spam. Last time I checked, I was running over 60%; both are
high numbers compared to others I've seen, in the 35-45 range. The major difference
between the domains I've seen that would affect this amount is the number of years the
domains have been live/active. I understand your concerns ("For obvious reasons I
cannot disclose how we develop our spam traps"), how long (months/years) does it
generally take an exposed spamtrap to mature into a useful one?
>Typically the 8% not captured is made up of multiple copies of new spam in
>its early phases of deployment. We have been increasing our update rates to
>compensate as our user base grows to support the extra effort.
Of this 8%, what proportion are pros needing domain/IP blocks, and what proportion
are amateurs needing things more like content filters? When I first started, the
amateurs (yahoo.com, hotmail.com, and the like) were much harder to block but now that
I've countered most (not all) of their tactics, it's the pros that push through with
their new domains and IPs.
>For example, we
>once had a rule that would capture any numbered web link - unfortunately we
>discovered that a few legitimate lists will use numbered web links from time
>to time - so now we only filter for abstracted, specific web links with good results.
Good example, I did the same thing, only in reverse. I started with simplistic blocks
for just http://207. and http://61, noting that these are Asian-based servers. Since
then it has grown to include other class A ranges and generic domains, but is wielded only
within a weighted system.
>It is important to note that these statistics have
>no indication toward false positives.
>We do have a very low reported rate of false positives from our user base.
>Typically less than 4 false positives reported for every 6 days of operation
>across the entire userbase of more than 100 systems (so far). This reflects
>what a "tuned" system's false positive rate can be.
Yes, though their simplicity is part of their appeal, it's simply a way to gather fresh
samples and see if the 'old' tests still work. My next step in the battle against FPs
will be having 2 Declude servers, one to build new tests on and weed out FPs using
domains that can afford them, then another with domains that get less monitoring and
need a higher level of care. 4 per week is amazingly low, but clearly shows what you
mean by tuned, may I ask how many months/years it took to get there?
>A "tuned" system is one
>that also takes into account white-list entries as required for the needs of
>that local system.
My use of whitelisting is a bit different. Rather than using it to avoid FPs, I've
let the FPs pile in, sometimes from the same domain for months, then cutting back the
teeth on the filters, refining them. Whitelisting gets used only when making that cut
back would significantly weaken the filters in a way I consider too much; letting the
bad newsletter through so the similarly appearing spam does not.
>The chief error in this metric is that there is no control on how many false
>positives occur that may not be reported.
How easy is it for your customers to monitor/review what gets caught?
>Currently, the
>one-size-fits-all system is designed not to be too strict for small ISPs
>while still being strict enough for most small corporate offices.
Do you see then, a difference between the kind of mail small businesses get and the kind
individual ISP customers get? If so, can the difference be defined, the nature of use
or type of email received?
>In the mean time Declude offers all of the additional flexibility required
>to tune this model for each local system.... Declude is by far the most flexible
>we've seen
Agreed, and it doesn't hurt that its creator is ready, able, and willing to adapt it
as issues arise. Does your comment (tune this model) indicate you run separate
configurations for different types or styles of customers?
>Implementing good spamtraps is a difficult, time consuming process that
>requires both skill and secrecy. If done badly you will receive messages
>that are not unsolicited and you may have spammers abuse your spamtraps and
>mail systems to prevent you using them ... all sorts of ugly things can happen.
Ironically, it was my early attempts to combat spam that really burned my address. I
made thousands of reports to ISPs the world over, many of whom forwarded my complaints
to the spammers in question, who in turn were not shy about polluting my address
further. It's a bit ironic that having gone through everything since, my total amount
of spam (that gets through) is now, despite all of that, much less than that first
time I looked at a header. I still have the 200 or so replies from ISPs telling me
they'd cancelled accounts. Ahh, the good ol' days...
Thanks
Dan
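
Added example, not part of the message above and not Declude configuration: a sketch of the difference the thread describes between hard-blocking every numbered web link and counting such a link as one weighted test among several. The weights, threshold, function names and sample bodies are all constructed assumptions.

```python
import ipaddress
import re

# Constructed weights and threshold, for illustration only.
URL_HOST = re.compile(r"https?://([^/\s:>\"']+)", re.IGNORECASE)
PREFIX_WEIGHTS = {"207.": 4, "61.": 4}  # the two prefixes named in the message
GENERIC_NUMERIC_WEIGHT = 2              # any other numbered link
HOLD_THRESHOLD = 10                     # total weight at which mail is held


def numbered_link_weight(body):
    """Return the highest weight earned by a numbered (IP-literal) web link."""
    best = 0
    for host in URL_HOST.findall(body):
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            continue  # a named host, not a numbered link
        weight = GENERIC_NUMERIC_WEIGHT
        for prefix, prefix_weight in PREFIX_WEIGHTS.items():
            if host.startswith(prefix):
                weight = prefix_weight
        best = max(best, weight)
    return best


def score(body, other_test_weights=()):
    """Add the numbered-link weight to weights already assigned by other tests."""
    return numbered_link_weight(body) + sum(other_test_weights)


def verdict(body, other_test_weights=()):
    """Hold only when the combined weight reaches the threshold."""
    if score(body, other_test_weights) >= HOLD_THRESHOLD:
        return "hold"
    return "deliver"


# Constructed sample bodies: a legitimate list that happens to use a numbered
# link, and a spam body that also trips other (hypothetical) tests worth 7.
NEWSLETTER = "This week's digest: http://207.0.2.10/list/issue42.html"
SPAM = "Act now http://61.0.2.77/offer"

if __name__ == "__main__":
    print(verdict(NEWSLETTER))      # numbered link alone stays under threshold
    print(verdict(SPAM, (7,)))      # numbered link plus other tests is held
```

A hard block on the same pattern would have stopped the constructed newsletter; under weighting, the numbered link only matters when other tests agree.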