RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme
Just a thought. We would have to test it but do you think the same thing could be achieved using:

IPREPUTATION-3 SNFIPREP x -3 0 -5
IPREPUTATION-2 SNFIPREP x -2 0 -5
IPREPUTATION-1 SNFIPREP x -1 0 -5
IPREPUTATION-0 SNFIPREP x 0 5 -5
IPREPUTATION+1 SNFIPREP x 1 5 -5
IPREPUTATION+2 SNFIPREP x 2 5 -5
IPREPUTATION+3 SNFIPREP x 3 5 -5

This way the further an IP is on the scale the greater the credit or additional score. This would have to wait till we implement the - negative for the BASEPOINT.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, May 03, 2010 4:52 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme

Hi Dave,

I'm breaking this into two discussions as they are two different topics.

The REAL point of Pete's input (and my suggestion) for SNFIPREP is that the reputation scale of -1 through +1 should NOT just result in either ONE positive or ONE negative weight option.

Your example:

IPREPUTATION SNFIPREP x 0 10 -5

only results in either a 10 being added or a 5 being subtracted. So you are turning a continuous scale of -1 to +1 into two discrete values - losing all the key benefits of having the reputation scale in the first place. You already have the SNFIP return codes, if someone wanted a fixed value for a particular level of reputation.

To really make use of the GBUdb, there should be a continuous weight from 0 to 10 for bad reputation and 0 through -5 for good reputation (using your sample of 10 and -5). Basically, for positive GBUdb values, multiply with the 10 (getting a value from 0 to 10 depending on how bad the reputation is), for negative values multiply with -5 to get a weight from 0 to -5 (depending on how good the IP is).

This would make the test really useful because it would only cause BIG weight changes for BIG GBUdb values.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, May 03, 2010 3:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for white listing

As Pete already provided input on this. I am not going to prolix the answer other than to say when implementing Message Sniffer we abided by Pete's advice:

Since many legitimate ISPs also produce a lot of spam it might be useful to apply a bias to this weight so that these systems appear closer to zero.

So currently we do not allow for a negative value as a BASEPOINT, with that said if you think it is really important to be able to use a negative value as you have described in your post, let me know and I can add it to the dev list.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme
Hi Dave,

Hm - yes, I think if you added 21 lines (from -10 to 0 and to +10) to the config file, you could cover the reputation range from -1 to +1 in 0.1 step increments. Not elegant - but would have the same effect as multiplying the reputation range with the defined max weight.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, May 05, 2010 12:12 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme

Just a thought. We would have to test it but do you think the same thing could be achieved using:

IPREPUTATION-3 SNFIPREP x -3 0 -5
IPREPUTATION-2 SNFIPREP x -2 0 -5
IPREPUTATION-1 SNFIPREP x -1 0 -5
IPREPUTATION-0 SNFIPREP x 0 5 -5
IPREPUTATION+1 SNFIPREP x 1 5 -5
IPREPUTATION+2 SNFIPREP x 2 5 -5
IPREPUTATION+3 SNFIPREP x 3 5 -5

This way the further an IP is on the scale the greater the credit or additional score. This would have to wait till we implement the - negative for the BASEPOINT.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, May 03, 2010 4:52 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme

Hi Dave,

I'm breaking this into two discussions as they are two different topics.

The REAL point of Pete's input (and my suggestion) for SNFIPREP is that the reputation scale of -1 through +1 should NOT just result in either ONE positive or ONE negative weight option.

Your example:

IPREPUTATION SNFIPREP x 0 10 -5

only results in either a 10 being added or a 5 being subtracted. So you are turning a continuous scale of -1 to +1 into two discrete values - losing all the key benefits of having the reputation scale in the first place. You already have the SNFIP return codes, if someone wanted a fixed value for a particular level of reputation.

To really make use of the GBUdb, there should be a continuous weight from 0 to 10 for bad reputation and 0 through -5 for good reputation (using your sample of 10 and -5). Basically, for positive GBUdb values, multiply with the 10 (getting a value from 0 to 10 depending on how bad the reputation is), for negative values multiply with -5 to get a weight from 0 to -5 (depending on how good the IP is).

This would make the test really useful because it would only cause BIG weight changes for BIG GBUdb values.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, May 03, 2010 3:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for white listing

As Pete already provided input on this. I am not going to prolix the answer other than to say when implementing Message Sniffer we abided by Pete's advice:

Since many legitimate ISPs also produce a lot of spam it might be useful to apply a bias to this weight so that these systems appear closer to zero.

So currently we do not allow for a negative value as a BASEPOINT, with that said if you think it is really important to be able to use a negative value as you have described in your post, let me know and I can add it to the dev list.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
Re: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme
On 5/5/2010 1:30 PM, Andy Schmidt wrote:

> Hi Dave,
>
> Hm - yes, I think if you added 21 lines (from -10 to 0 and to +10) to the config file, you could cover the reputation range from -1 to +1 in 0.1 step increments. Not elegant - but would have the same effect as multiplying the reputation range with the defined max weight.

I hate to muddy the waters further -- but we solved this problem once when developing the envelope management bit of GBUdb.

It might be complicated to explain, but suppose you define the slope at a given point for each line you specify and then have the resulting weight be a linear transform (as was discussed before).

Then you would need only two entries by default... One that describes full-scale + and another that defines full scale -.

If you find the need to alter the slope then you can add additional points in between. The math works by drawing a straight line from 0 to the next defined point, and from that point to the extreme, and so on.

Personally I think it is overkill -- but if you're going to talk about making many many lines for this then the multi-point curve interpolation is the way to go.

In practice the best way _seems_ to be to provide only two slopes -- one positive going, one negative going -- and to establish a weight based on those slopes. Theoretically that could be defined on a single Declude test definition line.

Is there some constraint that I don't know about causing folks to consider more complexity?

Hope this is helpful,

_M

--
President
MicroNeil Research Corporation
www.microneil.com
RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme
Yes, Declude already has TWO weights associated with SNFIPREP (one for positive, one for negative). Just as you said, by multiplying with the positive or negative weight, as need be, one would get two linear slopes from the center point.

On top of that, Dave has a basepoint option that can shift the center point left or right.

So - it's 99% there. It just needs to prorate the +/- weights (= multiplying) rather than use them as absolute values.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete McNeil
Sent: Wednesday, May 05, 2010 3:14 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme

On 5/5/2010 1:30 PM, Andy Schmidt wrote:

> Hi Dave,
>
> Hm - yes, I think if you added 21 lines (from -10 to 0 and to +10) to the config file, you could cover the reputation range from -1 to +1 in 0.1 step increments. Not elegant - but would have the same effect as multiplying the reputation range with the defined max weight.

I hate to muddy the waters further -- but we solved this problem once when developing the envelope management bit of GBUdb.

It might be complicated to explain, but suppose you define the slope at a given point for each line you specify and then have the resulting weight be a linear transform (as was discussed before).

Then you would need only two entries by default... One that describes full-scale + and another that defines full scale -.

If you find the need to alter the slope then you can add additional points in between. The math works by drawing a straight line from 0 to the next defined point, and from that point to the extreme, and so on.

Personally I think it is overkill -- but if you're going to talk about making many many lines for this then the multi-point curve interpolation is the way to go.

In practice the best way _seems_ to be to provide only two slopes -- one positive going, one negative going -- and to establish a weight based on those slopes. Theoretically that could be defined on a single Declude test definition line.

Is there some constraint that I don't know about causing folks to consider more complexity?

Hope this is helpful,

_M

--
President
MicroNeil Research Corporation
www.microneil.com
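Added example, not part of the thread and not Declude or Message Sniffer code: the three scoring schemes discussed in the messages above, side by side, so the effect on a borderline IP is visible. Function names are hypothetical, the 10 / -5 weights are the thread's sample values, and the handling of a reputation exactly at the basepoint and of out-of-range input is an assumption.

```python
from bisect import bisect_right

def discrete_weight(rep, pos_weight=10.0, neg_weight=-5.0, basepoint=0.0):
    """All-or-nothing scoring, as the thread describes the current test."""
    if rep > basepoint:
        return pos_weight
    if rep < basepoint:
        return neg_weight
    return 0.0  # assumption: exactly at the basepoint scores nothing

def prorated_weight(rep, pos_weight=10.0, neg_weight=-5.0):
    """Andy's proposal: scale the weight by the size of the reputation."""
    rep = max(-1.0, min(1.0, rep))  # assumption: clamp out-of-range input
    return rep * pos_weight if rep >= 0 else -rep * neg_weight

def interpolated_weight(rep, points):
    """Pete's multi-point variant: straight lines between defined points.

    points holds (reputation, weight) pairs; (0, 0) is always implied.
    """
    pts = sorted(set(points) | {(0.0, 0.0)})
    xs = [x for x, _ in pts]
    rep = max(xs[0], min(xs[-1], rep))  # clamp to the defined range
    i = bisect_right(xs, rep)
    if i == len(xs):  # rep sits on the last defined point
        return pts[-1][1]
    (x0, y0), (x1, y1) = pts[i - 1], pts[i]
    return y0 + (y1 - y0) * (rep - x0) / (x1 - x0)

def compare(reps, points):
    """One row per reputation: (rep, discrete, prorated, interpolated)."""
    return [(r, discrete_weight(r), prorated_weight(r),
             interpolated_weight(r, points)) for r in reps]

# Constructed sample reputations on the thread's -1 (good) .. +1 (bad) scale.
SAMPLE_REPS = [-1.0, -0.4, -0.05, 0.05, 0.25, 0.75, 1.0]
# Two full-scale points plus one optional mid-point that flattens the slope
# for mildly bad senders (the mid-point value is a constructed illustration).
CURVE = [(-1.0, -5.0), (0.5, 2.0), (1.0, 10.0)]

if __name__ == "__main__":
    for row in compare(SAMPLE_REPS, CURVE):
        print("rep=%+.2f discrete=%+6.2f prorated=%+6.2f curve=%+6.2f" % row)
```

With only the two full-scale points defined, the interpolated result is identical to the prorated one; the discrete scheme gives a sender at +0.05 the same 10 points as one at +1.0.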
RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme
Hi Dave,

I'm breaking this into two discussions as they are two different topics.

The REAL point of Pete's input (and my suggestion) for SNFIPREP is that the reputation scale of -1 through +1 should NOT just result in either ONE positive or ONE negative weight option.

Your example:

IPREPUTATION SNFIPREP x 0 10 -5

only results in either a 10 being added or a 5 being subtracted. So you are turning a continuous scale of -1 to +1 into two discrete values - losing all the key benefits of having the reputation scale in the first place. You already have the SNFIP return codes, if someone wanted a fixed value for a particular level of reputation.

To really make use of the GBUdb, there should be a continuous weight from 0 to 10 for bad reputation and 0 through -5 for good reputation (using your sample of 10 and -5). Basically, for positive GBUdb values, multiply with the 10 (getting a value from 0 to 10 depending on how bad the reputation is), for negative values multiply with -5 to get a weight from 0 to -5 (depending on how good the IP is).

This would make the test really useful because it would only cause BIG weight changes for BIG GBUdb values.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, May 03, 2010 3:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for white listing

As Pete already provided input on this. I am not going to prolix the answer other than to say when implementing Message Sniffer we abided by Pete's advice:

Since many legitimate ISPs also produce a lot of spam it might be useful to apply a bias to this weight so that these systems appear closer to zero.

So currently we do not allow for a negative value as a BASEPOINT, with that said if you think it is really important to be able to use a negative value as you have described in your post, let me know and I can add it to the dev list.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com