I would suggest combo-ing sniffer with other tests - and make the penalty very 
small at first until you gain confidence in the results.

-Nick
Here is an old sample combo-sniffer.txt file - use it as a guide - not in
production.

SKIPIFWEIGHT    26
TESTSFAILED    END    NOTCONTAINS    EXTERNAL.SNIFFER
TESTSFAILED    2    CONTAINS    F5SPAMMONKEY
TESTSFAILED    2    CONTAINS    10SPAMMONKEY
HEADERS        5    CONTAINS    X-Alligate-AddrSpace: Failed
TESTSFAILED    2    CONTAINS    FILTER.ALLIGATE
TESTSFAILED    4    CONTAINS    FILTER.STATICSPAMMER_MAILFROM
COUNTRIES    6    CONTAINS    CN
COUNTRIES    6    CONTAINS    KR
COUNTRIES    6    CONTAINS    CH
TESTSFAILED    6    CONTAINS    FILTER.BADCOUNTRYNORVDNS
TESTSFAILED    2    CONTAINS    FILTER.COMBO.SUSPECIOUS
TESTSFAILED    5    CONTAINS    FILTER.DYNA
TESTSFAILED    8    CONTAINS    FILTER.INVESTMENT
TESTSFAILED    5    CONTAINS    FILTER.LOTTERY
TESTSFAILED    3    CONTAINS    FILTER.MORTGAGE
TESTSFAILED    5    CONTAINS    FILTER.HEALTH_INS
TESTSFAILED    5    CONTAINS    FILTER.NIGERIAN.SCAM
TESTSFAILED    2    CONTAINS    FILTER.REV_DNS
TESTSFAILED    3    CONTAINS    IP4R.SBL
TESTSFAILED    2    CONTAINS    IP4R.SPAMCOP
TESTSFAILED    2    CONTAINS    IP4R.XBL
TESTSFAILED    3    CONTAINS    IPFILE.HOSTS
TESTSFAILED    9    CONTAINS    IPFILE.KILL
TESTSFAILED    3    CONTAINS    IPFILE.NETWORKS
TESTSFAILED    6    CONTAINS    IPFILE.SUSPICIOUS.HOST
TESTSFAILED    2    CONTAINS    IPFILE.SUSPICIOUS.NETWRK
TESTSFAILED    3    CONTAINS    XBL(
TESTSFAILED    3    CONTAINS    TEST.DYNHELO
TESTSFAILED    3    CONTAINS    TEST.ROUTING
TESTSFAILED    1    CONTAINS    TEST.SPAMHEADERS
TESTSFAILED    3    CONTAINS    TEST.BADHEADERS
TESTSFAILED    3    CONTAINS    TEST.REVDNS
TESTSFAILED    3    CONTAINS    IP4R.ZENSPAMHAUS



MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm
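
An added example, not part of the original thread and not Declude's own code: a small Python evaluator for a subset of the combo file above, showing that points accumulate only when Sniffer has failed alongside other tests. The line semantics (SKIPIFWEIGHT skips the filter at or above that weight, a matching END line stops processing, CONTAINS is a plain substring match), the function names and the sample messages are assumptions made for illustration.

```python
# Added illustration: evaluates combo-filter lines under ASSUMED semantics.
COMBO_RULES = """\
SKIPIFWEIGHT    26
TESTSFAILED    END    NOTCONTAINS    EXTERNAL.SNIFFER
TESTSFAILED    2    CONTAINS    FILTER.REV_DNS
TESTSFAILED    3    CONTAINS    IP4R.SBL
TESTSFAILED    2    CONTAINS    IP4R.SPAMCOP
TESTSFAILED    5    CONTAINS    FILTER.DYNA
COUNTRIES    6    CONTAINS    CN
HEADERS        5    CONTAINS    X-Alligate-AddrSpace: Failed
"""

def parse_rules(text):
    """Split the file into the SKIPIFWEIGHT value and (field, weight, op, text) rules."""
    skip_at, rules = None, []
    for line in text.splitlines():
        parts = line.split(None, 3)          # the match text may contain spaces
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "SKIPIFWEIGHT":
            skip_at = int(parts[1])
        elif len(parts) == 4:
            rules.append((parts[0], parts[1], parts[2], parts[3].strip()))
    return skip_at, rules

def combo_points(text, msg, current_weight):
    """Return (points, matched_texts) this filter would add to one message."""
    skip_at, rules = parse_rules(text)
    if skip_at is not None and current_weight >= skip_at:
        return 0, []                         # already heavy enough: filter skipped
    points, matched = 0, []
    for field, weight, op, needle in rules:
        found = needle in msg.get(field, "")
        if found != (op == "CONTAINS"):      # NOTCONTAINS inverts the match
            continue
        if weight == "END":                  # e.g. Sniffer did not fail: stop here
            break
        points += int(weight)
        matched.append(needle)
    return points, matched

# Constructed sample messages: (fields, weight from the individually scored tests).
SAMPLES = [
    ({"TESTSFAILED": "EXTERNAL.SNIFFER FILTER.REV_DNS IP4R.SPAMCOP", "COUNTRIES": "US"}, 8),
    ({"TESTSFAILED": "FILTER.REV_DNS IP4R.SBL", "COUNTRIES": "CN"}, 5),
    ({"TESTSFAILED": "EXTERNAL.SNIFFER"}, 8),
]

if __name__ == "__main__":
    for fields, base in SAMPLES:
        pts, hits = combo_points(COMBO_RULES, fields, base)
        print(base, "+", pts, "=", base + pts, hits)
```

The third sample shows the limit of this approach: a message that fails Sniffer and nothing else gets no combo points and stays at its original weight.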




----------------------------------------

From: "IMail Admin" <imailad...@bcwebhost.net>
Sent: Friday, April 08, 2011 3:51 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX



Thanks.  Now that you've posted this I have to apologize because I
recall reading this years ago.

The problem I'm struggling with is that I get a lot of spam that fails many
tests and ends up being deleted, but I also get a lot of true spam that fails
only one test, usually Sniffer, and I'd like to find test(s) that would
incrementally confirm the spam and push it to the next threshold.  For
example, I weight Sniffer at 8, so I get a lot of spam that scores 8.
They're true spam, but the other tests don't confirm it and my delete threshold
is 12 (although I would be happy to get just to 10 on these spams).

Any suggestions welcome.

Thanks,

Ben






From: Nick Hayer
Sent: Friday, April 08, 2011 12:23 PM
To: Declude.JunkMail@declude.com
Subject: re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX




The defs are in the junkmail manual:
https://www.declude.com/searchresults.asp?Cat=109

IPNOTINMX - The IPNOTINMX test is good for helping reduce false positives. By
default, Declude JunkMail will subtract several points from the weighting
system when an email does not fail this test (which is very different from the
way a spam test normally works). WARNING: The IPNOTINMX should NOT be used to
detect spam! It will be triggered when an email is sent from an IP address that
is not in its MX record. Although this test will catch a lot of spam (perhaps
80%), it will also catch a lot of legitimate mail (as quite a few larger
mailers will send their mail through a different mail server than they use to
receive mail).

NOLEGITCONTENT - Like the IPNOTINMX test, the NOLEGITCONTENT test is good for
helping reduce false positives. By default, Declude JunkMail will subtract
several points from the weighting system when an email does not fail this test
(which is very different from the way a spam test normally works). WARNING: The
NOLEGITCONTENT test should NOT be used to detect spam! It will be triggered
when Declude JunkMail does not detect any legitimate content in an email. NOTE:
Some legitimate email will fail this test, but almost all spam will fail it.

The best 'test' is a 'combo' test where it takes several unrelated tests to
fail before you whack the email w/a penalty.

-Nick





----------------------------------------

From: "IMail Admin" <imailad...@bcwebhost.net>
Sent: Friday, April 08, 2011 1:38 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX





In all this work on inv-uribl, I realized that my system scores 0 for
NOLEGITCONTENT and IPNOTINMX. I would just be following the default, so that
leads to the question: what is the purpose of these tests and do other people
assign them scores?




--- This E-mail came from the
Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to
imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can
be found at http://www.mail-archive.com.