[SC-Help] Spampal config (false positives)
geoff at nospam.gjctech.co.uk
Wed Feb 9 01:58:35 EST 2005
I've started a new thread because our conversation was getting
dangerously close to hijacking the other.
In the thread, "Spammers getting smarter", Mike Easter wrote:
> Without seeing the complete item, I can't say this with certainty;
> but I'm almost sure that item would've never been tagged by my SP
> configuration; unless your niece's IP is on some kind of spamsource
> or proxy/trojan list.
Must be -- she's on a dynamically allocated ISP netblock. IIRC, it was
SBL that trapped it.
> I think I am going to be critical of how you have your SP configured.
> It is tagging too much good mail.
> If there is goodmail and spam all mixed up somewhere, either tagged or
> untagged it doesn't matter, the filter hasn't done much of a job.
There is a mix of spam and ham. Due to the nature and quantity of spam
and ham I'm getting it's quite difficult to filter with complete
accuracy. I'm convinced that the way I have it configured results in the
smallest volume of one being mixed with the other -- my spambin contains
about 1% ham.
If I were to do it the other way, so that no ham was binned, a much
larger percentage of spam would end up being delivered to users. Now, if
I were the only user I could filter that in my MUA and the combined
filtering would give much better separation. However, I have to consider
other users on my network - and I would rather trap a few ham messages
than let some of the cr*p through to my wife and son.
In another message, Mike wrote:
> The reason 10 false positives is 'bad' is because they are 'buried' in
> a thousand spams, which 'buries' you back into those thousand
> 'things' to have to look at. A thousand messages a week to have to
> humanly look at 'carefully' because of goodmail getting in there;
> because you don't want to lose or report goodmail.
It's not as bad as you think. Firstly, I check the spambin every few
hours. Secondly, I'm looking at just the sender and subject headers in a
list on my server - not the entire messages. A subject munged to get by
keyword filters is obviously spam, as is something with a subject like
"Quality meds" or the name of certain pharmaceuticals. So, I can select
and delete obvious spam (most times, that'll be the whole spambin). Any
that remain can be investigated further by checking the raw text. I
actually copy very few spam messages through to my MUA.
However, I now only report spam that gets through my filters and so false
positives in my spambin will not give rise to unwarranted reports.