... am I also correct that the aforementioned "single-criterion/reject-at-the-envelope-level" solution *cannot* ever give me *any* measurable FP ratio?
Just to elaborate a bit (this gets back to our "Plea to developers of anti-spam software" at http://www.declude.com/plea.htm ). After going through the July false positives, some interesting things came up:
If we used a single-test rejection system with just 2 tests ("missing reverse DNS entry" and "invalid HELO/EHLO data"), which many hard-core anti-spammers would say will only catch E-mail that deserves to be blocked, we would have a false positive rate of over 15% (versus the multi-test ratio of .7%). That's over TWENTY legitimate E-mails rejected for every legitimate E-mail that we catch with our multi-test system.
This is, of course, a very simple comparison (add more tests, and it is guaranteed to get worse than 15% -- you can only get less than a 15% FP ratio by not using the REVDNS or HELO tests). Granted, those two tests would block a lot of spam -- 49.7%, to be exact (of all the spam we received in July, 2003). However, who would block more than 15% of their legitimate E-mail to catch less than 1/2 of their spam? Even the better of those two tests (REVDNS, catching 40.3% of spam) still catches 5.6% of our legitimate E-mail.
We don't have stats on the ACL test ("CABLE+DSL" as it is sometimes referred to), but it seems that it would catch about 5% to 10% of our legitimate E-mail (based on initial tests).
As a side note, the FIVETEN* tests (when running them all together as one test) catch over 10% of the legitimate E-mail here.
To end with a silly note, Declude JunkMail has a ROUTING test that detects over 30% of spam (it looks for poor Internet routing that is common to spam). After accounting for one person with 80 posts to the IMail forum that failed the ROUTING test, it would have a false positive ratio of just .3%. If we blocked all E-mail failing just the ROUTING test, we wouldn't receive any E-mail from one of the main supporters of the single test system. :) Even sillier, he would consider that a 0% FP ratio if he did not find some way to reach us to complain.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
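
The comparison in the message above, as an added example that is not part of the original post and is not Declude's code: a single-criterion policy rejects on any one failed test, so its false positives are the union of each test's false positives and can only grow as tests are added, while a multi-test policy rejects only on combined evidence. The test names come from the post; the message counts, the equal weights and the threshold of 10 are constructed assumptions, and a weighted sum is only one assumed way to build a multi-test system.

```python
from collections import Counter

def build_corpus():
    """Constructed sample: 40 legitimate and 40 spam messages,
    each recorded as (is_spam, set of tests the message failed)."""
    ham = [((), 33), (("REVDNS",), 3), (("HELO",), 2),
           (("ROUTING",), 1), (("REVDNS", "HELO"), 1)]
    spam = [(("REVDNS", "HELO", "ROUTING"), 10), (("REVDNS", "HELO"), 8),
            (("REVDNS", "ROUTING"), 6), (("HELO", "ROUTING"), 4),
            (("REVDNS",), 4), (("HELO",), 2), ((), 6)]
    corpus = []
    for is_spam, groups in ((False, ham), (True, spam)):
        for failed, count in groups:
            corpus += [(is_spam, frozenset(failed))] * count
    return corpus

def reject_any(tests):
    """Single-criterion policy: reject if any one listed test fails."""
    tests = frozenset(tests)
    return lambda failed: bool(failed & tests)

def reject_weighted(weights, threshold):
    """Multi-test policy (assumed form): reject only when the summed
    weights of the failed tests reach the threshold."""
    return lambda failed: sum(weights[t] for t in failed) >= threshold

def evaluate(corpus, policy):
    """Return (legit_rejected, spam_rejected, fp_ratio, catch_ratio)."""
    hits = Counter(is_spam for is_spam, failed in corpus if policy(failed))
    totals = Counter(is_spam for is_spam, _ in corpus)
    return (hits[False], hits[True],
            hits[False] / totals[False], hits[True] / totals[True])

if __name__ == "__main__":
    corpus = build_corpus()
    weights = {"REVDNS": 5, "HELO": 5, "ROUTING": 5}  # assumed weights
    policies = {
        "any of REVDNS": reject_any(["REVDNS"]),
        "any of REVDNS, HELO": reject_any(["REVDNS", "HELO"]),
        "any of REVDNS, HELO, ROUTING": reject_any(weights),
        "weighted, threshold 10": reject_weighted(weights, 10),
    }
    for name, policy in policies.items():
        fp, caught, fp_ratio, catch = evaluate(corpus, policy)
        print(f"{name:30s} FP {fp_ratio:6.1%}  spam caught {catch:6.1%}")
```

On this constructed sample the single-criterion policies trade a higher spam catch for a false positive ratio that rises with every test added, which is the effect the message describes.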
