On Thursday, April 14, 2005, 8:50:12 AM, Joey wrote:

JP> Can someone please explain to me why, if an email is flagged as spam by
JP> Sniffer, I shouldn't just delete it outright?  Are there instances where
JP> Sniffer is wrong?  Or is this the way you all use it already?

JP> Reason I ask is that I have Sniffer set up with a weight of 10...and I hold
JP> messages with a weight of 10-14.  This morning I got a Nigerian-type scam
JP> that sniffer flagged, but it only scored a total weight of 5. I'll have to
JP> check through my global.cfg when I get back from my 9am meeting, but
JP> something added a weight of -5 somewhere, meaning the email got 
JP> through.  If I had deleted all Sniffer-found spam outright, this would not
JP> have happened.

JP> Thoughts?

... Just adding to the thread...

First, I agree with Nick & Don ...

As much as we try to make SNF perfect, the definition of its design,
and the fact of any spam test dictate that there will be some error
rate.

For example, our false positive handling process is based on our best
guess about the consensus of all of our customers.... "Do most of the
people we serve agree with this rule? Is that agreement worth the risk
of a false positive?"

These questions are answered primarily by statistics...

The point is that there is a gray area where some folks will always
find a false positive (and we generally will adjust their rulebase
accordingly).

That somebody could be you :-) So it is safest NOT to delete on SNF,
or for that matter any single test - even if that will lead to some
spam getting through. One of the key benefits of Declude is
its weighting system.

That said, the best practice (as I observe it) is to always hold on
SNF and to delete on a specific weight that is high enough to include
at least two other tests.

Using this strategy, any FP generated by SNF will still be around to
be noticed if it is discovered - either by review or by a customer
asking why some message appears to be missing. The message can then be
recovered, a false positive report made, and appropriate adjustments
implemented.

In your scenario you might want to set the weight of SNF higher so
that the -5 might still keep the message in your hold range. This
might force you to adjust your upper limit on the hold weight, but
it's a decent compromise I think. In the end only you can know for
sure what is the best strategy for your system.

All of this is a balance of resources and risks. There are many happy
systems out there that do regularly delete messages on a single test -
for example IMGate which has been debated widely. While I would not
recommend deleting a message solely on SNF as a general practice,
clearly there is room for this strategy on some systems.

Hope this helps,

_M



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
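
The hold-on-SNF, delete-on-combined-weight strategy from the reply above, as an added example that is not part of the original message and is not Declude or Sniffer code. The SNIFFER weight of 10, the -5 offset and the hold threshold of 10 come from the thread; the other test names, their weights, the delete threshold and the raised values are assumptions.

```python
# Added example: audit a weighted hold/delete policy. SNIFFER=10, the -5
# offset and the 10-14 hold range come from the thread; every other test
# name, weight and the delete threshold are constructed assumptions.
WEIGHTS = {"SNIFFER": 10, "DNSBL_A": 6, "DNSBL_B": 5, "NEGATIVE_TEST": -5}


def action(fired, weights, hold_at, delete_at):
    """Return the disposition for a message that tripped the tests in `fired`."""
    score = sum(weights[name] for name in fired)
    if score >= delete_at:
        return "delete"
    return "hold" if score >= hold_at else "deliver"


def audit(weights, hold_at, delete_at, key="SNIFFER"):
    """List the ways a policy breaks the hold-on-SNF, delete-on-consensus rule."""
    findings = []
    positive = {n: w for n, w in weights.items() if w > 0}
    negative_total = sum(w for w in weights.values() if w < 0)
    # 1. No single test may delete a message on its own.
    for name, weight in positive.items():
        if weight >= delete_at:
            findings.append(f"{name} alone reaches delete")
    # 2. The key test plus only one other test must stay below delete,
    #    so deletion needs at least two tests besides the key test.
    others = [w for n, w in positive.items() if n != key]
    if others and weights[key] + max(others) >= delete_at:
        findings.append(f"{key} plus one other test reaches delete")
    # 3. The key test must still hold after every negative weight applies.
    if weights[key] + negative_total < hold_at:
        findings.append(f"{key} hit can be pulled below hold by negative weights")
    return findings


def raised_policy():
    """One possible correction: raise the key weight and the delete threshold."""
    return dict(WEIGHTS, SNIFFER=15), 10, 22


if __name__ == "__main__":
    print("original:", audit(WEIGHTS, 10, 15))
    weights, hold_at, delete_at = raised_policy()
    print("raised:  ", audit(weights, hold_at, delete_at))
    print(action({"SNIFFER", "NEGATIVE_TEST"}, weights, hold_at, delete_at))
```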
