Hi Pete,
You're exactly right, but we often get spoiled by the high quality of your detection rate. It's easy to expect perfection when it means less work for us <g>.

Thanks for all you do to keep the quality so high.

Darin.

----- Original Message -----
From: Pete McNeil
Sent: Tuesday, October 17, 2006 8:42 AM
Subject: [sniffer] Re: Significant increase in false positives

Hello Computer,

Monday, October 16, 2006, 11:09:03 PM, you wrote:

This was not a bad-rule alert or rule-panic situation.

Most of these messages were probably NOT false positives. The rule does have a higher rate than is acceptable (so it was dropped), but it doesn't catch every message with an image, and it does catch primarily image spam.

If I felt strongly about researching this there would be 7200 to look through (not 35000) and I would probably only look through those that failed no other tests or were below some very low weight threshold otherwise - that would probably bring the number down into a range < 100 messages (based on what I've seen reported).

[ Educated guess items: > 80% of content is usually spam. On weekends this number is higher. This weekend there were some new, aggressive image spam campaigns - so the number of spam captured by a rule like this would be higher than normal rather than lower. The rule was essentially in place only during the weekend and only received FP reports late Sun through early Mon and some systems have reported no discernable increase in false positives during this period. 20% of 7200 is close to 150, so the conservative number likely not to be spam in that group is less than that (due to the weekend) so approximately 100 seems reasonable. If there are FPs then it is likely they failed no other tests. ]

Hope this helps,

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.