Print Page | Close Window

False Negatives - What to do

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6376
Printed Date: 14 March 2025 at 7:16pm


Topic: False Negatives - What to do
Posted By: jerbo128
Subject: False Negatives - What to do
Date Posted: 30 January 2008 at 9:08pm
We have an unfiltered address setup where users send headers of messages that they received that were spam.
 
I have about 10 "regulars" who do this consistantly.  It is not uncommon to recieve 10 or more reports with headers per day per user.  I manually sift through these to block by IP and domain name, but I feel that I am not getting ahead.
 
I would love to see some method to "recycle" false negatives back to show spamfilter that it was a bad boy.  I know this has been brought up many times.
 
I know that the issue always seemed to stall around the "storage of good emails"....while waiting for users to declare them bad.  Has any progress been made here?
 
Anyone else - please chime in here.  Getting Frustrated.
 How do you handle these false positives? 
 What does anyone suggest for getting ahead of the curve?
 
Thanks
 
Jeremy


Replies:
Posted By: __M__
Date Posted: 31 January 2008 at 4:21pm
Jeremy, we do the same thing and also don't seem to make much of a difference by analyzing the spam that does get through. I too have thought that it would be nice to forward spam back into SFI for analysis.
 
Mike

Posted By: jerbo128
Date Posted: 02 February 2008 at 10:53pm
Hotmail seems to be the biggest offender.  And of course, we can't blacklist the domain or it's ips.
 
What does anyone do specific to hotmail?
 
Jeremy

Posted By: StevenJohns
Date Posted: 06 February 2008 at 5:01am
Jeremy,
 
This may not be possible for your setup, but we forward all good email from SF over to our SpamAssassin server and then onto the acutal mail server. We have disabled all the dns lookup stuff on SpamAssassin and have just enabled the other non-network based filters
 
Doing it this way means that a user can forward the body of the email to the SpamAssassin server which will re-learn it as spam.
 
We have found that about 10% of the emails that get through SF are indeed spam. Using a second filter such as SpamAssassin effectively blocks these few rouge emails and also gives the user a sense that they are helping to fight spam.
 
Steve.
 

Posted By: pcmatt
Date Posted: 07 February 2008 at 3:51pm

We wrote a vb application that reads in the reported headers/message from the reporting email account (customers use freeware spamsource to report); performs and documents all whois lookups, DNS, hostnames, SPF, MAPS results and other tests; saves everything in an Access database; then utilizes logic developed over the years since 2002 to decide if a new block entry should be added to emailfrom, IP and keyword block lists.   Allows us to review and make changes to the batch if desired, then automatically adds the new entries to our blocklist files.  Right now just writes new text files to be copied to the SpamFilter servers.  Will be updated to write to database when we upgrade to SpamFilter Enterprise.

We've thought about selling this technology.  Probably would need to be a source code license so people could modify the logic as desired.  Saves us about 20 hours of labor a week.  Not sure if this is what you need?


-------------
-Matt R

Posted By: jerbo128
Date Posted: 07 February 2008 at 4:18pm
Our problem is that anything we do must be simple and web server based.  Most of our customers are those whom we cannot install additional software on their pc's or They are the customers of an ISP.  Either way, simple must be it or they will not do it.  It's like pulling teeth to get them to check the quarantine when they are missing a message.
 
I am imagining a scenerio where the message is kept for say 3 days.  A column is added titled spam.  Just like the deliver column.  When the Spam field is changed from 0 to 1, that indicates to the SFE service that this message should be reprocessed as spam.
 
Thoughts anyone?
 
Jeremy

Posted By: Desperado
Date Posted: 07 February 2008 at 4:48pm
Here is our quick and simple solution ... I call my uncle Guido and have him "explain it" to the Spammers! ... Just kidding but I wish I weren't!

-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Posted By: StevenJohns
Date Posted: 07 February 2008 at 5:35pm
Jeremy,
 
I understand your issue, but it's much more complex than that. Unfortunately one man's spam is another man's ham.
If user A descides that a marketing email from an insurance company is spam, should their IP be blocked for everyone?? What then happens when you get insurance brokers as clients??
 
The only way to deal with this is to have per user filters, but this gets very complex then.
 
 

Posted By: jerbo128
Date Posted: 07 February 2008 at 5:40pm
I understand that one man's spam is another's ham. 
 
My thought - If the filter is "reviewing" the message, and reports to the SFDC or SFDB, filter administrators can still determine at what level a message is spam.  Just as those filters are designed to do.  Odds are, if 10 different servers have reported it as spam, it probably is.
 
I am not saying to reinvent the wheel, just to allow a bit more reporting to the SFDC or SFDB, especially when the filter missed it in the first place.


Print Page | Close Window