Re: Uptick in false negatives - filter check?

2013-11-08 Thread Rob McEwen
On 11/7/2013 6:00 PM, Owen Mehegan wrote:
> Thanks in advance for any advice anyone can offer!

fwiw, of the 4 spam examples, ivmURI had blacklisted one or more domains
in ALL 4 out of 4 samples at least several minutes BEFORE those spams
hit your server (some days or weeks before).

In a large portion of those (1/2 or more), I'm fairly sure that ivmURI
was the ONLY URI/domain blacklist to have the domain blacklisted at the
time the message hit your network. (I'm unable to verify if DBL had
caught it at that time and/or some of those could have been a game of
inches where ivmURI and other lists had just listed it moments before
and it would be somewhat of a propagation issue... but, overall, I think
if I provided the date/times that these were blacklisted on ivmURI...
that assertion would check out and the raw data would be rather
impressive!)

If you keep seeing these, check the domains on multirbl.valli.org ...and
you'll see in real time what I'm talking about!

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032



Uptick in false negatives - filter check?

2013-11-07 Thread Owen Mehegan
Posted this to the wrong/no list (via Nabble) yesterday...

I've seen an uptick in false negatives lately, and the spam that is getting
through is all the same stuff repeatedly. If anyone would be willing to run
these samples through their filters and let me know if they get better
hits, I would appreciate it. There are three at
http://nerdnetworks.org/spam/

I'm using SA 3.3.1, with Bayes, etc. I also have greylisting on my system
with a 15 minute delay, and surprisingly the first sample in this group now
hits a bunch of RBLs and scores 5, but apparently the 15 minute delay
wasn't enough time for that to help me. I've also been training my Bayes DB
on these types of messages for a few days, but they still keep getting
through. I used to hear that if your Bayes DB gets too big it can become
ineffective. I don't know if that's true or not, but here's my '--dump
magic' output:

0.000  0  3  0  non-token data: bayes db version
0.000  0  62157  0  non-token data: nspam
0.000  0 176680  0  non-token data: nham
0.000  0 144331  0  non-token data: ntokens
0.000  0 1383022790  0  non-token data: oldest atime
0.000  0 1383770853  0  non-token data: newest atime
0.000  0 1383766433  0  non-token data: last journal sync atime
0.000  0 1383685115  0  non-token data: last expiry atime
0.000  0 662551  0  non-token data: last expire atime delta
0.000  0  19902  0  non-token data: last expire reduction count

Looking at my spamd log, out of 1300 messages classified as spam, 566 hit
BAYES_9* and 391 hit BAYES_5*.

Thanks in advance for any advice anyone can offer!




--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/Uptick-in-false-negatives-filter-check-tp107090.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
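The post above gives raw `sa-learn --dump magic` figures and a hand count of BAYES_* hits in the spamd log. The script below is an added example (not part of the thread and not SpamAssassin's own code) that turns both into a quick health check: it parses the dump lines exactly as posted, computes the ham:spam ratio, how full the token database is relative to `bayes_expiry_max_db_size` (assumed at SpamAssassin's documented default of 150000), how recent the last expiry and journal sync were, and then tallies spam verdicts by BAYES family from `spamd: result:` log lines. The spamd lines are constructed samples in the standard spamd log layout; the counts they produce are therefore illustrative, not the poster's 1300/566/391.

```python
"""Bayes health check from `sa-learn --dump magic` output plus a BAYES_* tally
from spamd result lines.  Added example; the dump text is the figures posted
in the thread, the spamd log lines are constructed samples."""
import re
from collections import Counter

# The ten "non-token data" lines from the post, unwrapped.
DUMP_MAGIC = """\
0.000  0  3  0  non-token data: bayes db version
0.000  0  62157  0  non-token data: nspam
0.000  0 176680  0  non-token data: nham
0.000  0 144331  0  non-token data: ntokens
0.000  0 1383022790  0  non-token data: oldest atime
0.000  0 1383770853  0  non-token data: newest atime
0.000  0 1383766433  0  non-token data: last journal sync atime
0.000  0 1383685115  0  non-token data: last expiry atime
0.000  0 662551  0  non-token data: last expire atime delta
0.000  0  19902  0  non-token data: last expire reduction count
"""

# Constructed spamd "result:" lines (standard spamd log layout, made-up values).
SPAMD_LOG = """\
Nov  7 10:01:02 mx spamd[2201]: spamd: result: Y 12 - BAYES_99,HTML_MESSAGE,URIBL_BLOCKED scantime=1.1,size=4021,user=owen,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51234,mid=<c1@example.invalid>,bayes=0.999900,autolearn=spam
Nov  7 10:03:15 mx spamd[2201]: spamd: result: Y 7 - BAYES_95,RDNS_NONE scantime=0.8,size=2210,user=owen,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51240,mid=<c2@example.invalid>,bayes=0.970000,autolearn=no
Nov  7 10:05:40 mx spamd[2201]: spamd: result: Y 6 - BAYES_50,RCVD_IN_XBL,URIBL_BLOCKED scantime=0.9,size=3100,user=owen,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51251,mid=<c3@example.invalid>,bayes=0.520000,autolearn=no
Nov  7 10:09:03 mx spamd[2201]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,RCVD_IN_PBL scantime=1.0,size=2980,user=owen,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51262,mid=<c4@example.invalid>,bayes=0.500000,autolearn=no
Nov  7 10:11:27 mx spamd[2201]: spamd: result: Y 8 - RCVD_IN_XBL,URIBL_BLOCKED scantime=0.7,size=1800,user=owen,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51270,mid=<c5@example.invalid>,autolearn=no
Nov  7 10:12:59 mx spamd[2201]: spamd: result: N -1 - BAYES_00,HTML_MESSAGE scantime=0.6,size=5400,user=owen,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51281,mid=<h1@example.invalid>,bayes=0.000100,autolearn=ham
"""

MAGIC_RE = re.compile(r"^\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data: (.+)$")
RESULT_RE = re.compile(r"spamd: result: ([YN]) (-?\d+) - (\S+)")

# Assumed configuration: SpamAssassin's documented defaults for the expiry cap
# and for the minimum training counts before Bayes scores at all.
DEFAULT_MAX_DB_SIZE = 150000
MIN_TRAINED = 200


def parse_dump_magic(text):
    """Return {field name: int} for every 'non-token data' line in the dump."""
    fields = {}
    for line in text.splitlines():
        m = MAGIC_RE.match(line.strip())
        if m:
            fields[m.group(2).strip()] = int(m.group(1))
    return fields


def bayes_health(fields, max_db_size=DEFAULT_MAX_DB_SIZE):
    """Derive the few numbers worth looking at, plus plain-language warnings."""
    nspam, nham, ntokens = fields["nspam"], fields["nham"], fields["ntokens"]
    newest = fields["newest atime"]  # treat the newest token atime as "now"
    report = {
        "ham_to_spam_ratio": round(nham / nspam, 2),
        "db_fill_pct": round(100 * ntokens / max_db_size, 1),
        "hours_since_expiry": round((newest - fields["last expiry atime"]) / 3600, 1),
        "hours_since_journal_sync": round((newest - fields["last journal sync atime"]) / 3600, 1),
        "last_expire_window_days": round(fields["last expire atime delta"] / 86400, 1),
        "warnings": [],
    }
    if nspam < MIN_TRAINED or nham < MIN_TRAINED:
        report["warnings"].append("too few trained messages; Bayes is not scoring yet")
    if report["db_fill_pct"] >= 90:
        report["warnings"].append(
            f"ntokens is {report['db_fill_pct']}% of bayes_expiry_max_db_size; "
            "expiry will keep trimming the database, so freshly trained tokens may be short-lived")
    if report["hours_since_journal_sync"] > 24:
        report["warnings"].append("journal has not been synced for over a day; check bayes_journal settings")
    return report


def bayes_bucket_counts(log_text):
    """Count spam verdicts (result: Y) by BAYES family: BAYES_9*, BAYES_5*, ... or 'none'."""
    total, buckets = 0, Counter()
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m or m.group(1) != "Y":
            continue
        total += 1
        rules = [] if m.group(3).startswith("scantime=") else m.group(3).split(",")
        bayes = [r for r in rules if r.startswith("BAYES_")]
        buckets[bayes[0][:7] + "*" if bayes else "none"] += 1
    return total, buckets


if __name__ == "__main__":
    health = bayes_health(parse_dump_magic(DUMP_MAGIC))
    for key, value in health.items():
        print(f"{key}: {value}")
    total, buckets = bayes_bucket_counts(SPAMD_LOG)
    print(f"{total} spam verdicts: {dict(buckets)}")
```

Run against the posted figures this reports a database at roughly 96% of the assumed 150000-token cap, which is why the "last expire reduction count" is in the tens of thousands: tokens trained on the current campaign can be expired again soon after they are learned, and raising `bayes_expiry_max_db_size` (or training more of the new spam before the next expiry) is the usual response.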


Re: Uptick in false negatives - filter check?

2013-11-07 Thread Kris Deugau
Owen Mehegan wrote:
> Posted this to the wrong/no list (via Nabble) yesterday...
>
> I've seen an uptick in false negatives lately, and the spam that is getting
> through is all the same stuff repeatedly. If anyone would be willing to run
> these samples through their filters and let me know if they get better
> hits, I would appreciate it. There are three at
> http://nerdnetworks.org/spam/

(spam4.txt is inaccessible)

I notice URIBL_BLOCKED hits;  check that you're either using your own
resolver with less than 100K messages/day, or that you're properly set
up for datafeed.  Or just disable the uribl.com rules.  (We found that
while they were usefully increasing our overall catch rate, the increase
was not worth the cost of the datafeed [it came out to somewhere between
one and five dollars a spam for the ones that the uribl.com hit was key
in getting the message tagged], so we disabled the rules.)

Beyond that I've started creating very simple rules targeting the
Subject and From: name in this type of spam, along with extracting the
relay IP and URIs for local DNSBLs.  It's moderately effective once I've
confirmed enough volume for any given Subject or name to feel it's worth
creating a rule...

-kgd
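The reply above describes two local measures: simple rules pinned to the Subject and From: name of a repeating campaign, and feeding the relay IP and the URIs from caught samples into local DNSBLs. The script below is an added example of that workflow (not from the thread, not SpamAssassin's or any listed project's code). It takes a constructed message, finds the IP that handed the message to our MX by walking the Received: headers until it reaches one written by a host in an assumed `OUR_HOSTS` set with a source address outside assumed `TRUSTED_NETS`, pulls the URI hostnames from the body, emits BIND-style A/TXT records for assumed local zones `bl.example.org` and `uribl.example.org`, and generates a minimal SpamAssassin header/meta rule from the From display name and Subject. The zone names, host names and the rule's score are placeholders; the `From:name` header selector and the `127.0.0.2` answer convention are standard SpamAssassin and DNSBL practice.

```python
"""Extract the connecting relay IP, URI hosts, and a Subject/From signature from a
message and turn them into local DNSBL zone records and a simple SpamAssassin rule.
Added example; message, host names and zone names are constructed."""
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample: an internal LMTP hop on top, then the external relay that connected to our MX.
SAMPLE_MESSAGE = b"""\
Received: from mx.example.org (mx.example.org [10.0.0.5])
\tby store.example.org (Dovecot) with LMTP id 789
\tfor <owen@example.org>; Thu, 7 Nov 2013 10:01:02 -0500
Received: from relay.spam-example.invalid (unknown [203.0.113.45])
\tby mx.example.org (Postfix) with ESMTP id 456
\tfor <owen@example.org>; Thu, 7 Nov 2013 10:00:58 -0500
From: "Great Deals" <deals@spam-example.invalid>
To: owen@example.org
Subject: Your Exclusive Offer Awaits
Content-Type: text/plain; charset=us-ascii

Claim your prize at http://WWW.Spam-Example.invalid/offer?id=7 or
https://tracker.example.invalid:8443/x before midnight.
"""

# Assumed local topology: hosts whose Received: headers we trust, and the
# networks those hosts live on (the same idea as SpamAssassin's trusted_networks).
OUR_HOSTS = {"mx.example.org", "store.example.org"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]

BY_RE = re.compile(r"\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URI_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def parse_message(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def relay_ip(msg, our_hosts=OUR_HOSTS, trusted=TRUSTED_NETS):
    """First Received: header written by one of our hosts whose 'from' address is not ours."""
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold the header
        by, ip = BY_RE.search(text), IP_RE.search(text)
        if not by or not ip or ip.start() > by.start() or by.group(1) not in our_hosts:
            continue
        addr = ipaddress.ip_address(ip.group(1))
        if any(addr in net for net in trusted):
            continue  # internal hop, keep walking down
        return str(addr)
    return None


def normalize_host(host):
    """Lowercase, drop a trailing dot and a leading 'www.' (a public-suffix list would go further)."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def uri_hosts(msg):
    """Hostnames of every http(s) URI in the text body, normalized and de-duplicated."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = {normalize_host(urlsplit(u).hostname) for u in URI_RE.findall(text) if urlsplit(u).hostname}
    return sorted(hosts)


def zone_records(ip, hosts, ip_zone="bl.example.org", uri_zone="uribl.example.org",
                 reason="listed by local policy: repeated campaign"):
    """BIND-style records: reversed-octet name for the IP zone, plain host for the URI zone."""
    records = []
    if ip:
        rev = ".".join(reversed(ip.split(".")))
        records += [f"{rev}.{ip_zone}. IN A 127.0.0.2", f'{rev}.{ip_zone}. IN TXT "{reason}"']
    for h in hosts:
        records += [f"{h}.{uri_zone}. IN A 127.0.0.2", f'{h}.{uri_zone}. IN TXT "{reason}"']
    return records


def campaign_signature(msg):
    """(From display name, Subject) as the key for a hand-written rule."""
    return msg["From"].addresses[0].display_name, str(msg["Subject"])


def sa_header_rule(name, from_name, subject, score=3.0):
    """Minimal SpamAssassin rule: both header tests must match; regex metacharacters escaped for Perl."""
    esc = lambda s: re.sub(r"([^\w\s])", r"\\\1", s)
    return "\n".join([
        f"header   __{name}_FROM  From:name =~ /^{esc(from_name)}$/i",
        f"header   __{name}_SUBJ  Subject =~ /^{esc(subject)}$/i",
        f"meta     {name}         __{name}_FROM && __{name}_SUBJ",
        f"score    {name}         {score}",
    ])


if __name__ == "__main__":
    m = parse_message(SAMPLE_MESSAGE)
    ip, hosts = relay_ip(m), uri_hosts(m)
    print("\n".join(zone_records(ip, hosts)))
    print(sa_header_rule("LOCAL_OFFER_CAMPAIGN", *campaign_signature(m)))
```

The relay walk matters more than it looks: the topmost Received: header is usually an internal hop, and listing that address in the local DNSBL would block your own mail store. The rule generator anchors both patterns with `^...$`, so a campaign that varies its Subject by a single character escapes it; that is the trade-off the reply alludes to when it waits for "enough volume" before writing a rule.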


Re: Uptick in false negatives - filter check?

2013-11-07 Thread Owen Mehegan
Thanks for your response! My server is in EC2, and it appears that URIBL
blanketly refuses requests from there. I set up a caching DNS server locally
and tried routing my requests through that, but they were still rejected. Too many
spammers using EC2 I guess.

As for your other suggestion, isn't that the point of Bayesian filtering? I 
keep getting similar messages, training my bayes db on them, and then more get 
through. 


-- 
Sent from Kaiten Mail. Please excuse my brevity.




Re: Uptick in false negatives - filter check?

2013-11-07 Thread Owen Mehegan
Oh, and I fixed spam4.txt to be accessible, sorry about that. 
-- 
Sent from Kaiten Mail. Please excuse my brevity.


