[SpamCop.net - protecting the internet through technology]

[SC-Help] Spampal config (false positives)

Geoff Lane geoff at nospam.gjctech.co.uk
Wed Feb 9 01:58:35 EST 2005


I've started a new thread because our conversation was getting 
dangerously close to hijacking the other.
--

In the thread, "Spammers getting smarter", Mike Easter wrote:

> Without seeing the complete item, I can't say this with certainty; 
> but I'm almost sure that item would've never been tagged by my SP 
> configuration;  unless your niece's IP is on some kind of spamsource
> or proxy/trojan list.
---
Must be -- she's on a dynamically allocated ISP netblock. IIRC, it was 
SBL that trapped it. 

> I think I am going to be critical of how you have your SP configured. 
> It is tagging too much good mail. 

> If there is goodmail and spam all mixed up somewhere, either tagged or 
> untagged it doesn't matter, the filter hasn't done much of a job. 
---
There is a mix of spam and ham. Due to the nature and quantity of spam 
and ham I'm getting it's quite difficult to filter with complete 
accuracy. I'm convinced that the way I have it configured results in the 
smallest volume of one being mixed with the other -- my spambin contains 
about 1% ham.

If I were to do it the other way, so that no ham was binned, a much 
larger percentage of spam would end up being delivered to users. Now, if 
I were the only user I could filter that in my MUA and the combined 
filtering would give much better separation. However, I have to consider 
other users on my network - and I would rather trap a few ham messages 
than let some of the cr*p through to my wife and son.

In another message, Mike wrote:

> The reason 10 false positives is 'bad' is because they are 'buried' in
> a thousand spams, which 'buries' you back into those thousand
> 'things' to have to look at.  A thousand messages a week to have to
> humanly look at 'carefully' because of goodmail getting in there; 
> because you don't want to lose or report goodmail. 
---
It's not as bad as you think. Firstly, I check the spambin every few 
hours. Secondly, I'm looking at just the sender and subject headers in a 
list on my server - not the entire messages. A subject munged to get by 
keyword filters is obviously spam, as is something with a subject like 
"Quality meds" or the name of certain pharmaceuticals. So, I can select 
and delete obvious spam (most times, that'll be the whole spambin). Any 
that remain can be investigated further by checking the raw text. I 
actually copy very few spam messages through to my MUA.

However, I now only report spam that gets through my filters and so false 
positives in my spambin will not give rise to unwarranted reports.

-- 
Geoff Lane
Cornwall, UK

