As one of the earlier testers who helped develop the variable scale of Alligate, I can understand your position. I have a client that gets a lot of e-mail from the Far East and a lot of bcc broadcasts and lists. Many of these show elements of spam, but are legit. That is what makes it hard.

There are a number of adjustments available in Alligate. You might want to look over my config file I posted earlier today. One thing I do for this specific issue is I use 2 programs. One is Match, which is very simple but does need to be revised. The other is AutoWhite. A 30 demo of AutoWhite is available at www.eservicesforyou.com/products/autowhite.html. Match is free.

While everyone can have a unique setup, please let me know if you would like to spend some time going over the possible configurations in Alligate.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Matthew Bramble
> Sent: Wednesday, August 20, 2003 1:20 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?
>
> I've been a Declude Virus and JunkMail customer for about a year and a
> half now. At first the spam blocking was just something that only a few
> of my ~250 users (hosting) found beneficial, but in the last 6 months I
> have had to continually push the limits with the tests in order to keep
> it from overwhelming real E-mail. I've been asked by several customers
> in the last few months if there is anything that I can do about the
> spam...and my reply is that we are already blocking +80% of all E-mail
> coming into the server (no kidding, I've run the stats, Sobig.F is
> making it even worse).
>
> My problem has now become more of an issue with false positives, mostly
> with opt-in advertising, automated information updates and newsletters,
> with the former two being somewhat mission critical for many of my
> customers. I'm at a point where adjusting the scoring to allow one
> problematic sender in results in as many as 100 spams getting through as
> well, and at the same time, the spam that is being sent is getting
> better at passing the tests, maybe because they are using zombie relays.
>
> So I'm looking at heuristics now, Alligate and Message Sniffer, in order
> to help solve the problem. I've started testing Alligate as of
> yesterday, and frankly, I'm not that impressed when it comes to
> enhancing Declude. Some of my observations are as follows:
>
> 1) Many of the RFC related tests that Declude does seem to be done in
> Alligate as well, but there seems to be no easy way to fine tune them.
> This results for instance in a Base64 message failing two tests instead
> of just one (yes, this is an issue for one sender). Is it advised to
> turn off similar functionality in Declude and just rely on Alligate?
>
> 2) Alligate absolutely hates almost anything that is automated. Opt-in
> advertising, automated information updates and newsletters are more
> problematic with Alligate as it would appear. I would think that this
> company would have a whitelist of sorts that covered all the
> medium-large players, but it doesn't appear that way (maybe because it's
> a newer service).
>
> 3) I'm using built in IIS 4.0 functionality to generate E-mail from
> scripts (CDONTS), and Alligate pretty much barfed on someone's valid
> resume submission, scoring it a 65 for failing just one test, "Bogus
> envelope information." I'm thinking that this is because the mail is
> sent with the user provided E-mail address, and that shouldn't need to
> be changed. This is unacceptable.
>
> 4) I've noted in going over the rejections that it frequently scores
> messages very high for adult content despite the message having no such
> content. This worries me about the accuracy and weighting that they are
> using.
>
> So the end result seems that in order to protect from false positives,
> I've had to turn down several scores from the core Declude tests, and
> that doesn't provide any real enhancement. I would imagine that with
> some fine tuning, removing tests that are repeated, I could improve
> detection slightly, but my gut tells me it isn't worth it at this
> point.
> I'm hoping that others here could confirm my observations and
> provide any guidance if you feel it is salvageable. I have seen the
> recommendation for the variable scale that another member posted, and
> that should help.
>
> I'm also about to start testing Message Sniffer (after Alligate) so that
> I can determine which one of the two if either will be purchased and
> installed. Any feedback about that application in comparison, the
> accuracy, and the isolation from Declude's own tests would be
> appreciated. I'm under the belief that pure heuristics with an
> integrated blacklist is really what's needed.
>
> Thanks,
>
> Matt
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
