Personally I hold at 10, 13, or 16 (High, Medium or Low) and drop at 25. I'm not a fan of marking the subject lines for delivered messages.

If you work hard to keep all of your false positives below 25, you can then monitor this range with a fair amount of ease, and you will need to do that anyway in order to adjust your system. On my system we are currently holding about 5% between 10 and 24, however most clients are set to a hold of 13. With a bit of work maintaining a private DNSBL, you can reduce your hold file to less than 2%. This gives you a 150% buffer, and in reality, it's rare that we see a false positive above a 20, but this allows us to catch such things.

It takes a lot of time, but you should pay special attention to what combination of tests results in your false positives. I used to FP on a much higher amount of legitimate advertising when I had SpamCop scored at 9 points (with 3 points of negative weight possible). So anything that got SpamCopped only took something like a hit on BADHEADERS to fail, and that's not good. For those that have added SURBL like yourself, you should keep in mind that this is generated from SpamCop data, and you should score it lower because it could compound some of the false positives. This is the same principle as GIBBERISH and GIBBERISHSUB, when something FP's on one filter, there's a decent enough chance of it hitting both filters and therefore you should score them as a set instead of in isolation.

Another very important element is setting yourself up with a system for crediting problematic senders. When I can't get a legit source off of a DNSBL (CBL for instance makes this quite easy, but you should verify first if they are actively spamming or leaking viruses), you should have a filter set up with variable weights to credit those sources. With not too much effort this practice has cut my false positives down by 10 times. If you host multiple domains, adding per-domain whitelist entries for senders not likely to E-mail other domains on your server can save resources. I created a little app in ASP which stores samples of false positives in a database as well as filter settings, so when I want to add a domain to my credit filter system, I just enter some information in a Web page and press publish. I formerly just made entries in a filter file but commenting every entry seemed to be overkill, and if you don't add comments, you will very likely forget why you were crediting a particular sender. When I credit a sender, I typically give them enough to take them to a score of -2 on my system unless they were SpamCopped in which case I let them score -2 plus what I give SpamCop.

I've found that there are very few people that approach their system the same way, so do whatever you feel most comfortable with and understand. My personal recommendation would be to target a hold weight of 10 with a drop weight high enough so that all false positives land in hold, and then tighten your system so that you can lower the drop weight and catch more spam without creating significantly more false positives. Domains that are used exclusively for business and that don't have much legit advertising or newsletters being sent are incredibly easy to manage in my experience. A domain with a lot of 40+ year-old women that love deal sites, newsletters, greeting cards and ecommerce though can be a huge headache. My most problematic domain has just 10 addresses while I almost never have any problems with several domains approaching 100 users or above, and this is purely based on the way that they use their E-mail.

Hope that helps.

Matt





Goran Jovanovic wrote:

Does the following make sense in terms of how to deal with SPAM?

I am using the default weights for all the tests. I have added a bunch
of Matt's filters, added the SURBL test, changed CBL & BLITZEDALL to the
SBL-XBL test.

I am thinking that I will MARK SPAM at 10, HOLD at 20 and DELETE at 30
(hopefully bringing it down to 25).

Do you folks mark and send some mail to users, hold some and delete
some? Or do you just hold and delete? If you can share some weight
ranges with me I would appreciate it.

Thanx


Goran Jovanovic The LAN Shoppe

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.





-- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================
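The scoring ideas in the reply above (hold and drop weights, scoring correlated tests as a set, and crediting a sender down to -2) modelled as an added Python example. It is not part of the original thread and is not Declude configuration; the test weights are constructed, and the rule of counting only a quarter of each additional hit within a correlated set is an assumption made for illustration.

```python
HOLD = {"high": 10, "medium": 13, "low": 16}   # hold weights from the post
DROP = 25                                      # drop weight from the post

# Constructed weights for illustration; not Declude defaults.
WEIGHTS = {"SPAMCOP": 7, "SURBL": 5, "GIBBERISH": 4, "GIBBERISHSUB": 4,
           "BADHEADERS": 3, "SBL-XBL": 8}

# Tests that tend to fail together are scored as a set (assumed rule:
# full weight for the strongest hit, a quarter for each further hit).
CORRELATED = [{"SPAMCOP", "SURBL"}, {"GIBBERISH", "GIBBERISHSUB"}]


def naive_score(hits):
    """Every test scored in isolation: correlated hits compound."""
    return sum(WEIGHTS[t] for t in set(hits))


def score(hits, credit=0):
    """Set-aware score plus any (negative) credit for the sender."""
    hits = set(hits)
    total = credit
    grouped = set()
    for group in CORRELATED:
        ws = sorted((WEIGHTS[t] for t in hits & group), reverse=True)
        if ws:
            total += ws[0] + sum(w / 4 for w in ws[1:])
        grouped |= group
    return total + sum(WEIGHTS[t] for t in hits - grouped)


def credit_for(sample_hits, target=-2):
    """Credit that takes a sample false positive to `target`, ignoring
    SPAMCOP, so a SpamCopped message scores target + SpamCop weight."""
    return target - score(set(sample_hits) - {"SPAMCOP"})


def action(total, sensitivity="high"):
    if total >= DROP:
        return "drop"
    if total >= HOLD[sensitivity]:
        return "hold"
    return "deliver"


if __name__ == "__main__":
    newsletter = ["SPAMCOP", "SURBL", "BADHEADERS"]   # constructed sample
    for s in (naive_score(newsletter), score(newsletter)):
        print(s, action(s, "medium"))
```
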

