From: "Matt Kettler" <[EMAIL PROTECTED]>
Theo Van Dinter wrote:
On Sun, Feb 19, 2006 at 02:20:05AM -0500, Matt Kettler wrote:
How can we keep the spam tagged, and try to mitigate the FPs by keeping
additive scores for multiple URIBLs more moderate? +20 worth of URIBL
hits is fine on spam, but astronomically high scores don't really help
SA when the tagging threshold is +5. However, they do hurt SA when
overlapping mistakes happen.
Yes.. which is exactly who I was primarily trying to reach by posting
here on the spamassassin, before this turned into a large
misunderstanding between the URIBL operators and myself.
I have two things related to this:
1- if the lists are indeed separate (ie: different sources, etc,)
then having multiple rules makes sense.
They're about 95% separate.. They're all separately maintained, and have
a lot of different approaches to making sure a listing is valid.
I don't think there's any direct cross-feeds where one spamtrap operator
feeds their trap data to multiple lists.
However, there's some potential for duplicate input because of the
end-user-reporting.
This is a potential if a list will add a site on the basis of ONE
spam report. When it takes ten or twenty or more spam reports then
sites will get listed. Your Scotts example is an example of how a
large number of people would be likely to consider it to be spam
and complain. Upon receiving the complaints even a whois lookup to
confirm it was Scotts would not absolve the company for their spam
run. Their contest site did not ANYWHERE obvious say that you'd be
receiving promotional emailings from Scotts as well as contest data.
Thus Scotts DID spam. They got listed. Find a better example.
Take Joe user, who gets a message he considers spam. He runs
spamassassin -r on it, reporting the message to spamcop, and Razor (e8
is uri based, so relevant here. Pyzor, and DCC will also be reported,
but less relevant). The Spamcop report would require multiple reports,
but if it happens that feeds into SC and AB, which then re-check
the URIs. He then pulls out a few URIs, and manually reports them to
URIBL. He then goes to rulesemporium.com and reports it to WS. If he's
got an outblaze account, he could also report to OB.
Average user is one of your customers. Do THEY run spamassassin -r?
...
That's why I'm suggesting we consider a base+offset approach to surbl.
It allows each list to be scored independently, but also allows the
perceptron to allocate scores that reflect the overlap.
You are suggesting something that may well be valid. What are your
testing results from the suggestion? YOU control the scores on your
site, in the final analysis. An /etc/mail/spamassassin/ZZZ_local.cf
will get parsed last and can override the BL scores. Feed it your
score suggestions and report the results.
"I think" is interesting.
"I tested it and got..." is vastly more compelling and interesting.
"I'm from Missouri, show me." And I have found that people do not have
to be from Missouri to feel "show me" rather than "it stands to reason"
or "it should work better" or "I think." The only time the latter seems
to win is when politics are involved.
related to this, I mentioned earlier in the thread about a bug I found
in the reuse section of mass-check while generating some statistics.
we used the reuse code to generate the 3.1 scores. however, due
to the bug, rule hits were lost. so it's hard to say exactly what
occurred because of it, but the scores generated for network tests
(those that enabled reuse anyway) are almost definitely miscalculated,
and potentially very miscalculated (see the same previous post about
the "way different" SURBL WS rule hits that I found).
Yeah, that's bad.. What surprises me is the actual magnitude of the
results. My own experience is that WS and OB both have FP problems, but
they're on about the same level. URIBL_BLACK has at least 10x more FPs
than all the surbl hosted lists combined, including WS... But you guys
see less.
12 URIBL_BLACKB 8988 1.66 10.77 30.77 0.03
I begin to suspect that this indicates a vast dichotomy between a large
ISP experience, or at least your specific environment's experience, and
that of smaller machines. It MAY be that the type of folks you deal with
are sharing quite different interests from the folks who go for "roll your
own" or boutique ISPs. This is worth investigating. It may be that different
scoring regimes are required for the different customer bases. I would not
in the least be surprised if that is the case. I'd actually be surprised if
it is not the case.
We're trying to get updates going for 3.1, and I'm hoping to get scores
generated more frequently after that's set up. Perhaps the next set of
scores will address your issue more directly?
Possibly.
Is the problem more that in the past there weren't a large number of FPs and now there
are?
In the past FPs were rare and always confined to one list. In the past
6 months I've seen a dramatic increase in FPs from WS, OB and BLACK.
Vast increase.... From one in 100,000 to one in 1,000? That would be
dramatic and it would lead to a multiple list hit overlap issue, as well.
The overlap might be down in the one in 10,000 level. But with a million
mails a day to handle that's 100 complaints, more than any sane ISP would
enjoy handling.
At the moment you are focused on something you see as a sure cure. You might
be right. Only you are in the position to TEST your proposal. I don't see
anyone here rushing in to take the risk of it being wrong so that you can
point a finger when the idea backfires. (Hey, after 40 years in industry
a person learns about this trick and gets, perhaps, a little overly
cynical from repeated experience. {^_-})
You MIGHT also think out of the box. Are there other things that can be
done to mitigate the problem? I suspect there are. They'd require some tool
construction. If there is somebody on the list wanting some suggestions for
some perl hacking I can dredge my emails to Matt for some interesting tool
ideas. Some might directly help Jeff more than Matt while others would
benefit someone in Matt's shoes more than most other folks.
{^_^}
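
The comparison the thread asks for ("I tested it and got...") can be sketched as follows. This is an added example, not code from any poster or from SpamAssassin: the corpus, all score values, and the reading of "base+offset" as one base score when any list hits plus a small per-list offset are assumptions made for illustration; only the +5 threshold and the list names come from the thread.

```python
THRESHOLD = 5.0  # tagging threshold quoted in the thread

# Constructed per-list scores, NOT SpamAssassin's shipped values.
ADDITIVE = {"WS": 3.0, "OB": 3.0, "SC": 4.0, "AB": 3.5, "BLACK": 3.0}
# Assumed base+offset scheme: BASE once if any list hits, plus small offsets.
BASE = 2.5
OFFSET = {"WS": 0.5, "OB": 0.5, "SC": 1.0, "AB": 0.8, "BLACK": 0.5}

# Constructed corpus: (is_spam, score from all non-URIBL rules, lists that hit)
CORPUS = [
    (True, 1.0, ("WS", "OB", "SC", "AB", "BLACK")),
    (True, 2.5, ("WS", "SC")),
    (True, 0.5, ("OB",)),
    (True, 4.0, ("BLACK",)),
    (False, 0.2, ("WS", "OB")),           # overlapping mistake on two lists
    (False, 1.0, ("BLACK",)),
    (False, 0.0, ("WS", "OB", "BLACK")),  # overlapping mistake on three lists
    (False, 0.3, ()),
]

def additive_score(hits):
    """Every list that hits contributes its full score."""
    return sum(ADDITIVE[h] for h in hits)

def base_offset_score(hits):
    """One base score for 'listed anywhere', plus a small offset per list."""
    return BASE + sum(OFFSET[h] for h in hits) if hits else 0.0

def evaluate(scorer):
    """Count false positives/negatives and the largest URIBL contribution."""
    fp = fn = 0
    max_uribl = 0.0
    for is_spam, other, hits in CORPUS:
        uribl = scorer(hits)
        max_uribl = max(max_uribl, uribl)
        tagged = other + uribl >= THRESHOLD
        if tagged and not is_spam:
            fp += 1
        elif not tagged and is_spam:
            fn += 1
    return {"fp": fp, "fn": fn, "max_uribl": round(max_uribl, 2)}

if __name__ == "__main__":
    for name, scorer in (("additive", additive_score),
                         ("base+offset", base_offset_score)):
        print(name, evaluate(scorer))
```

Replacing CORPUS with hit data from a local mail corpus turns this into the kind of measurement the reply asks for; the constructed numbers show only the mechanism, not real list accuracy.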