Hi,

Thanks.

I will treat result code 63 with a "combo" filter so that any parallel hit
with a regular RBL won't end up counting twice.  That should take care of
it.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206 


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Friday, February 24, 2006 03:38 PM
To: Andy Schmidt
Subject: Re: [sniffer] IP Blacklist rules

On Friday, February 24, 2006, 2:56:02 PM, Andy wrote:

AS> Hi,

AS> I'm realizing that some Sniffer rules amount to nothing more than IP 
AS> blacklists.

AS>         received:~+[nnn\.nnn\.nnn\.nnn]
AS>
AS> Are all "sender IP" rules properly grouped so that I can identify 
AS> and ignore them by return code. I already use IP blacklists (and 
AS> other means) to "cross check" Sniffer and add to my "confidence" 
AS> value before a mail is finally blocked.

AS> I can't afford Sniffer to effectively "double up" those sender-IP tests.
AS> Ideally, Sniffer should perform content checking.

Please review the result code explanations here:

http://www.sortmonster.com/MessageSniffer/Help/ResultCodesHelp.html

IP rules are coded to symbol 63. The voting system on each SNF node sees
rules with lower symbol values as "more fit", so the only time you will see
a result code of 63 is when no other rule matches that message.

You may want to reconsider ignoring this result code - there is added value.

When an IP rule is in the SNF rulebase, it indicates that:

* The rule is from a message that reached our spamtraps.

* Additional algorithms were used to classify the IP as a spam source.

* The source has been consistently and recently active and detected at our
user's system. Inactive IP rules are "forgotten" after a short period.

* There have been no false positives reported against the rule. We remove IP
rules on the first FP case and place the rule in a "problematic" rule group
so that it cannot be reinstated without a strict review.

* No other rules in our system are currently identifying the associated
message content. Though we do focus on content, it is clear that in some
cases an IP is the most efficient indicator.

Since most other blacklisting services focus on a broad spectrum of IPs,
there is bound to be overlap between them and also with SNF IP rules.
However the fact that the IP shows up in our system does carry some unique
information about that IP (see above).

We explicitly do not aggregate IP rules from other lists. We recognize that
other IP black lists are used in spam filters along with SNF and we
encourage that as well as the use of other tests. (Even though SNF
encapsulates diversity in its algorithms and continues to expand this
diversity, the best filtering systems will always use as many useful
mechanisms as possible.)

Additionally, as we move forward, IP rules in the SNF rulebase will be
gathered by unique, sophisticated mechanisms such as wavefront detection and
cross-feature source correlation, etc. As a result, IP rules found in the
SNF rulebase will increasingly represent some unique characteristics not
found in other IP lists.

Hope this helps,

_M



This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
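An added example (not code from the list, from Andy, or from the SNF product) that models the two mechanisms discussed in this thread: the SNF node vote in which the lowest symbol among matched rules wins, so 63 is only reported when nothing else matched, and Andy's "combo" filter that keeps a code-63 hit from adding to the confidence value a second time when a regular RBL already flagged the same sender IP. Symbol 63 comes from the thread; every other symbol, the weights, the threshold and the sample messages are constructed assumptions.

```python
IP_RULE_SYMBOL = 63          # from the thread: IP rules are coded to symbol 63
CLEAN = 0                    # assumed convention for "no rule matched"

# Assumed per-test weights that each hit adds to the confidence value.
WEIGHTS = {"rbl_a": 40, "rbl_b": 30, "snf_ip": 40, "snf_content": 60}
BLOCK_THRESHOLD = 70         # assumed


def snf_result_code(matched_symbols):
    """Mimic the SNF vote: the lowest symbol is 'more fit' and is reported."""
    return min(matched_symbols) if matched_symbols else CLEAN


def confidence(snf_code, rbl_hits, weights=WEIGHTS):
    """Combine RBL hits and the SNF result code into one confidence value."""
    score = sum(weights[r] for r in rbl_hits)
    if snf_code == IP_RULE_SYMBOL:
        # Combo filter: code 63 is sender-IP evidence, the same thing an RBL
        # listing says, so it only counts when no RBL fired for this message.
        if not rbl_hits:
            score += weights["snf_ip"]
    elif snf_code != CLEAN:
        # Any other code is a content match and stacks with RBL evidence.
        score += weights["snf_content"]
    return score


def should_block(snf_symbols, rbl_hits):
    """Return (result_code, confidence, blocked) for one message."""
    code = snf_result_code(snf_symbols)
    score = confidence(code, rbl_hits)
    return code, score, score >= BLOCK_THRESHOLD


# Constructed sample messages: (matched SNF symbols, RBLs listing the sender IP).
SAMPLES = {
    "ip_rule_and_rbl": ([63], ["rbl_a"]),        # 40, not 80: counted once
    "ip_rule_no_rbl":  ([63], []),               # 40: SNF is the only IP test
    "content_and_ip":  ([63, 40], ["rbl_a"]),    # code 40 wins, 40 + 60 = 100
}

if __name__ == "__main__":
    for name, (symbols, rbls) in SAMPLES.items():
        print(name, should_block(symbols, rbls))
```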

