On Wednesday, March 30, 2005, 10:35:52 PM, Darin wrote: DC> Pete, DC> � DC> Have�you make�significant changes to the sniffer rulebase in the past couple of days? DC> � DC> I'm seeing a _huge_ reduction in hold queue messages... DC> roughly down 65%...�while total message volume is steady.� Only DC> thing I can figure is that the rulebase is suddenly identifying DC> most of the messages that fail other tests as well, pushing most DC> over the delete limit.... or other tests like SpamCop, DC> Mailpolice, etc.�have made significant changes...� I've checked a DC> few sites for news, but am not seeing anything new. DC> � DC> The sudden change has me a wee bit concerned...cautiously optimistic, but concerned.
THis might be better asked on the Sniffer forum rather than Declude's though I'm sure they don't mind. The only thing I can think of is that there has been a greater use of message fragment rules over the past few days in response to some of the newer campaigns. I wouldn't call that a radical change - but it has been a moderately heavy shift. In particular there is a new snake oil campaign that is using a number of randomized obfuscated segments in their message and we've been capitalizing on that. I don't see any significant shifts in the statistics. What I do see is a subtle change in the shape of the new rule capture curve (see the left side of this chart): http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp I have also seen higher spam rates and SNF capture rates in recent MDLP data on our system: http://www.sortmonster.com/MDLP/MDLP-Example-Short.html What counts in cases like these are false positive rates... If it seems that we're catching a lot more spam then lets be sure it really is spam. So far FP rates are nominal though there is a spike yesterday in the number (this appears to be an automated system that submits FPs from users -- the batch contains a larger than usual number of duplicate submissions -- this happens from time to time with this customer). http://www.sortmonster.com/MessageSniffer/Performance/FalseReportsRates.jsp Hope this helps, _M --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
