* This is the modus mailing list * At 10:32 AM 11/19/2003 -0500, you wrote: >* This is the modus mailing list * > >Hi, > >We've noticed that most false positives reported were in the following 2 >categories: > >1 - Industry specific emails (Daily Router reports, automated mailings from >a monitoring tool, mailing lists etc.). Whitelisting has been added to >Modus3 for exactly that kind of reality. They don't quite look like spam, >but they look even less like real emails. We'll most likely call it >"legitimate" where we're not too sure but sometimes the SCA engine will make >that a false positive.
Hi Michael, The above simply isn't true from what we have seen so far. We are seeing plain jane email messages getting stopped. These are email messages with no graphics, no font changing, no embedded attachments, no adult content, or pharmacy related, or enhancing ones body. Many lobbied for the "Whitelist" feature, and I can definitely see some positives coming from that feature. Problems with it: 1. Because the user whitelists a message, Vircom will never know that the message was a false positive to begin with. 2. One a false positive has been added to the users whitelist, s/he has no way of knowing if that entry still needs to be in his/her whitelist. Quite possible that the SCA engine corrected that issue, but the end-user will never know that, and thus an entry that could have been removed, will never get removed. 3. Let's do a little mathematics here. On a smaller M3 install - 1000 users, 200 white list entries = 200.000 entries in the access database the M3 is using to store this information. That means that M3 has to go down through 200,000 entries and find that users 200 entries for each email message. The more entries in this database, the longer it will take to do the search. As a side note - any reason why there wasn't an option to store this to SQL, rather than an Access database? 4. Over time, the 200 entries (the default out of the box setting in M3) will not be enough for many customers. Does one tell the user to delete some of their entries or give them more? ...if you give them more, how many more? ...and when they reach that limit, then what? Sure, I like the fact that the whitelisting is there, but it's not going to be used in a manner in which won't get out of control. A users is going to whitelist every single false positive they get, not thinking that it might not happen again from that particular person. Simply going down a very bad path in the long-term. The above are just a few things that come to mind. >2 - End-users just discovering they can paste smileys, nice little hearts, >flower pictures, change their fonts size and colors 5 times and underline >things in the their email. Or a single embedded picture. We don't have a >problem with people doing that (as long as I'm not the one receiving those >emails :-) but that kind of "Please pay attention to me" statement is >exactly what the spammers use and we recognize that. Again, the problem is >easily dealt with by whitelisting your girlfriend (for example) so that the >next "cheesy" email she sends out won't be caught by the SCA engine. > >Seriously though, we need the false positives to improve the engine (and we >always will). But some of the false positives we get simply can't be dealt >with on our side by changing the SCA engine, or else it would lead to an >important decrease in catch-rate (like example number 2 above). You will >need to whitelist (or have end users whitelist) the senders for now. > >I'm always available for comments. I can assure you that my customers will take 5 spams a day over a single false positive! The comments have already been made. They don't care that they can whitelist the message. They want to know why an email to them was stopped. Right now, I can't even give them a decent answer, as 90% of the spams being caught are in miscellaneous\normal. That's not very descriptive, and telling them it's the "SCA Engine", and not in our control isn't flying either. I realize this is all a balancing act' between stopping spam and not having false positives. It's not an easy job, and I for one definitely recognize this. What I am gathering from my own experience and what others are beginning to see, is that the false positives are too high. Even with having a whitelist feature, there are serious repercussions of having a high percentage of false positives. I already had one of our business clients state to me that they would go elsewhere if he even begins to see the number of false positives that he see's on his personal Hotmail account. They don't care that we have a whitelist feature. It takes time to either look at their report, or login into the web quarantine to look at what has been stopped that shouldn't. This is costing them time and money, and ultimately, this will cost me (my company) time and money. My 2 cents worth. Thanks for listening. Jim Craig TDE Internet >Regards, > >------------------------------------- >Micha�l Gaudette, P.Eng., M.B.A. >Product Manager >Vircom Inc. >[EMAIL PROTECTED] > >-----Original Message----- >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf >Of Christian Schmit >Sent: Wednesday, November 19, 2003 10:10 AM >To: [EMAIL PROTECTED] >Subject: [Modus] false positives > > >* This is the modus mailing list * > > >Since using modus 3 our spam catch rate >has been fantastic but the number of false >positives has also increased. > >We have much more complaints now with false >positives from our customers in version 3 >than we had in version 2.1. > >I would be interested to know what other people >experience with ver 3 regarding false positives. > >Christian > > > > > > > >** >To unsubscribe, send an Email to: [EMAIL PROTECTED] >with the word "UNSUBSCRIBE" in the body or subject line. > > >** >To unsubscribe, send an Email to: [EMAIL PROTECTED] >with the word "UNSUBSCRIBE" in the body or subject line. ** To unsubscribe, send an Email to: [EMAIL PROTECTED] with the word "UNSUBSCRIBE" in the body or subject line.
