On Thursday, December 2, 2004, 4:15:43 PM, Jim wrote:

JM> Pete,
JM> We have rules set up in Declude based upon sniffer return codes 60 and 62 to
JM> mark all messages with those tests as spam, however we do not have any 61 or
JM> 62 return codes set up. Can you briefly explain what each of these groups
JM> includes and a false positive rate for each?

The false positive rates for all of these rule groups have fallen dramatically over the past 8 months and at this point they are all comparable. Different systems see different rates, but all rates are low.

Group 63 - Experimental Received [IP] - contains rules that match Receive headers by IP. These are now largely generated by robots which monitor inbound spamtrap and usertrap data and then test those sources. This group used to provide the second largest rate of false positives. The rate now is roughly the same as any other group.

Group 62 - Obfuscation - contains rules built to detect obfuscation techniques. Internally this group breaks down into a number of sub-groups which detect unnecessary URL encoding, HEX encoding, and HTML obfuscation patterns.

Group 61 - Experimental Abstract - contains rules that are designed to recognize data patterns and structures found in spam. For example errors in headers combined with message structures, misspellings, unusual uses for table and HTML structures or message segments, and other abstract patterns that result from the use of scripting engines to generate polymorphic spam.

Note: Group 60 was Gray-Hosting many months ago. That group was retired and then reused. Now it is being renumbered again.

Group 60 - General (Ungrouped) - contains many of the same kinds of rules found in other groups, but particularly those which cannot be accurately categorized there. For example, fake diploma spam. These rules are largely text segments, domains, URI/URL segments, and structures (much like those found in group 61).

Hope this helps,
_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html