Hello Sniffer Folks,
I thought I would drop you a note to let you know some things we're
doing behind the scenes to improve filtering accuracy and prevent false
positives.
Unqualified false positive candidates:
In partnership with our larger customers we have created a new system to
proactively review captured messages that _might_ be unreported false
positives (usually they are spam, but some aren't). Through this review
process we are able to remove and modify pattern rules that cause
occasional low-level false positives that would otherwise not be
reported. This system is already allowing us to recode or remove dozens
of rules per day to make them more accurate; and to update our rule
coding practices and support systems to further improve our accuracy
moving forward.
Real-time rule / IP conflict analysis:
Today we have completed a new false-positive early-warning system. This
system monitors conflicts between IP reputations and pattern rule
matches across the entire fleet of Message Sniffer installations in
real-time. Any time a pattern match is in disagreement with a source
IP's reputation, that information is analyzed and pumped through a
sophisticated collection of filters and data-mining tools. The resulting
analysis is displayed in real-time in our spam-weather center so that
our staff can respond immediately (24x365) if there is any sign of a
"bad rule".
Since we launched this new system and operating protocols earlier today,
we have already had several "events" -- all of them turned out to be
valid anti-spam rules capturing content from botnets that had
previously sent *berserkers to improve their IP reputations, or where
some of the campaigns in question had leaked sufficiently to produce
temporary positive IP reputations on some systems. This information
itself is very interesting now that we can see it more clearly and we
are already working on ways to identify these cases and reduce the
leakage associated with them.
As always your comments, ideas, and suggestions are both welcome and
encouraged.
Best,
_M
PS: *berserkers - Blackhats sometimes send messages that are random
and/or carry no payload. These "berserkers", sometimes sent by accident
by broken bots or broken spam scripts, have the effect of improving the
IP reputations of the systems that send them because there is
insufficient content to filter against. In addition, these messages are
often sent at such low rates that most adaptive filtering systems fail
to respond to them; if those systems were to be (conventionally)
sensitized to the berserkers they would also significantly increase
their false-positive rates.
We call these berserkers after the practice of the old Norse warriors
who, in an uncontrollable state (chaotic, berserk, in a fit of madness,
and believing themselves immune to weapons), would charge directly into
the enemy's ranks, fearlessly attacking anything and everything
(friend or foe).
http://en.wikipedia.org/wiki/Berserker
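As an added example (not code from Message Sniffer or ARM Research, and not a description of their actual system): a toy version of the rule-vs-IP-reputation conflict check described under "Real-time rule / IP conflict analysis", with the berserker effect from the PS built into the sample data so that the two possible explanations for a conflict, a bad rule versus a correct rule hitting bots with inflated reputations, can be told apart. The thresholds, the naive reputation model, the per-IP history, the rule ids and the addresses (taken from the documentation ranges) are all assumptions made for illustration.

```python
# Added example, not Message Sniffer / ARM Research code: a toy rule-vs-IP-
# reputation conflict analyzer in the spirit of the early-warning system
# described in the post. All thresholds, the reputation model and the sample
# data below are assumptions made for illustration.
from collections import defaultdict

MIN_BODY_BYTES = 64     # assumption: smaller bodies carry nothing to filter on
GOOD_REPUTATION = 0.8   # assumption: naive score at/above this counts as "good"
CONFLICT_RATIO = 0.5    # flag a rule when this share of its matches conflict
MIN_MATCHES = 5         # ignore rules with too few matches to judge

# Constructed per-IP delivery history as a naive reputation system would see
# it: (body_bytes, flagged_as_spam). The 198.51.100.x hosts are bots whose
# history is almost entirely payload-free "berserker" messages never flagged.
IP_HISTORY = {
    "198.51.100.7": [(0, False)] * 40 + [(12, False)] * 10,
    "198.51.100.8": [(0, False)] * 45 + [(3, False)] * 5,
    "203.0.113.21": [(2400, False)] * 50,                      # clean MTA
    "203.0.113.22": [(1900, False)] * 48 + [(800, True)] * 2,  # mostly clean MTA
    "192.0.2.99":   [(900, True)] * 30,                        # known spam source
}

# Constructed fleet-wide pattern-rule matches: (rule_id, source_ip).
MATCHES = (
    [("r-1001", "198.51.100.7")] * 6
    + [("r-1001", "198.51.100.8")] * 5
    + [("r-1001", "192.0.2.99")] * 3
    + [("r-2002", "203.0.113.21")] * 7
    + [("r-2002", "203.0.113.22")] * 4
    + [("r-3003", "192.0.2.99")] * 9
    + [("r-3003", "203.0.113.22")]
)


def naive_reputation(history):
    """Share of deliveries not flagged as spam. Payload-free messages count
    as clean here, which is exactly how berserkers inflate a score."""
    return sum(1 for _, spam in history if not spam) / len(history)


def berserker_share(history):
    """Share of an IP's clean deliveries that were too small to filter."""
    clean = [size for size, spam in history if not spam]
    if not clean:
        return 0.0
    return sum(1 for size in clean if size < MIN_BODY_BYTES) / len(clean)


def analyze(matches, ip_history):
    """Return {rule_id: (verdict, conflict_ratio)}.

    A match "conflicts" when the rule fired on mail from an IP with good
    reputation. A rule whose conflict share reaches CONFLICT_RATIO is either
    a bad rule or a correct rule hitting IPs whose reputation is
    berserker-inflated; the history of the conflicting IPs decides which.
    """
    per_rule = defaultdict(list)
    for rule_id, ip in matches:
        per_rule[rule_id].append(ip)

    report = {}
    for rule_id, ips in per_rule.items():
        if len(ips) < MIN_MATCHES:
            continue
        conflicting = [ip for ip in ips
                       if naive_reputation(ip_history[ip]) >= GOOD_REPUTATION]
        ratio = len(conflicting) / len(ips)
        if ratio < CONFLICT_RATIO:
            report[rule_id] = ("ok", ratio)
            continue
        # Conflict: was the reputation earned on real mail, or on berserkers?
        inflated = [ip for ip in conflicting
                    if berserker_share(ip_history[ip]) >= 0.5]
        if 2 * len(inflated) > len(conflicting):
            report[rule_id] = ("berserker-inflated reputation", ratio)
        else:
            report[rule_id] = ("bad-rule candidate", ratio)
    return report


if __name__ == "__main__":
    for rule_id, (verdict, ratio) in sorted(analyze(MATCHES, IP_HISTORY).items()):
        print(f"{rule_id}: {verdict} (conflict ratio {ratio:.2f})")
```

Run stand-alone it reports r-1001 as a valid rule catching bots with berserker-inflated reputations, r-2002 as a bad-rule candidate (it fires almost only on clean, high-volume MTAs), and r-3003 as fine. The point of keeping the body size in the history is that a reputation score alone cannot separate the two cases; only the provenance of the score can, which is why a reputation system that counts payload-free deliveries as clean is the weak spot the PS describes.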
#############################################################
This message is sent to you because you are subscribed to
the mailing list <[email protected]>.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: <[email protected]>
To switch to the DIGEST mode, E-mail to <[email protected]>
To switch to the INDEX mode, E-mail to <[email protected]>
Send administrative queries to <[email protected]>