Re: High scoring false positives

Sat, 20 Jan 2007 16:31:37 -0800 

"Alexis Manning" <[EMAIL PROTECTED]> writes:

> [Apologies if this is received more than once - apache.org doesn't like my
> local mailserver!]
>
> Does anyone have any data on high-scoring false positives?  Currently I 
> have my required score set to 7.5.
>
> Under 7.5 gets delivered normally.  Anything between 7.5 and 15 gets put 
> into a folder that I will glance at... eventually.  Anything over 15 
> gets dumped into a folder which I never look at, and only keep to handle 
> any complaints that mail was sent and never replied to.
>
> I've caught a couple of false positives just over 7.5.  Do people think 
> that 15 is a reasonable cut off point to discard emails, which is 
> basically what I'm doing?  What's the highest-scoring false positive 
> that people have run across?
>
> Thanks,

I have not seen "high score" (10+) false positives for long time but I
remember (1 year+ ago) cases of
* RCF-Ignorant list discussion about domain listed by 
  "spamvertized domains" DNSBL (it received 20+ score)
* "Newsletter" send as consequence of my subscription to free 
  "mailbox forward" service

IMHO *automatic* "discarding" is a Bad Idea (TM).

The procedure you suggest would require "temporary reconfiguration"
after every spamassassin upgrade as a precaution against unforeseen
"changes in behavior".

I personally recommend:
* using a few DNSRBL to reject most spam in SMTP session (70%+)
  * it reduces amount of work left for more "horsepower hungry" methods
    such as spamassassin 
  * in case of false positive makes the sender know and sender can
    switch to non email ways of communication
* inspecting personally all messages "classified" as spam and reporting
  "human confirmed spam" using "spamassassin -r" to DCC/Pyzor/Razor2 and
  spamcop.net 
  * you can use spamcup or http://anfi.homeunix.net/perl/spamcop-ack.pl
    to automate sending LARTs using spamcop.net

I do believe that spammers *should* get "special reward" for passing
anti-spam defenses :-)

-- 
[pl>en: Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
Home site: http://anfi.homeunix.net/

Reply via email to