Katie LaSalle-Lowery wrote:

I have a situation I haven't seen before. Declude logs show that the message failed Sniffer, which caused the message to exceed our weight threshold and be deleted.

Sniffer logs show that the message did not fail Sniffer.

Actually that is not correct. The message did fail SNF with a "Caution" result.


<s u='20090206143433' m='c:\IMAIL\spool\proc\work\D4a6d019b000050e3.smd' s='40' r='0'/>

                <p s='0' t='31' l='61394' d='37'/>

<g o='0' i='63.118.171.179' t='u' c='0.142858' p='0.5' r='Caution'/>

</s>

The caution result (symbol 40) will resolve itself almost immediately in most cases because the caution range in GBUdb is very "thin". When a caution result is produced it indicates that there was no pattern match but the IP is suspicious. Since the message did not match a pattern result code the statistics for the IP are usually moved out of the caution range on the first event.

How do I prevent recurrence of this false positive deletion?

Note that the statistics show this IP has produced spam about 75% of the time (probability figure = 0.5). You may want to look into what other messages this IP has sent to you that were filtered out - and why.

If you would like to be more lenient on your system (especially during spam storms) then you could turn off the caution range or you could adjust its envelope settings.

Hope this helps,

_M



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [email protected], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
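
The following is an added example, not part of the original message or of the SNF/Declude software: a small log triage script that lists scans whose result came from the GBUdb caution range alone, so the sending IPs can be reviewed before deciding whether to change the caution settings. It assumes that the s attribute on the scan element is the result symbol, that c on the g element is a confidence figure, and that p is a probability from -1 to 1; the second sample entry is constructed.

```python
import re

ATTR = re.compile(r"(\w+)='([^']*)'")
CAUTION_SYMBOL = "40"  # "caution result (symbol 40)" in the message above

# Constructed sample: entry 1 is the entry quoted in the message; entry 2 is
# invented for contrast (its file name, IP, figures and r value are made up).
SAMPLE_LOG = r"""
<s u='20090206143433' m='c:\IMAIL\spool\proc\work\D4a6d019b000050e3.smd' s='40' r='0'/>
<p s='0' t='31' l='61394' d='37'/>
<g o='0' i='63.118.171.179' t='u' c='0.142858' p='0.5' r='Caution'/>
</s>
<s u='20090206143501' m='c:\IMAIL\spool\proc\work\Dexample0000000001.smd' s='0' r='0'/>
<p s='0' t='15' l='2048' d='12'/>
<g o='0' i='192.0.2.10' t='u' c='0.02' p='-0.9' r='Normal'/>
</s>
"""

def spam_share(p):
    # Assumption: the probability figure runs from -1 to 1, which matches the
    # message's "about 75% of the time (probability figure = 0.5)".
    return (float(p) + 1.0) / 2.0

def scan_entries(text):
    # Line-oriented on purpose: the entry as quoted has a self-closing
    # <s .../> followed by </s>, which a strict XML parser would reject.
    entry = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("<s "):
            entry = {"scan": dict(ATTR.findall(line)), "gbudb": {}}
        elif line.startswith("<g ") and entry is not None:
            entry["gbudb"] = dict(ATTR.findall(line))
        elif line.startswith("</s>") and entry is not None:
            yield entry
            entry = None

def caution_only_hits(text):
    # Caution symbol on the scan plus a Caution GBUdb result: the IP statistics
    # alone produced the result, with no pattern match.
    hits = []
    for e in scan_entries(text):
        scan, g = e["scan"], e["gbudb"]
        if scan.get("s") == CAUTION_SYMBOL and g.get("r") == "Caution":
            hits.append({"time": scan["u"], "ip": g["i"],
                         "confidence": float(g["c"]),  # assumed meaning of c
                         "spam_share": spam_share(g["p"])})
    return hits

if __name__ == "__main__":
    print(caution_only_hits(SAMPLE_LOG))
```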
