Hello Andy,

Thursday, December 28, 2006, 10:34:15 AM, you wrote:

> Hi,

> This morning I had to file two false positive reports because emails from
> Wanadoo.FR and UOL.COM.BR were triggering "SNIFFER-IP".

> I don't know if this is a coincidence or if this is a worrisome new trend

<snip/>

Our IP rule coding policies have not changed in quite some time and
the false positive rates for IP rules have dropped significantly since
the last change.

IP rules are now coded only by a specialized bot which has very strict
rules and looks only at clean spamtraps for recurring abuse.

> 20061228150347  16      0       Match   799799  63      1       48  75
> 20061228150347  16      0       Final   799799  63      0       1744    75

The above rule had been in place for 346 days without any false
positive reports. The rule was coded by the previous robot and at the
time was verified by 3 additional blacklists.

> 20061228110558  15      16      Match   1235160 63      1       46  73
> 20061228110558  15      16      Final   1235160 63      0       2980    73

This was coded by the new bot (F001) approximately 28 days ago - no
prior false positives.

IP rules are currently coded by the F001 bot based on direct, repeated
observations at clean spamtraps. IP rules are excluded on the first
false positive report so that they cannot be reactivated without
direct human intervention.

It is not practical for us to keep tabs on, nor deeply research every
possible IP that may be used by any large (or otherwise) ISP. Instead
we have the above policy and very strict observational rules to
prevent the addition of IPs that are likely to produce significant
legitimate traffic and to quickly and permanently remove IPs that
cause false positives. (Some exceptions, of course, apply.)

It is inevitable that there will be a nonzero error rate - but that
error rate is demonstrably small given our current process, and we are
constantly researching and developing techniques to improve on that
rate.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

