I would appreciate it if someone could post a sample config using the individual rules and not just the one rule for message sniffer. Seems like we should update our setup to use the individual message sniffer rules. We are very pleased with our results but every little bit helps.
Also, I guess the triggered update still does not work with Smartermail? Thanks, John -----Original Message----- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, December 12, 2006 11:43 AM To: Message Sniffer Community Subject: [sniffer] Re: Stock spam Hello Herb, Tuesday, December 12, 2006, 12:32:09 PM, you wrote: > We were seeing lots of unmarked pump and dump stock spam a week or so > ago but now almost non is getting thru. Sniffer is catching most of it > and some other declude and rbl tests are as well. It's interesting to see such mixed results posted. It makes me wonder what the differences are between the systems reporting high catch rates (which we also see, once a campaign has been analyzed) and low catch rates. Also -- are the poor catch rates reported on text based stock-push spams or image based? Text based stock-push leakage is not likely because we generally catch these very fast and there are a range of rules in place to capture new campaigns even before we've seen them - so if you have this kind of leakage and it persists then start looking for problems with your system (errors, rulebase updates working, etc...) Image based stock-push is a problem, as is all image spam, but we do generally get these handled pretty fast. If you haven't already - recognize that since about mid September the black hats have significantly shifted toward image spam, have increased their volumes by between 4x and 20x (depending on who you talk to), and have increased the rate at which new campaigns are launched by at least 5x. If you are seeing image spam leakage check your weighting system (if you have one) and be sure that SNF rule groups 60 and 61 are rated highly enough to hold a message on their own. Previously we had always advised that SNF plus at least one other test should be required to hold a message simply for philosophical reasons: no single test should hold a message in order to improve accuracy. Unfortunately the recent changes in blackhat behavior are such that SNF is often the only test to fire on image spams so it has become necessary to abandon that tactic in order to minimize leakage. Hope this helps, _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC. ############################################################# This message is sent to you because you are subscribed to the mailing list <sniffer@sortmonster.com>. To unsubscribe, E-mail to: <[EMAIL PROTECTED]> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]> Send administrative queries to <[EMAIL PROTECTED]> ############################################################# This message is sent to you because you are subscribed to the mailing list <sniffer@sortmonster.com>. To unsubscribe, E-mail to: <[EMAIL PROTECTED]> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]> Send administrative queries to <[EMAIL PROTECTED]>