This was answered off list... (parallel comments below)

On Wednesday, March 8, 2006, 2:33:20 PM, Support wrote:

STI> I also have got a lot of false positives with code 063 which are HOLD now.
STI> I know it's not very nice to set email on HOLD when failing sniffer but
STI> I've got a major problem with spam and until a few days ago this was going
STI> well, at least a few false positives in a week.
STI> 03/07/2006 20:12:44.628 qdb2402d000003b56.smd Msg failed SNIFFER (Message
STI> failed SNIFFER: 63.). Action=HOLD.
STI> l6l0ow6m 20060307191244 Ddb2402d000003b56.smd 31 31
STI> Match 672578 63 142 176 65
STI> l6l0ow6m 20060307191244 Ddb2402d000003b56.smd 31 31
STI> Final 672578 63 0 2819 65
STI> Could this please stop, sniffer was pretty reliable for us, but not at the
STI> moment.

The above rule was not created by the F001 bot.

So far only 24 of 50,000 rules created by F001 have caused false positive cases. Most of those were caused by exposure to gmail proxy which has since been made invisible to the bot.

F001 FP rates are dropping significantly and there are measures in place to see that this trend continues aggressively.

We need to give F001 more time.

All F001 rules are coded in group 63 where other IP rules are coded so you can reduce the weighting and response of your system to this group if it is causing issues - and then, hopefully, increase the weight again once you see an acceptable risk for FPs (it can never be zero in any filtering system).

If needed, the entire group can be masked out of a specific rulebase, but that is an aggressive move. It is far preferable and more flexible to adjust weighting and/or responses to result code 63 locally.

Hope this helps,

_M

PS: I'm considering enhancements to the F001 bot that will reduce the rate of growth by ensuring a higher repeat rate before installing a rule. This has an up side and a down side. The up side is that rules will be added more slowly and that they will immediately have a larger effect. The down side is that the benefit of the rule will be lost for a period of time to allow for the additional repeats, thus allowing more leakage.

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
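
An added example, not part of the original e-mail and not Message Sniffer's own code: a small log reader that lists, for every message whose final result code is 63, the rule IDs that matched, so held messages can be traced to specific rules when reviewing false positives. The field names are assumptions inferred from the column positions in the quoted log lines, and the third sample record is constructed.

```python
from collections import defaultdict

# Constructed sample: the two records quoted in the message, plus one
# made-up record for a different message and result code.
SAMPLE_LOG = """\
l6l0ow6m 20060307191244 Ddb2402d000003b56.smd 31 31 Match 672578 63 142 176 65
l6l0ow6m 20060307191244 Ddb2402d000003b56.smd 31 31 Final 672578 63 0 2819 65
l6l0ow6m 20060307191301 Dexample0000000001.smd 15 16 Final 123456 52 0 1900 40
"""

# Assumed field names (inferred from the sample, not from product docs).
FIELDS = ("license", "timestamp", "msg_file", "setup_ms", "scan_ms",
          "record", "rule_id", "result_code", "start", "end", "depth")
INT_FIELDS = ("setup_ms", "scan_ms", "rule_id", "result_code",
              "start", "end", "depth")


def parse_line(line):
    """Return a dict for one log record, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
    except ValueError:
        return None
    return rec


def rules_behind_code(log_text, result_code):
    """Map message file -> sorted rule IDs, for messages whose Final
    record carries the given result code."""
    finals = {}
    matches = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or damaged lines instead of failing
        if rec["record"] == "Final":
            finals[rec["msg_file"]] = rec
        elif rec["record"] == "Match":
            matches[rec["msg_file"]].add(rec["rule_id"])
    report = {}
    for msg_file, final in finals.items():
        if final["result_code"] == result_code:
            rule_ids = matches[msg_file] | {final["rule_id"]}
            report[msg_file] = sorted(rule_ids)
    return report
```
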
