Hello Darin,

Tuesday, June 6, 2006, 7:49:37 PM, you wrote:

<snip/>

> This also got me thinking of the flip side, spam reporting. There's a
> significant untapped load of spam that sniffer doesn't fail that we filter.
> I was thinking about creating a filter to copy your spam@ address with
> messages that get moved to our archive (we archive held spam for 30 days in
> case we missed an FP) that did not fail Sniffer. This would be after we
> have already processed for FPs.

That would be a bad idea, sorry. After 30 days (heck, after 2) spam is usually long-since filtered, or dead. As a result, looking at 30 day old spam would have a cost, but little benefit.

What we do use from time to time are virtual spamtraps. In a virtual spamtrap scenario, you can submit spam that reached a very high (very low false positive) score but did not fail SNF. Generally this is done by copying the message to a pop3 account that can be polled by our bots. We treat this kind of submission as if it were a usertrap, so we are very careful about what to code.

The advantage to this methodology is that the detection of new spam is timely. Also, since we code rules speculatively for entire campaigns and message structures, SNF will often end up capturing instances of the campaign that did not score highly enough on other tests to get into the trap, and also preemptively captures future versions of the campaign that are not yet seen.

All that said, the biggest benefit of this kind of synthetic spamtrap is that if you now see something before we do, we will see it and code for it faster. Our ultimate goal over the next few years is to have the delay between detection and active filtering be measured in seconds.

Hope this helps,

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

This message is sent to you because you are subscribed to the mailing list <sniffer@sortmonster.com>.
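The selection rule for a virtual spamtrap described in the message above (very high score, did not fail SNF, still fresh), sketched as an added example that is not part of the original post or of any Sniffer tooling. The header names, the score cutoff and the 24-hour window are assumptions, and the sample messages are constructed.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string

# Assumed names and cutoffs (not from the post); map them to your own filter.
SCORE_HEADER = "X-Spam-Score"   # hypothetical: combined weight of all tests
SNF_HEADER = "X-SNF-Result"     # hypothetical: "fail" when an SNF rule matched
MIN_SCORE = 30.0                # assumed "very high, very low false positive" cutoff
MAX_AGE = timedelta(hours=24)   # assumed freshness window

def trap_decision(raw, received_at, now):
    """Return 'submit' or the reason the message is kept out of the trap."""
    msg = message_from_string(raw)
    try:
        score = float(msg.get(SCORE_HEADER, ""))
    except ValueError:
        return "no score"
    if score < MIN_SCORE:
        return "score too low"
    if msg.get(SNF_HEADER, "").strip().lower() == "fail":
        return "already failed SNF"
    # Use the filter's own receipt time; the Date header is sender-controlled.
    if now - received_at > MAX_AGE:
        return "too old"
    return "submit"

def make(score, snf):
    # Constructed sample message, not real traffic.
    return (f"From: a@example.com\nSubject: sample\n"
            f"{SCORE_HEADER}: {score}\n{SNF_HEADER}: {snf}\n\nbody\n")

NOW = datetime(2006, 6, 7, 12, 0, tzinfo=timezone.utc)
SAMPLES = [
    (make(42.5, "pass"), NOW - timedelta(hours=1)),   # high score, SNF missed it
    (make(42.5, "fail"), NOW - timedelta(hours=1)),   # SNF already has a rule
    (make(12.0, "pass"), NOW - timedelta(hours=1)),   # not confident enough
    (make(42.5, "pass"), NOW - timedelta(days=30)),   # pulled from the archive
]

def decide_all():
    return [trap_decision(raw, ts, NOW) for raw, ts in SAMPLES]

if __name__ == "__main__":
    for decision in decide_all():
        print(decision)
```

Messages that come back as "submit" are the ones to copy to the polled mailbox at filtering time, rather than after the archive period.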