Hi all,

(apologies in case you receive this message twice. I used a different 
sender address the first time, and since it didn't arrive through the 
list as of now, I assume the message has been discarded by some 
sender-not-on-list policy or so)

Here's something that I have been wondering about for quite some time now.

I'm administering a low-volume mail server with about 30 users. (short 
details: users receive between like 1 message per year and (max.) around 
50/day; all use TUM, osb tokenizer, and MySQL backend).

When looking through the logs, I see various delivery attempts to 
addresses which have never existed on the system, so these attempts 
clearly must be SPAM. (I suppose some address harvester went postal at 
some point in time). At the moment we're simply rejecting these, but I 
was wondering if they might be useful as an inoculation source.

I went through the README again and again (especially the groups 
description). The feature that comes closest to what I want is probably 
the inoculation groups, but global/merged seem somewhat suitable as 
well... Anyway, here are my questions:

- I do not want all users to inoculate each other (because one user's 
spam is another's ham, as the saying goes). Instead, I would want only 
the "definitely spam"-addresses to "inoculate" all users.

- by their nature, these addresses receive exclusively spam. So every 
token present at all for them would have x spam and 0 ham hits.

- Assuming that there's some way to get the above to work, what would 
the implications be? Users behave differently (some meticulously 
retrain, some simply accept all mails -- including SPAM -- without ever 
retraining)... Thus the simplest case to consider is probably a user 
who is newly added and thus has no statistics of his own at all. 
Wouldn't there be a strong tendency for false positives in this case? If 
so, what is a better approach?

If anyone can shed some light on this, I'd be very grateful. I also 
apologize if this has been asked before (didn't find anything) -- in 
this case, just point me to some further reading :-)

Thanks in advance & cheers
Chris

PS: It may well be that the idea itself is counterproductive. I'm also 
using the ClamAV unofficial sigs, but only a small subset ("scam" and 
serious threats only, and only those with a low FP rate). I deliberately 
did not include the "normal SPAM" parts, because I want people to see 
for themselves that training works, and is the better alternative in the 
long run. Am I wrong? ;-)


_______________________________________________
Dspam-user mailing list
Dspam-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspam-user
