[sniffer] Re: How to incorporate a white list?

2007-04-04 Thread Pete McNeil

Hello Jonathan,

Wednesday, April 4, 2007, 10:41:19 AM, you wrote:

> I do not think that anyone was asking the F001 bot to be disabled.  Are you doing this for upgrading purposes or because there appeared to be an error with it?  A single false positive as described, in my opinion, is no cause for alarm.  Any time something changes, there is a potential for error, so please be careful in any attempts to implement suggestions from the community without evaluating all of the possibilities.  Personally, I like the way the system is working.  However, if it is possible to decrease FPs while maintaining the high level of accuracy in blocking spam, that is always welcome.

The F001 bot is facing a no-win scenario. It cannot be upgraded at this time, and even if that decision were to be reversed, there are problems with the whole concept of long-term blocking by IP of the type accomplished by F001:

* Increasingly, hacked systems are used to send spam through major ISPs and email systems (even with full authentication hijacked from the hacked bots) - so the source data for the F001 bot (clean spamtraps) is increasingly compromised. That is - even though real spam is being sent through systems like aol, gmail, etc, it is not acceptable to block those systems based on IP data -- that is, after all, why the blackhats are moving in this direction.

* IP data constantly changes without notice. More than half of the false positives levied against IP rules are due to older IPs that have been reassigned, to systems that have since cleaned up their act, or to IPs that at one point generated spam and now do not. Though these are not generally caused by the F001 bot, they do point out that the IP space has become so dynamic that any kind of long-lived IP blocking will only be increasingly non-viable.

* The GBUdb engine will be coming on-line soon enough and it will replace the function of the F001 bot with a better, more dynamic system that follows the real-time activities of IP sources.

Since there is no short-term fix for the F001 bot, since its functions will continue to be compromised long term, and since even a low rate of false positives like these recent reports is clearly unacceptable, the best choice at this time is to remove the F001 bot from service.

The IP rules that are currently in place will remain active, and on occasion additional IP rules may be added through other mechanisms. The IP rule group should not appreciably degrade between now and full deployment of the GBUdb features in SNF - so the net result should be positive.

In the end, we (the entire SNF team) want to be responsive and proactive. Given the circumstances - disabling F001 appears to be the best choice.

If conditions change then we can always reactivate the device.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
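
The three points above (spam relayed through shared legitimate infrastructure, reassigned or cleaned-up addresses, and a replacement that follows real-time behaviour) can be shown side by side in a small simulation. The following is an added illustration written for this thread; it is not code from SNF, the F001 bot or GBUdb, and the half-life, threshold, addresses and event timeline are constructed assumptions. It replays a synthetic event log into a static "block forever" list and into a per-IP reputation whose spam and ham weights decay over time, and compares the two verdicts at the moments where the thread says long-lived blocking goes wrong.

```python
"""Static IP blocklist versus time-decaying IP reputation.

Added illustration for the mailing-list thread; not SNF, GBUdb or F001 code.
It models the two failure modes described for long-lived IP blocking
(reassigned or cleaned-up addresses, and spam relayed through shared
legitimate infrastructure) and shows why a verdict that ages out avoids them.
The half-life, threshold, addresses and event timeline are constructed.
"""
from dataclasses import dataclass, field

HALF_LIFE_SECONDS = 6 * 3600  # assumption: a spam verdict loses half its weight every 6 hours
BLOCK_THRESHOLD = 3.0         # assumption: decayed spam weight needed before blocking


class StaticBlocklist:
    """Long-lived IP block: once an address emits spam it stays listed."""

    def __init__(self):
        self.blocked = set()

    def record_spam(self, ip, now):
        self.blocked.add(ip)

    def record_ham(self, ip, now):
        pass  # legitimate traffic never clears a static entry

    def should_block(self, ip, now):
        return ip in self.blocked


@dataclass
class DecayingReputation:
    """Per-IP spam and ham weights that decay exponentially toward zero."""

    half_life: float = HALF_LIFE_SECONDS
    threshold: float = BLOCK_THRESHOLD
    # ip -> (spam weight, ham weight, timestamp the weights were last updated)
    state: dict = field(default_factory=dict)

    def _decayed(self, ip, now):
        spam, ham, ts = self.state.get(ip, (0.0, 0.0, now))
        factor = 0.5 ** ((now - ts) / self.half_life)
        return spam * factor, ham * factor

    def record_spam(self, ip, now):
        spam, ham = self._decayed(ip, now)
        self.state[ip] = (spam + 1.0, ham, now)

    def record_ham(self, ip, now):
        spam, ham = self._decayed(ip, now)
        self.state[ip] = (spam, ham + 1.0, now)

    def should_block(self, ip, now):
        spam, ham = self._decayed(ip, now)
        # Block only while recent spam is both substantial and clearly dominates
        # recent legitimate mail from the same address.
        return spam >= self.threshold and spam > 2.0 * ham


# Constructed timeline (seconds). 203.0.113.7 spams briefly, then two days later
# the address has been reassigned to a legitimate sender. 198.51.100.20 is a
# shared relay carrying mostly legitimate mail plus one hijacked message.
EVENTS = [
    (0, "203.0.113.7", "spam"),
    (600, "203.0.113.7", "spam"),
    (1200, "203.0.113.7", "spam"),
    (1800, "203.0.113.7", "spam"),
    (2400, "203.0.113.7", "spam"),
    (172800, "203.0.113.7", "ham"),
    (172900, "203.0.113.7", "ham"),
    (0, "198.51.100.20", "ham"),
    (600, "198.51.100.20", "ham"),
    (1200, "198.51.100.20", "ham"),
    (1800, "198.51.100.20", "spam"),
]


def decision_at(factory, events, ip, now):
    """Replay every event up to `now` into a fresh tracker and ask its verdict."""
    tracker = factory()
    for ts, event_ip, verdict in sorted(events):
        if ts > now:
            break
        if verdict == "spam":
            tracker.record_spam(event_ip, ts)
        else:
            tracker.record_ham(event_ip, ts)
    return tracker.should_block(ip, now)


def compare(ip, now, events=EVENTS):
    """Return (static verdict, decaying verdict) for one address at one instant."""
    return (decision_at(StaticBlocklist, events, ip, now),
            decision_at(DecayingReputation, events, ip, now))


if __name__ == "__main__":
    for ip, when in [("203.0.113.7", 2400), ("203.0.113.7", 172900), ("198.51.100.20", 1800)]:
        static, decaying = compare(ip, when)
        print(f"{ip:>15} t={when:>6}: static={static!s:5} decaying={decaying}")
```

Both trackers block 203.0.113.7 while it is actively spamming. Two days later the static list still blocks the reassigned address (the false positive the thread describes), whereas the decayed spam weight has fallen far below the threshold and the new legitimate traffic is allowed through. The shared relay 198.51.100.20 is never blocked by the decaying tracker because its recent legitimate volume outweighs the single hijacked message, while the static list lists it on the first spam.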



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



[sniffer] Re: How to incorporate a white list?

2007-04-04 Thread Jonathan Hickman
I do not think that anyone was asking the F001 bot to be disabled.  Are you 
doing this for upgrading purposes or because there appeared to be an error with 
it?  A single false positive as described, in my opinion, is no cause for 
alarm.  Any time something changes, there is a potential for error, so please 
be careful in any attempts to implement suggestions from the community without 
evaluating all of the possibilities.  Personally, I like the way the system is 
working.  However, if it is possible to decrease FPs while maintaining the high 
level of accuracy in blocking spam, that is always welcome.

  - Original Message - 
  From: Pete McNeil 
  To: Message Sniffer Community 
  Sent: Wednesday, April 04, 2007 10:26 AM
  Subject: [sniffer] Re: How to incorporate a white list?


  The F001 bot will be disabled until further notice.

  _M

  -- 
  Pete McNeil
  Chief Scientist,
  Arm Research Labs, LLC.





[sniffer] Re: How to incorporate a white list?

2007-04-04 Thread Pete McNeil

The F001 bot will be disabled until further notice.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


