Kai Schaetzl wrote:
Robert Fitzpatrick wrote on Fri, 17 Aug 2007 08:56:33 -0400:

Well, like I said, we had big problems using anything in Botnet except
nordns.

That's why everything except the main BOTNET is set to 0 I guess ;-) You have to check for yourself if it fits or not. I just enabled a few (using a score of 1.) and lowered the main BOTNET score from 5.0 to 2.0. I think 5 is much too high as a default, this should be changed. Or maybe it's deliberate, so people don't just drop the files on their system without reading botnet.txt and botnet.variants.txt :-)

It's deliberately a 5.0 because the purpose is to flag all such messages for human review/quarantine (and there's a small assumption there that no rational human being is trashing or rejecting messages at a score in the range of 5 to 6, or even 5 to 10). Botnet isn't so much saying "This message is SPAM!!!", as it is saying "This message requires human review".


Over the last 9 months, my observation has been that, on a million-ish message per day system:

1) approx. 1% of Botnet marked messages are false positives

2) you can reduce false positives from Botnet by 66% by just dropping the score to 4.99, because the vast majority of false positives are scoring in the range 5 <= score < 5.01

3) you can eliminate the false positives entirely by setting the score to 4.0, because all of the false positives we've come across were in the range 5.0 <= score < 6 (actually, smaller than 6, but definitely 6 works there).

And, anecdotally, while I'm going to keep using the 5.0 score at home, at work the campus email team has decided to lower it to 4.0 for now (as soon as our change management process approves the change), and possibly adjust it back up toward 4.9 or 4.99 if that's letting through too many low scoring spam messages. (My suggestion was 4.99 and further adjust downward as necessary, but the group decided to go to 4.0 now and adjust back up if necessary.)
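The trade-off described in this message (a lower `score BOTNET` value removes the false positives clustered just at 5.0, but also lets through spam that hit little else) can be checked against your own reviewed mail before changing local.cf. The following is an added example, not code from the thread or from the Botnet plugin: it parses X-Spam-Status headers from messages a human has already labelled, re-totals each one as if the main BOTNET score were changed (sub-rules such as BOTNET_NORDNS are assumed to stay at their default 0), and counts flagged, false-positive and missed-spam messages for each candidate score. The headers and labels are constructed sample data; the function names are ours.

```python
import re

# Constructed sample: X-Spam-Status headers from messages a human reviewer has
# already labelled (True = really spam, False = legitimate mail).
REVIEWED = [
    ("X-Spam-Status: Yes, score=5.0 required=5.0 tests=BOTNET,BOTNET_NORDNS", False),
    ("X-Spam-Status: Yes, score=5.0 required=5.0 tests=BOTNET,BOTNET_NORDNS", False),
    ("X-Spam-Status: Yes, score=5.8 required=5.0 tests=BOTNET,BOTNET_NORDNS,HTML_MESSAGE", False),
    ("X-Spam-Status: Yes, score=7.4 required=5.0 tests=BAYES_99,BOTNET,BOTNET_NORDNS", True),
    ("X-Spam-Status: Yes, score=5.0 required=5.0 tests=BOTNET,BOTNET_NORDNS", True),
    ("X-Spam-Status: No, score=2.1 required=5.0 tests=HTML_MESSAGE", False),
]

STATUS_RE = re.compile(
    r"score=(?P<score>-?\d+(?:\.\d+)?).*?required=(?P<req>-?\d+(?:\.\d+)?)"
    r".*?tests=(?P<tests>[A-Z0-9_,]+)"
)

def parse_status(header):
    """Return (total score, required_score, set of rule names) from an X-Spam-Status header."""
    m = STATUS_RE.search(header)
    if not m:
        raise ValueError("not an X-Spam-Status header: %r" % header)
    tests = set(filter(None, m.group("tests").split(",")))
    return float(m.group("score")), float(m.group("req")), tests

def rescore(total, tests, new_botnet, old_botnet=5.0):
    """Total the message would get if 'score BOTNET' changed from old_botnet to new_botnet.
    Sub-rules (BOTNET_NORDNS etc.) are assumed to stay at 0, so only the main rule moves it."""
    if "BOTNET" not in tests:
        return total
    return round(total - old_botnet + new_botnet, 3)

def evaluate(reviewed, new_botnet, old_botnet=5.0):
    """Count what a candidate BOTNET score would flag, judged against the reviewer's labels."""
    counts = {"flagged": 0, "false_positives": 0, "missed_spam": 0}
    for header, is_spam in reviewed:
        total, required, tests = parse_status(header)
        flagged = rescore(total, tests, new_botnet, old_botnet) >= required
        counts["flagged"] += int(flagged)
        if flagged and not is_spam:
            counts["false_positives"] += 1
        if is_spam and not flagged:
            counts["missed_spam"] += 1
    return counts

if __name__ == "__main__":
    for candidate in (5.0, 4.99, 4.0):
        print("score BOTNET %.2f -> %s" % (candidate, evaluate(REVIEWED, candidate)))
```

On the sample above, 4.99 drops the false positives that scored exactly 5.0 while keeping the ones with other rules stacked on top, and 4.0 clears them all at the cost of one BOTNET-only spam; run it over your own quarantine to see where your messages actually fall.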
