Spam Filter ISP Support Forum


False Negatives - What to do

jerbo128 (Posted: 30 January 2008 at 9:08pm)
We have an unfiltered address setup where users send headers of messages that they received that were spam.
 
I have about 10 "regulars" who do this consistently.  It is not uncommon to receive 10 or more reports with headers per day per user.  I manually sift through these to block by IP and domain name, but I feel that I am not getting ahead.
 
I would love to see some method to "recycle" false negatives back to show spamfilter that it was a bad boy.  I know this has been brought up many times.
 
I know that the issue always seemed to stall around the "storage of good emails"....while waiting for users to declare them bad.  Has any progress been made here?
 
Anyone else - please chime in here.  Getting Frustrated.
 How do you handle these false positives? 
 What does anyone suggest for getting ahead of the curve?
 
Thanks
 
Jeremy

__M__ (Posted: 31 January 2008 at 4:21pm)
Jeremy, we do the same thing and also don't seem to make much of a difference by analyzing the spam that does get through. I too have thought that it would be nice to forward spam back into SFI for analysis.
 
Mike

jerbo128 (Posted: 02 February 2008 at 10:53pm)
Hotmail seems to be the biggest offender.  And of course, we can't blacklist the domain or its IPs.
 
What does anyone do specific to hotmail?
 
Jeremy

StevenJohns (Posted: 06 February 2008 at 5:01am)
Jeremy,
 
This may not be possible for your setup, but we forward all good email from SF over to our SpamAssassin server and then on to the actual mail server. We have disabled all the DNS lookup stuff on SpamAssassin and have just enabled the other non-network based filters.
 
Doing it this way means that a user can forward the body of the email to the SpamAssassin server which will re-learn it as spam.
 
We have found that about 10% of the emails that get through SF are indeed spam. Using a second filter such as SpamAssassin effectively blocks these few rogue emails and also gives the user a sense that they are helping to fight spam.
 
Steve.
 
pcmatt (Posted: 07 February 2008 at 3:51pm)

We wrote a vb application that reads in the reported headers/message from the reporting email account (customers use freeware spamsource to report); performs and documents all whois lookups, DNS, hostnames, SPF, MAPS results and other tests; saves everything in an Access database; then utilizes logic developed over the years since 2002 to decide if a new block entry should be added to emailfrom, IP and keyword block lists.   Allows us to review and make changes to the batch if desired, then automatically adds the new entries to our blocklist files.  Right now just writes new text files to be copied to the SpamFilter servers.  Will be updated to write to database when we upgrade to SpamFilter Enterprise.

We've thought about selling this technology.  Probably would need to be a source code license so people could modify the logic as desired.  Saves us about 20 hours of labor a week.  Not sure if this is what you need?
-Matt R

jerbo128 (Posted: 07 February 2008 at 4:18pm)
Our problem is that anything we do must be simple and web server based.  Most of our customers are those whom we cannot install additional software on their PCs, or they are the customers of an ISP.  Either way, simple must be it or they will not do it.  It's like pulling teeth to get them to check the quarantine when they are missing a message.
 
I am imagining a scenario where the message is kept for say 3 days.  A column is added titled spam.  Just like the deliver column.  When the Spam field is changed from 0 to 1, that indicates to the SFE service that this message should be reprocessed as spam.
 
Thoughts anyone?
 
Jeremy

Desperado (Posted: 07 February 2008 at 4:48pm)
Here is our quick and simple solution ... I call my uncle Guido and have him "explain it" to the Spammers! ... Just kidding but I wish I weren't!
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

StevenJohns (Posted: 07 February 2008 at 5:35pm)
Jeremy,
 
I understand your issue, but it's much more complex than that. Unfortunately one man's spam is another man's ham.
If user A decides that a marketing email from an insurance company is spam, should their IP be blocked for everyone?? What then happens when you get insurance brokers as clients??
 
The only way to deal with this is to have per user filters, but this gets very complex then.
 
 
jerbo128 (Posted: 07 February 2008 at 5:40pm)
I understand that one man's spam is another's ham. 
 
My thought - If the filter is "reviewing" the message, and reports to the SFDC or SFDB, filter administrators can still determine at what level a message is spam.  Just as those filters are designed to do.  Odds are, if 10 different servers have reported it as spam, it probably is.
 
I am not saying to reinvent the wheel, just to allow a bit more reporting to the SFDC or SFDB, especially when the filter missed it in the first place.
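
Added example, not code from any poster or from SpamFilter: a sketch of the report triage the thread describes, reading reported headers, trusting only the Received line stamped by your own server, and proposing an IP block only when several distinct users report the same source. The hostname `mx.example.net`, the Received layout, the threshold of 3 and the never-block list are assumptions; all sample data is constructed.

```python
import re
from collections import defaultdict
from email import message_from_string

OUR_MX = "mx.example.net"        # assumed hostname of our own inbound filter
NEVER_BLOCK = (".hotmail.com",)  # shared providers: review, never blocklist the IP
MIN_REPORTERS = 3                # assumed number of distinct reporters required

# "from <helo> (<rdns> [<ipv4>]) by <host>" -- one common Received layout (assumed)
RECEIVED = re.compile(
    r"from\s+\S+\s+\((\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+([\w.-]+)")

def connecting_host(raw_headers):
    """Return (rdns, ip) from the Received line stamped by OUR_MX, else None.
    Received lines below it were written by the sender side and can be forged."""
    msg = message_from_string(raw_headers)
    for value in msg.get_all("Received", []):
        m = RECEIVED.search(" ".join(value.split()))  # undo header folding
        if m and m.group(3).lower() == OUR_MX:
            return m.group(1).lower(), m.group(2)
    return None

def propose_blocks(reports):
    """reports: (reporter, raw_headers) pairs -> (ips to block, ips to review)."""
    reporters, rdns_of = defaultdict(set), {}
    for reporter, raw in reports:
        host = connecting_host(raw)
        if host:
            rdns_of[host[1]] = host[0]
            reporters[host[1]].add(reporter)  # a set: repeat reports count once
    block, review = [], []
    for ip, who in sorted(reporters.items()):
        if len(who) < MIN_REPORTERS:
            continue  # a single user's complaint is not enough to block for all
        (review if rdns_of[ip].endswith(NEVER_BLOCK) else block).append(ip)
    return block, review

def sample_headers(rdns, ip):
    """Constructed report: our MX's Received line above a forged older one."""
    return (f"Received: from helo.invalid ({rdns} [{ip}])\n\tby {OUR_MX};"
            " Wed, 30 Jan 2008 21:08:00 -0600\n"
            "Received: from pc (pc [198.51.100.99]) by relay.invalid;"
            " Wed, 30 Jan 2008 21:07:00 -0600\nSubject: constructed\n\n")

SAMPLE_REPORTS = (  # constructed data using documentation address ranges
    [(u, sample_headers("bulk.example.org", "203.0.113.7")) for u in "abc"]
    + [(u, sample_headers("omc1.hotmail.com", "198.51.100.20")) for u in "abc"]
    + [("a", sample_headers("mail.insurer.example", "192.0.2.10"))] * 2)
```

On the sample, `propose_blocks(SAMPLE_REPORTS)` puts the bulk sender's IP on the block list, routes the Hotmail relay to manual review, and ignores the insurer that only one user reported twice.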