RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate

2010-05-01 Thread David Barker
My quick response.

The out of the box Declude customer CAN use the samples given. The extra 
scoring ensures that bad IPs are eliminated as spam. It would be the same 
as placing an extra high score on a specific test. Pete's notes suggest:

63 - Black
Systems should usually quarantine or reject messages produced by this IP.

20 - Truncate
Systems should usually refuse connections from this IP.

Which means for the majority of our customers an exaggerated score on these 
messages is fine. (I will have to check on Monday, but I don't believe it 
triples the score; I think the max would be 2 tests based on the same 
information.) Unfortunately a large portion of our customers today do not 
understand or even care about the details. The beauty of Declude is that 
you are welcome to score tests however you feel appropriate for your email 
server.

I do agree with you that it could be made more clear, but to advise the 
list NOT to use the current Declude settings is your opinion. What would be 
helpful is making a suggestion as to what settings you use based on your 
results.

David


From: Andy Schmidt andy_schm...@hm-software.com
Sent: Friday, April 30, 2010 9:26 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate

Thanks Pete - that confirms what I feared.

Declude's own sample should NOT be used as is because it duplicates the IP
results (at minimum)

 The SNFIPREP test gives you a variable weight based on the IP reputation
 in GBUdb. This allows you to get some weighting positively or negatively
 based on the reputation even when that reputation is not in one of the
 defined GBUdb envelopes.

Yes - according to Dave's explanation earlier today, Declude will get a
decimal number between -1 and +1. Their Sample/Default configuration treats
0 as normal, treats anything negative as GOOD (and subtracts 5 points)
and anything positive as BAD (and adds 10 points).

So - even though Sniffer returns information on a very graduated scale,
Declude then returns 3 discrete numbers. In fact, 0 is only returned for 10%
of the range - 90% of the range returns either -5 or 10.

 I presume that even when SNFIP does return Caution, Black, or Truncate
 that SNFIPREP continues to work and in that case will provide some shading
 to those values... so, if you will, more or less Black, etc.

Based on Dave's explanation, Caution, Black and Truncate would
certainly always return a value > 0. Consequently, 10 would ALWAYS be
added to the weight for those 3 reputations.

Their default example basically TRIPLES the 10 weight that is assigned in
many cases (once for SNFIP, once for SNFIPREP, and once for SNF).

Let's see if Dave chips in - but it certainly seems to me that Declude's
Sniffer sample/default config should NOT be used (because it doesn't do what
an innocent user might expect). It's not at all clear that after all
their Sniffer rules, 30 would be added to the weight in several cases.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, April 30, 2010 7:07 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs.
Sniffer Truncate

On 4/30/2010 5:16 PM, Andy Schmidt wrote:
 Hi Pete,

 I'm looking over Declude's recommended Sniffer configuration and trying to
 understand how much overlap there is between these options:

 IPREPUTATION     SNFIPREP x 0  10 -5

 SNFIPCAUTION     SNFIP    x 4  5  0
 SNFIPBLACK       SNFIP    x 5  10 0
 SNFIPTRUNCATE    SNFIP    x 6  10 0

 SNFTRUNCATE      SNF      x 20 10 0
 SNIFFER-IP-RULES SNF      x 63 10 0

 Looking at the Sniffer documentation IP test result codes
 http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
 it seems that the SNFIP tests for 4, 5 and 6 (SNFIPCAUTION,
 SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.


I am not intimately familiar with Declude's configuration and SNF 
integration --- not like I used to be anyway (s many platforms now).

I _think_ these tests work like this:

The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. It's a subtle nudge in the right direction.

The SNFIP test gives you a hard result code based only on the IP 
reputation when that reputation is within one of the envelopes defined 
for GBUdb. So if the IP reputation is in the Caution, Black, or Truncate 
range then that test will fire.

Presumably all of the IP tests happen before SNF scans

RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate -- SUGGESTION

2010-05-01 Thread Andy Schmidt
Hi Dave,

Oh, I think it's not just an opinion. Especially the SNFIPREP sample seems
to reduce the weight for 45% of all emails - when we all know that 98% are
spam. But, let's look at the facts, and then you can correct me where I got
them wrong so that either one of us can learn from their mistake.

 

 I don't believe it triples the score I think the max would be 2 tests
 based on the same information

1. A black or truncate will trigger

a) The SNF test (either Truncate or IP Rules)

b) The SNFIP test (either Truncate or Black)

c) The SNFIPreputation test (because Truncate or Black will NOT have a
Good or Neutral reputation)

It is therefore my belief that the score is tripled - or where am I
thinking wrong?

 

Now - this may actually be a somewhat desirable outcome (because the mail will
be blocked) - I do agree with you on that. But, it can result in an undesirable
outcome once customers attempt to slightly adjust the default settings
without realizing that some tests are triplicated.

 

 What would be helpful is making a suggestion to what settings you use
 based on your results

2. Fair enough, my suggestion would obviously have to be to comment
out the two redundant SNF rules and let SNFIP handle the IP scoring part -
and increase those weights if you don't like them to be just 10 (remember, if
the content SNF tests find a match, THAT score will also be added!)

SNFIPBLACK       SNFIP x 5  20 0
SNFIPTRUNCATE    SNFIP x 6  30 0

# SNFTRUNCATE      SNF x 20 10 0
# SNIFFER-IP-RULES SNF x 63 10 0

This way, your users can SEE that the SNF options exist and how they would
be coded, but would realize that they have to research the implications
first before removing the comment.

 

3. I suspect that the biggest problem is the SNFIPREP test - but I'm
waiting for Pete to give some input. The way I understand your email from
Thursday about your algorithm, it potentially assigns 10% of all emails a
score of 0, it potentially assigns 45% of ALL emails a score of -5. And it
adds a weight of 10 to the remaining 45% of all emails - which also seems
rather arbitrary. (Disclaimer: What we don't know is the distribution
curve: is it a bell curve, where the majority fall into the range of -0.05
to +0.05 and very few fall on the + or - side? Or is the distribution some
logarithmic curve, that has very few on the good side, a moderate
frequency in the middle and then increases sharply the further it gets on the
bad side?)
Now, maybe you analyzed the distribution curve before you developed this
sample?

 

Until all these crucial questions are resolved (I wouldn't want to reduce
the weight for a totally unknown percentage of all the spam!) I would
comment it out for sure:

 

# IPREPUTATION SNFIPREP x 0 10 -5

 

But, I have a really good suggestion on how to make this entire test more
usable:

 

The whole point of the reputation scale (between -1 and +1) is to allow
Sniffer customers a graduated response - not just 2 values for 90% of the
number scale. My suggestion would be to slightly enhance your formula by
multiplying the reputation value with the assigned weight (after shifting
it for the base score). THEN I think this test would be useful, because it
would actually produce a sliding scale of weights based on the reputation
scale. In other words:

(( Abs(Reputation Value) * 10 ) - Base Value) * [Pos or Neg] WeightFactor = Final Weight

 

For this line:

 

# IPREPUTATION SNFIPREP x 0 2 -1

 

it would result in weights between +20 and -10 - which is in line with what the
reputation scale was intended to provide:

 

Reputation 0.0: ( ( 0.0 * 10 ) - 0 ) * 2 = 0

Reputation 0.3: ( ( 0.3 * 10 ) - 0 ) * 2 = 6
Reputation 1.0: ( ( 1.0 * 10 ) - 0 ) * 2 = 20

Reputation -0.3: ( ( 0.1 * 10 ) - 0 ) * -1 = -3
Reputation -1.0: ( ( 1.0 * 10 ) - 0 ) * -1 = -10

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Saturday, May 01, 2010 10:11 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs.
Sniffer Truncate

 

My quick response.

The out of the box Declude customer CAN use the samples given. The extra
scoring ensures that bad IPs are eliminated as spam. It would be the same
as placing an extra high score on a specific test. Pete's notes suggest:

63 - Black
Systems should usually quarantine or reject messages produced by this IP.

20 - Truncate
Systems should usually refuse connections from this IP.

Which means for the majority of our customers an exaggerated score on these
messages is fine. (I will have to check on Monday, but I don't believe it
triples the score; I think the max would be 2 tests based on the same
information.) Unfortunately a large portion of our customers today do not
understand or even care about the details. The beauty of Declude
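
The overlap Andy describes (SNF, SNFIP and SNFIPREP all firing for one Black or Truncate IP) and his sliding-scale formula, modelled as an added Python illustration; this is not Declude's or Sniffer's code. It assumes the sample line is read as Andy describes it (a constructed dead band of |reputation| <= 0.05 scores the base value, negative scores -5, positive scores 10) and that a Black IP yields SNFIP code 5 with the SNF result forced to 63, as Pete explains.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One line of the Declude Sniffer config as quoted in the thread."""
    name: str     # Declude test name, e.g. SNFIPBLACK
    test: str     # SNF, SNFIP or SNFIPREP
    code: int     # result code matched; for SNFIPREP this is the base value
    weight: int   # weight added when the test fires; for SNFIPREP the positive weight
    neg: int = 0  # SNFIPREP only: weight for a negative reputation


# Declude's sample, as quoted by Andy.
SAMPLE = [
    Rule("IPREPUTATION", "SNFIPREP", 0, 10, -5),
    Rule("SNFIPCAUTION", "SNFIP", 4, 5),
    Rule("SNFIPBLACK", "SNFIP", 5, 10),
    Rule("SNFIPTRUNCATE", "SNFIP", 6, 10),
    Rule("SNFTRUNCATE", "SNF", 20, 10),
    Rule("SNIFFER-IP-RULES", "SNF", 63, 10),
]
# Andy's suggestion: SNF rows and IPREPUTATION commented out, SNFIP weights raised.
SUGGESTED = [
    Rule("SNFIPCAUTION", "SNFIP", 4, 5),
    Rule("SNFIPBLACK", "SNFIP", 5, 20),
    Rule("SNFIPTRUNCATE", "SNFIP", 6, 30),
]

DEAD_BAND = 0.05  # assumption: |reputation| <= 0.05 is the "10% of the range" scored 0


def snfiprep_sample(rep, rule):
    """Declude's default as Andy reads it: only three distinct outputs."""
    if abs(rep) <= DEAD_BAND:
        return rule.code  # base value, 0 in the sample
    return rule.weight if rep > 0 else rule.neg


def snfiprep_sliding(rep, rule):
    """Andy's proposal: ((|rep| * 10) - base) * positive-or-negative factor."""
    if rep == 0:
        return 0
    factor = rule.weight if rep > 0 else rule.neg
    return round((abs(rep) * 10 - rule.code) * factor, 6)


def score(rep, snfip_code, snf_code, config, rep_scorer=snfiprep_sample):
    """Return (total weight, [(test name, weight), ...]) for one message."""
    fired = []
    for rule in config:
        if rule.test == "SNFIPREP":
            fired.append((rule.name, rep_scorer(rep, rule)))
        elif rule.test == "SNFIP" and rule.code == snfip_code:
            fired.append((rule.name, rule.weight))
        elif rule.test == "SNF" and rule.code == snf_code:
            fired.append((rule.name, rule.weight))
    return sum(w for _, w in fired), fired


if __name__ == "__main__":
    # Constructed case: a Black IP, reputation +0.6, so SNFIP returns 5 and
    # GBUdb forces the SNF result code to 63 (per Pete's description).
    print(score(0.6, 5, 63, SAMPLE))     # 30: SNFIPREP, SNFIPBLACK, SNIFFER-IP-RULES add 10 each
    print(score(0.6, 5, 63, SUGGESTED))  # 20: only SNFIPBLACK fires
    sliding = Rule("IPREPUTATION", "SNFIPREP", 0, 2, -1)
    print([snfiprep_sliding(r, sliding) for r in (0.0, 0.3, 1.0, -0.3, -1.0)])  # [0, 6.0, 20.0, -3.0, -10.0]
```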

RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate

2010-04-30 Thread Andy Schmidt
Hi Pete,

I'm looking over Declude's recommended Sniffer configuration and trying to
understand how much overlap there is between these options:

IPREPUTATION     SNFIPREP x 0  10 -5

SNFIPCAUTION     SNFIP    x 4  5  0
SNFIPBLACK       SNFIP    x 5  10 0
SNFIPTRUNCATE    SNFIP    x 6  10 0

SNFTRUNCATE      SNF      x 20 10 0
SNIFFER-IP-RULES SNF      x 63 10 0

Looking at the Sniffer documentation IP test result codes
http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
it seems that the SNFIP tests for 4, 5 and 6 (SNFIPCAUTION,
SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.

However, Declude ALSO tests for your Rule Group Result Codes 20 and 63
which are documented here:
http://www.armresearch.com/support/articles/software/snfServer/core.jsp

1. It seems to me, as if their SNFTRUNCATE is the same as their
SNFIPTRUNCATE, and their SNIFFER-IP-RULES is the same as their SNFIPBLACK --
effectively artificially inflating (doubling) the weights for these tests?

2. How do those Caution/Black/Truncate exit codes relate to SNFIPREP?
There, any reputation > 0 (up to 1) is given an extra weight of 10. But
doesn't SNFIPREP report from the same reputation data as the SNFIP (and
possibly even group result codes 20 and 63)? In other words, are those IP
addresses that generate a reputation factor of > 0 ALSO reported as
Caution/Black or Truncate - if so, we'd now TRIPLE count that score.

Best Regards,
Andy




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate

2010-04-30 Thread Pete McNeil

On 4/30/2010 5:16 PM, Andy Schmidt wrote:

Hi Pete,

I'm looking over Declude's recommended Sniffer configuration and trying to
understand how much overlap there is between these options:

IPREPUTATION     SNFIPREP x 0  10 -5

SNFIPCAUTION     SNFIP    x 4  5  0
SNFIPBLACK       SNFIP    x 5  10 0
SNFIPTRUNCATE    SNFIP    x 6  10 0

SNFTRUNCATE      SNF      x 20 10 0
SNIFFER-IP-RULES SNF      x 63 10 0

Looking at the Sniffer documentation IP test result codes
http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
it seems that the SNFIP tests for 4, 5 and 6 (SNFIPCAUTION,
SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.


I am not intimately familiar with Declude's configuration and SNF 
integration --- not like I used to be anyway (s many platforms now).


I _think_ these tests work like this:

The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. It's a subtle nudge in the right direction.


The SNFIP test gives you a hard result code based only on the IP 
reputation when that reputation is within one of the envelopes defined 
for GBUdb. So if the IP reputation is in the Caution, Black, or Truncate 
range then that test will fire.


Presumably all of the IP tests happen before SNF scans the message -- 
because they can -- I don't know that they do, but I know that IP 
reputations can be queried before and separately from a scan. (Scans 
MUST happen in order for GBUdb to build up reputation data however).


Finally the SNF test responds to the normal blended result codes that 
SNFClient would return.
So result code 20 is Truncate- meaning that the IP reputation was so bad 
that SNF stopped the scan and returned the result code.


Result code 63 is Black which could mean that an SNF IP rule fired (rare 
these days) or that no pattern matched but the IP was in the Black range 
in GBUdb so GBUdb took over and forced the result code from 0 (no 
pattern found) to 63 (Black).


Other result codes are also possible:

http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp#msgScan

David -- if I got any of this wrong please correct me.

However, Declude ALSO tests for your Rule Group Result Codes 20 and 63
which are documented here:
http://www.armresearch.com/support/articles/software/snfServer/core.jsp

1. It seems to me, as if their SNFTRUNCATE is the same as their
SNFIPTRUNCATE, and their SNIFFER-IP-RULES is the same as their SNFIPBLACK --
effectively artificially inflating (doubling) the weights for these tests?
   


Yes -- if you have them configured that way. Some of the results are 
predictable.


If SNFIP is Black or Caution then you are virtually guaranteed to get a 
Black or Caution result from SNF -- Unless SNF matches a pattern in 
which case you will get a pattern result code from the SNF test.


If SNFIP is Truncate then SNF should also return Truncate.

The weights you assign to these should be set accordingly.


2. How do those Caution/Black/Truncate exit codes relate to SNFIPREP?
There, any reputation > 0 (up to 1) is given an extra weight of 10. But
doesn't SNFIPREP report from the same reputation data as the SNFIP (and
possibly even group result codes 20 and 63)? In other words, are those IP
addresses that generate a reputation factor of > 0 ALSO reported as
Caution/Black or Truncate - if so, we'd now TRIPLE count that score.
   


That's not quite true...

I presume the SNFIPREP test uses a sliding numeric value that combines 
the probability factor and the confidence factor for the IP. This is not 
the same thing as Caution, Black, and Truncate.


The SNFIPREP result is a sliding value that will work even when the 
reputation is not in the (White) Caution, Black, and Truncate ranges. 
When an IP's reputation is in one of those ranges then the appropriate 
result from SNFIP will either be returned or not (On or Off).


Now-- I presume that even when SNFIP does return Caution, Black, or 
Truncate that SNFIPREP continues to work and in that case will provide 
some shading to those values... so, if you will, more or less Black, etc.


I don't think that I would necessarily use all of these together -- 
though it is possible to do so. It seems to me that it might become very 
complicated since there is some overlap.


That said -- I do think that some of these tests can be combined 
successfully without too much confusion... it's just a matter of knowing 
how they interact. Hopefully my description is helpful (and my 
assumptions are correct).


Best,

_M

--
President
MicroNeil Research Corporation

RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate

2010-04-30 Thread Andy Schmidt
Thanks Pete - that confirms what I feared.

Declude's own sample should NOT be used as is because it duplicates the IP
results (at minimum)

 The SNFIPREP test gives you a variable weight based on the IP reputation
 in GBUdb. This allows you to get some weighting positively or negatively
 based on the reputation even when that reputation is not in one of the
 defined GBUdb envelopes.

Yes - according to Dave's explanation earlier today, Declude will get a
decimal number between -1 and +1. Their Sample/Default configuration treats
0 as normal, treats anything negative as GOOD (and subtracts 5 points)
and anything positive as BAD (and adds 10 points).

So - even though Sniffer returns information on a very graduated scale,
Declude then returns 3 discrete numbers. In fact, 0 is only returned for 10%
of the range - 90% of the range returns either -5 or 10.

 I presume that even when SNFIP does return Caution, Black, or Truncate
 that SNFIPREP continues to work and in that case will provide some shading
 to those values... so, if you will, more or less Black, etc.

Based on Dave's explanation, Caution, Black and Truncate would
certainly always return a value > 0. Consequently, 10 would ALWAYS be
added to the weight for those 3 reputations.

Their default example basically TRIPLES the 10 weight that is assigned in
many cases (once for SNFIP, once for SNFIPREP, and once for SNF).

Let's see if Dave chips in - but it certainly seems to me that Declude's
Sniffer sample/default config should NOT be used (because it doesn't do what
an innocent user might expect). It's not at all clear that after all
their Sniffer rules, 30 would be added to the weight in several cases.



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, April 30, 2010 7:07 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs.
Sniffer Truncate

On 4/30/2010 5:16 PM, Andy Schmidt wrote:
 Hi Pete,

 I'm looking over Declude's recommended Sniffer configuration and trying to
 understand how much overlap there is between these options:

 IPREPUTATION     SNFIPREP x 0  10 -5

 SNFIPCAUTION     SNFIP    x 4  5  0
 SNFIPBLACK       SNFIP    x 5  10 0
 SNFIPTRUNCATE    SNFIP    x 6  10 0

 SNFTRUNCATE      SNF      x 20 10 0
 SNIFFER-IP-RULES SNF      x 63 10 0

 Looking at the Sniffer documentation IP test result codes
 http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
 it seems that the SNFIP tests for 4, 5 and 6 (SNFIPCAUTION,
 SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.


I am not intimately familiar with Declude's configuration and SNF 
integration --- not like I used to be anyway (s many platforms now).

I _think_ these tests work like this:

The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. It's a subtle nudge in the right direction.

The SNFIP test gives you a hard result code based only on the IP 
reputation when that reputation is within one of the envelopes defined 
for GBUdb. So if the IP reputation is in the Caution, Black, or Truncate 
range then that test will fire.

Presumably all of the IP tests happen before SNF scans the message -- 
because they can -- I don't know that they do, but I know that IP 
reputations can be queried before and separately from a scan. (Scans 
MUST happen in order for GBUdb to build up reputation data however).

Finally the SNF test responds to the normal blended result codes that 
SNFClient would return.
So result code 20 is Truncate- meaning that the IP reputation was so bad 
that SNF stopped the scan and returned the result code.

Result code 63 is Black which could mean that an SNF IP rule fired (rare 
these days) or that no pattern matched but the IP was in the Black range 
in GBUdb so GBUdb took over and forced the result code from 0 (no 
pattern found) to 63 (Black).

Other result codes are also possible:

http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp#msgScan

David -- if I got any of this wrong please correct me.
 However, Declude ALSO tests for your Rule Group Result Codes 20 and 63
 which are documented here:
 http://www.armresearch.com/support/articles/software/snfServer/core.jsp

 1. It seems to me, as if their SNFTRUNCATE is the same as their
 SNFIPTRUNCATE, and their SNIFFER-IP-RULES is the same as their SNFIPBLACK
--
 effectively artificially inflating (doubling) the weights for these tests?


Yes -- if you have them configured that way. Some of the results