Title: Message
My experience is that SNIFFER-GENERAL and SNIFFER-EXPERIMENTAL are the two common names for the tests that produce the most such false positives.  SNIFFER-GENERAL contains user submitted spam that wasn't already tagged, and unfortunately the userbase tends to report what I consider to be legitimate advertising, and/or the rules generated are overly generic and can hit both the good and the bad.  SNIFFER-EXPERIMENTAL is where most new rules are generated from the spamtraps, and due to the cross checking/qualifying primarily with SURBL, a domain that might have temporarily been a false positive in SURBL can end up living much longer in SNIFFER-EXPERIMENTAL than it does in SURBL.

On my system in order to lessen the impact of these things, I have been collecting CIDR ranges and reverse DNS entries for bulk-mail services as well as individual bulk-mailers (such as amazon.com, etc.) so that I can treat this E-mail differently by disabling/crediting back points for certain tests.  It was a huge undertaking, but it was very much worth it since there seemed to be a never ending stream of random false positives and I got sick of whitelisting E-mail campaigns one at a time.  I still score Sniffer at full points for these things, but I credit back points for tests that are primarily targeted at zombies such as BADHEADERS.  Essentially it takes a hit from at least two of SURBL, SNIFFER and SPAMCOP to block one of these whereas before just one of these would result in blocking when combined with the other types of tests.  I also segregate blocked E-mail from this classification so that it isn't mixed in with the unspecified held messages, making it easier to do review.

Matt
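The scoring approach described above (identify known bulk mailers by CIDR range or reverse DNS, credit back the points from zombie-oriented tests such as BADHEADERS, and require hits from at least two of SURBL, SNIFFER and SPAMCOP before blocking, with blocked bulk mail kept in its own queue) can be modelled in a few lines. The following is an added illustration, not Declude's own code and not part of the thread: Declude expresses this in its filter files, whereas this is a stand-alone Python model. The weights, threshold, CIDR ranges (RFC 5737 documentation space) and reverse-DNS suffixes are all constructed for the example.

```python
import ipaddress

# Constructed illustrative weights; a real Declude install assigns its own.
WEIGHTS = {
    "SNIFFER-GENERAL": 10, "SNIFFER-EXPERIMENTAL": 10, "SNIFFER-PORN": 10,
    "SURBL": 10, "SPAMCOP": 8, "BADHEADERS": 5, "CMDSPACE": 5,
}
HOLD_THRESHOLD = 15

# Tests aimed primarily at zombie/botnet senders; credited back for known bulk mailers.
ZOMBIE_TESTS = {"BADHEADERS", "CMDSPACE"}

# Constructed bulk-mailer identification data (documentation ranges, example names).
BULK_CIDRS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/25")]
BULK_RDNS_SUFFIXES = (".bulk-esp.example", ".mail.retailer.example")


def is_bulk_mailer(ip, rdns):
    """True if the sending IP falls in a known bulk-mail CIDR or its rDNS matches."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BULK_CIDRS):
        return True
    return rdns.lower().endswith(BULK_RDNS_SUFFIXES)


def confirming_sources(tests_failed):
    """Distinct reputation sources among SURBL, SNIFFER (any category) and SPAMCOP."""
    sources = set()
    for test in tests_failed:
        if test.startswith("SNIFFER-"):
            sources.add("SNIFFER")
        elif test in ("SURBL", "SPAMCOP"):
            sources.add(test)
    return sources


def score_message(tests_failed, ip, rdns):
    """Return (score, disposition); disposition is DELIVER, HELD or HELD-BULK."""
    score = sum(WEIGHTS.get(t, 0) for t in tests_failed)
    if not is_bulk_mailer(ip, rdns):
        return score, ("HELD" if score >= HOLD_THRESHOLD else "DELIVER")

    # Known bulk mailer: credit back the zombie-oriented tests...
    score -= sum(WEIGHTS.get(t, 0) for t in tests_failed if t in ZOMBIE_TESTS)
    # ...and insist on two independent sources before blocking.
    if len(confirming_sources(tests_failed)) < 2 or score < HOLD_THRESHOLD:
        return score, "DELIVER"
    # Segregated so bulk-mail blocks can be reviewed apart from the general held queue.
    return score, "HELD-BULK"


# Constructed sample results, as a Declude log might summarise them.
SAMPLES = [
    ("newsletter",  ["SNIFFER-GENERAL", "BADHEADERS"],            "192.0.2.17",   "o1.bulk-esp.example"),
    ("rdns-match",  ["SNIFFER-GENERAL", "CMDSPACE"],              "203.0.113.9",  "out7.bulk-esp.example"),
    ("bulk-spam",   ["SNIFFER-EXPERIMENTAL", "SURBL", "BADHEADERS"], "198.51.100.3", "m.retailer.example"),
    ("zombie",      ["SNIFFER-GENERAL", "BADHEADERS"],            "203.0.113.200", "dsl-200.isp.example"),
]


def run_samples():
    """Score every sample and return {name: disposition}."""
    return {name: score_message(tests, ip, rdns)[1] for name, tests, ip, rdns in SAMPLES}


if __name__ == "__main__":
    for name, disposition in run_samples().items():
        print(f"{name:12s} {disposition}")
```

The "newsletter" and "zombie" samples fail exactly the same tests; only the sender classification differs, and the bulk-mailer copy is delivered while the zombie copy is held. The "bulk-spam" sample shows that a known bulk mailer is still blocked once SURBL and SNIFFER agree.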



Markus Gufler wrote:
Matt
 
for this case I recommend using
 
TESTSFAILED END CONTAINS SNIFFER-TRAVEL
TESTSFAILED END CONTAINS SNIFFER-INSUR
TESTSFAILED END CONTAINS SNIFFER-AV
TESTSFAILED END CONTAINS SNIFFER-MEDIA
TESTSFAILED END CONTAINS SNIFFER-SWARE
TESTSFAILED END CONTAINS SNIFFER-SNAKE
TESTSFAILED END CONTAINS SNIFFER-SCAMS
TESTSFAILED END CONTAINS SNIFFER-PORN
TESTSFAILED END CONTAINS SNIFFER-MALWARE
TESTSFAILED END CONTAINS SNIFFER-INK
TESTSFAILED END CONTAINS SNIFFER-CREDIT
TESTSFAILED END CONTAINS SNIFFER-CASINO
TESTSFAILED END CONTAINS SNIFFER-OBFUSC
TESTSFAILED END CONTAINS SNIFFER-GENERAL
and maybe also
 
TESTSFAILED END CONTAINS SNIFFER-RICH
 
instead of
 
TESTSFAILED 10 CONTAINS SNIFFER
 
...for the initial end statement(s) in the combo-filter.
 
This is because only two or three SNIFFER exit codes seem not to be very reliable (even if they are still good): 61, 63 and maybe also 57.
 
Markus
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, January 12, 2006 10:04 PM
To: [email protected]
Subject: Re: [Declude.JunkMail] Combo Filter

Definitely.

One of the better points to this combination is that both tests are completely isolated from one another.

The only danger is that some bulk E-mail software/providers will trigger CMDSPACE, and Sniffer does have a moderate problem with false positives on bulk E-mail, IMO, so you might get a few false positives on this.

Matt



Goran Jovanovic wrote:

Hi,

 

Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER.

 

Thanx

 

Goran Jovanovic

Omega Network Solutions
