Matt,
Thank you very much. This is a help as it gives me some insight on what
can be done. My desire (however unrealistic it might be) is to have a
hold size that not a lot of messages fall into, because if they do then
I have to review them manually.
Since I am starting I am going to keep things loser so that I do not
delete real stuff and as I learn more I will tighten the screws.
Thanx again
Goran Jovanovic
The LAN Shoppe
2345 Yonge Street, Suite 302
Toronto, Ontario M4P 2E5
Phone: (416) 440-1167 x-2113
Cell: (416) 931-0688
E-Mail: [EMAIL PROTECTED]
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Matt
> Sent: Saturday, April 17, 2004 10:06 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Mark vs Hold vs Delete
>
> Personally I hold at 10, 13, or 16 (High, Medium or Low) and drop at
> 25. I'm not a fan of marking the subject lines for delivered
messages.
>
> If you work hard to keep all of your false positives below 25, you can
> then monitor this range with a fair amount of ease, and you will need
to
> do that anyway in order to adjust your system. On my system we are
> currently holding about 5% between 10 and 24, however most clients are
> set to a hold of 13. With a bit of work maintaining a private DNSBL,
> you can reduce your hold file to less than 2%. This give you a 150%
> buffer, and in reality, it's rare that we see a false positive above a
> 20, but this allows us to catch such things.
>
> It takes a lot of time, but you should pay special attention to what
> combination of tests results in your false positives. I used to FP on
a
> much higher amount of legitimate advertising when I had SpamCop scored
> at 9 points (with 3 points of negative weight possible). So anything
> that got SpamCopped only took something like a hit on BADHEADERS to
> fail, and that's not good. For those that have added SURBL like
> yourself, you should keep in mind that this is generated from SpamCop
> data, and you should score it lower because it could compound some of
> the false positives. This is the same principle as GIBBERISH and
> GIBBERISHSUB, when something FP's on one filter, there's a decent
enough
> chance of it hitting both filters and therefore you should score them
as
> a set instead of in isolation.
>
> Another very important element is setting yourself up with a system
for
> crediting problematic senders. When I can't get a legit source off of
a
> DNSBL (CBL for instance makes this quite easy, but you should verify
> first if they are actively spamming or leaking viruses), you should
have
> a filter set up with variable weights to credit those sources. With
not
> too much effort this practice has cut my false positives down by by 10
> times. If you host multiple domains, adding per-domain whitelist
> entries for senders not likely to E-mail other domains on your server
> can save resources. I created a little app in ASP which stores
samples
> of false positives in a database as well as filter settings, so when I
> want to add a domain to my credit filter system, I just enter some
> information in a Web page and press publish. I formerly just made
> entries in a filter file but commenting every entry seemed to be
> overkill, and if you don't add comments, you will very likely forget
why
> you were crediting a particular sender. When I credit a sender, I
> typically give them enough to take them to a score of -2 on my system
> unless they were SpamCopped in which case I let them score -2 plus
what
> I give SpamCop.
>
> I've found that there are very few people that approach their system
the
> same way, so do whatever you feel most comfortable with and
understand.
> My personal recommendation would be to target a hold weight of 10 with
a
> drop weight high enough so that all false positives land in hold, and
> then tighten your system so that you can lower the drop weight and
catch
> more spam without creating significantly more false positives.
Domains
> used exclusively for business and don't have much legit advertising or
> newsletters being sent are incredibly easy to manage in my experience.
> A domain with a lot of 40+ year old women that love deal sites,
> newsletters, greeting cards and ecommerce though can be a huge
> headache. My most problematic domain has just 10 addresses while I
> almost never have any problems with several domains approaching 100
> users or above, and this is purely based on the way that they use
their
> E-mail.
>
> Hope that helps.
>
> Matt
>
>
>
>
>
> Goran Jovanovic wrote:
>
> >Does the following make sense in terms of how to deal with SPAM?
> >
> >I am using the default weights for all the tests. I have added a
bunch
> >of Matt's filters, added the SURBL test, changed CBL & BLITZEDALL to
the
> >SBL-XBL test.
> >
> >I am thinking that I will MARK SPAM at 10, HOLD at 20 and DELETE at
30
> >(hopefully bringing it down to 25).
> >
> >Do you folks mark and send some mail to users, hold some and delete
> >some? Or do you just hold and delete? If you can share some weight
> >ranges with me I would appreciate.
> >
> >Thanx
> >
> >
> > Goran Jovanovic
> > The LAN Shoppe
> >
> >---
> >[This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
> >
> >---
> >This E-mail came from the Declude.JunkMail mailing list. To
> >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >type "unsubscribe Declude.JunkMail". The archives can be found
> >at http://www.mail-archive.com.
> >
> >
> >
> >
>
> --
> =====================================================
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =====================================================
>
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
