Re: [sniffer] F001 Rule Bot Change
Thanks.

-Nick

Scott Fisher wrote:
> I'd say I get the least FPs on: warez (50), av push (49), advertising (56), insurance (48), and gambling (59).
> Most FPs on general (60), experimental (61) and travel (47).
>
> ----- Original Message -----
> From: "Pete McNeil" <[EMAIL PROTECTED]>
> To: "Nick Hayer"
> Sent: Thursday, March 09, 2006 9:54 AM
> Subject: Re[2]: [sniffer] F001 Rule Bot Change
>
> On Thursday, March 9, 2006, 10:04:17 AM, Nick wrote:
>
> NH> Hi Pete,
> >> It's a bit too early to know about the reliability of F001.
>
> NH> Understood - sorry I was not clear on this :)
> NH> I was referring to all your tests eg: printers, snake oil, what
> NH> have you. Which one do you have the most confidence in, maybe get
> NH> the least false positive reports on?
>
> I don't have hard data on that right now. My impression is that we get the fewest FP reports on Porn/Adult and also on Malware. My impression is that we get the most on group 63 - I think mostly because of IP rules from old bots. I don't have any other strong impressions at this time.
>
> I have it on the list to upgrade the FP processing bot - I will be providing it with behaviors to keep running statistics on rule locations at the time of report and other contextual data. This is not a high priority task - so it will be a while.
>
> Hope this helps,
>
> _M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: Re[2]: [sniffer] F001 Rule Bot Change
I'd say I get the least FPs on: warez (50), av push (49), advertising (56), insurance (48), and gambling (59).
Most FPs on general (60), experimental (61) and travel (47).

----- Original Message -----
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Nick Hayer"
Sent: Thursday, March 09, 2006 9:54 AM
Subject: Re[2]: [sniffer] F001 Rule Bot Change

> On Thursday, March 9, 2006, 10:04:17 AM, Nick wrote:
>
> NH> Hi Pete,
> >> It's a bit too early to know about the reliability of F001.
>
> NH> Understood - sorry I was not clear on this :)
> NH> I was referring to all your tests eg: printers, snake oil, what
> NH> have you. Which one do you have the most confidence in, maybe get
> NH> the least false positive reports on?
>
> I don't have hard data on that right now. My impression is that we get the fewest FP reports on Porn/Adult and also on Malware. My impression is that we get the most on group 63 - I think mostly because of IP rules from old bots. I don't have any other strong impressions at this time.
>
> I have it on the list to upgrade the FP processing bot - I will be providing it with behaviors to keep running statistics on rule locations at the time of report and other contextual data. This is not a high priority task - so it will be a while.
>
> Hope this helps,
>
> _M
Re[2]: [sniffer] F001 Rule Bot Change
On Thursday, March 9, 2006, 10:04:17 AM, Nick wrote:

NH> Hi Pete,
>> It's a bit too early to know about the reliability of F001.
>>
NH> Understood - sorry I was not clear on this :)
NH> I was referring to all your tests eg: printers, snake oil, what
NH> have you. Which one do you have the most confidence in, maybe get
NH> the least false positive reports on?

I don't have hard data on that right now. My impression is that we get the fewest FP reports on Porn/Adult and also on Malware. My impression is that we get the most on group 63 - I think mostly because of IP rules from old bots. I don't have any other strong impressions at this time.

I have it on the list to upgrade the FP processing bot - I will be providing it with behaviors to keep running statistics on rule locations at the time of report and other contextual data. This is not a high priority task - so it will be a while.

Hope this helps,

_M
Re: [sniffer] F001 Rule Bot Change
Hi Pete,

> It's a bit too early to know about the reliability of F001.

Understood - sorry I was not clear on this :)

I was referring to all your tests eg: printers, snake oil, what have you. Which one do you have the most confidence in, maybe get the least false positive reports on?

-Nick
Re[2]: [sniffer] F001 Rule Bot Change
On Thursday, March 9, 2006, 8:48:43 AM, Nick wrote:

NH> Hi Pete -
NH> Pete McNeil wrote:
>> Hello Sniffer Folks,
>>
>> The F001 Rule Bot has been adjusted.
>>
NH> Is it possible for you to recommend a percentage of accuracy or maybe
NH> better stated a percentage of delete weight for each rule? I am
NH> wondering which rules you feel are the weakest and which are the
NH> strongest. I am well aware 'mileage may vary' but just your thoughts on
NH> reliability would be insightful. Currently the rules I trust the most
NH> are at 90% of my hold weight which overall is less than 50% of my delete
NH> weight. Rules that I trust the least like general and experimental are
NH> at ~ 40% of my hold weight.

It's a bit too early to know about the reliability of F001. So far the number of false positives has fallen quite sharply and continues to fall from what I can see. In addition, the new constraints on F001 will cause it to be much more reliable still (w/ regard to FPs).

I would say that the most conservative weight for symbol 63 would be to weight it at the same weight as your average IP based blacklist. A more moderate position might have the lowest rated SNF tests at about 70% of your hold weight (this seems to be fairly common).

Hope this helps,

_M
Re: [sniffer] F001 Rule Bot Change
Hi Pete -

Pete McNeil wrote:
> Hello Sniffer Folks,
>
> The F001 Rule Bot has been adjusted.

Is it possible for you to recommend a percentage of accuracy or maybe better stated a percentage of delete weight for each rule? I am wondering which rules you feel are the weakest and which are the strongest. I am well aware 'mileage may vary' but just your thoughts on reliability would be insightful. Currently the rules I trust the most are at 90% of my hold weight which overall is less than 50% of my delete weight. Rules that I trust the least like general and experimental are at ~ 40% of my hold weight.

Thanks!

-Nick
Re: [sniffer] F001 Rule Bot Change
Good job, Pete. Through these changes we saw a minimal increase in false positives on one day, and detection seems to have improved as well.

Darin.

----- Original Message -----
From: "Pete McNeil" <[EMAIL PROTECTED]>
To:
Sent: Thursday, March 09, 2006 3:08 AM
Subject: [sniffer] F001 Rule Bot Change

> Hello Sniffer Folks,
>
> The F001 Rule Bot has been adjusted.
>
> The number of repeat offenses required for an IP to be listed has been increased.
>
> It's important to note also: Messages that are filtered out by other rules are excluded from this evaluation. Consequently, for an IP to be added to the F001 bot rules it must not only be seen quite a few times, but it must also be generating messages that are not filtered using other active rules.
>
> As part of this adjustment we removed approximately 2 IP rules that had shown either weak or no activity since they were created. This may cause rulebase file sizes to change noticeably.
>
> Thanks,
>
> _M
>
> Pete McNeil (Madscientist)
> President, MicroNeil Research Corporation
> Chief SortMonster (www.sortmonster.com)
> Chief Scientist (www.armresearch.com)
[sniffer] F001 Rule Bot Change
Hello Sniffer Folks,

The F001 Rule Bot has been adjusted.

The number of repeat offenses required for an IP to be listed has been increased.

It's important to note also: Messages that are filtered out by other rules are excluded from this evaluation. Consequently, for an IP to be added to the F001 bot rules it must not only be seen quite a few times, but it must also be generating messages that are not filtered using other active rules.

As part of this adjustment we removed approximately 2 IP rules that had shown either weak or no activity since they were created. This may cause rulebase file sizes to change noticeably.

Thanks,

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)
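The listing logic Pete describes (count repeat offenses per IP, but only for messages no other active rule already caught, and prune IP rules that have seen no activity), as an added illustration that is not Message Sniffer's own code. The log records, the thresholds of 2 and 4, and the function names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample log using documentation-range IPs, not real traffic.
# Each record: (source IP, was this message already caught by another active rule?)
SAMPLE_LOG = [
    ("203.0.113.5", False), ("203.0.113.5", False), ("203.0.113.5", True),
    ("203.0.113.5", False), ("203.0.113.5", False),
    ("198.51.100.7", True), ("198.51.100.7", True), ("198.51.100.7", True),
    ("192.0.2.9", False), ("192.0.2.9", False),
]


def f001_candidates(records, min_offenses):
    """Return the IPs whose count of *unfiltered* messages reaches min_offenses.

    A message already caught by another active rule does not count toward the
    IP's repeat-offense tally, so an IP that is seen often but always caught
    elsewhere (198.51.100.7 above) is never listed, whatever the threshold.
    """
    counts = defaultdict(int)
    for ip, caught_by_other_rule in records:
        if caught_by_other_rule:
            continue
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= min_offenses)


def prune_inactive_rules(ip_rules, hits_since_created, min_hits=1):
    """Drop IP rules that have shown weak or no activity since creation."""
    return {ip for ip in ip_rules if hits_since_created.get(ip, 0) >= min_hits}


if __name__ == "__main__":
    # Hypothetical thresholds: 2 before the adjustment, 4 after it.
    print("listed at threshold 2:", f001_candidates(SAMPLE_LOG, 2))
    print("listed at threshold 4:", f001_candidates(SAMPLE_LOG, 4))
    print("kept after pruning:", prune_inactive_rules(
        {"203.0.113.5", "192.0.2.9", "198.51.100.250"},
        {"203.0.113.5": 12, "192.0.2.9": 0}))
```

Raising the threshold drops 192.0.2.9 (two unfiltered messages) from the list while 203.0.113.5 (four unfiltered out of five seen) stays, which is the effect the announcement describes.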