Home   Help Search Groups Login Register  
You are not logged in. To get the full experience of these forums, we recommend you log in or register
Plusnet Usergroup » All Users - The Open Forum » Plusnet Network and Technical Issues » Training spam filter - any point?
Pages: [1] 2 3 ... 16
  Print  
Author Topic: Training spam filter - any point?  (Read 130028 times)
jelv1

Posts: 2130

« on: May 30, 2007, 08:44:54 am »

Is there any point forwarding emails to spam@despamchecker.plus.com ?

I have been forwarding many emails and I can see no sign that the detection is improving - I'm still getting many emails promising to enlarge a part of my anatomy and similar which are not being tagged.

I've seen a post somewhere that says equal numbers of spam and notspam emails are being fed in to the training. I could understand that if the number of false positives was similar to the number of missed spams, but it is not, the number of missed spams far exceeds the number of false positives. So shouldn't more missed spams be fed in until it balances out.

And before someone responds to say that was what was done before when it suddenly started marking nearly everything as spam, I understand that that was down to it being fed a large number of unvetted emails in one chunk - not just because of the number.

jelv
MauriceB
Administrator

Posts: 4356

« Reply #1 on: May 30, 2007, 11:49:34 am »

I've got the same concern John.  Keep feeding the SPAMCHECKER but still they arrive!  Some weeks ago it was 1 - 2 per day, but it is steadily rising - 6 today angry

False spam is very low - last I had was many weeks ago tongue

IMAP folder getting between 10 and 20 per day.

Maurice
godsell4

Posts: 397

« Reply #2 on: May 30, 2007, 12:35:31 pm »


Have you taken a look at the e-mail headers to see how many of the SPAM messages you get have been identified as coming via a known open relay ... as described on the PN portal here?

SW.

BBYW1/10GB
spraxyt
Usergroup Member

Posts: 3003

« Reply #3 on: May 30, 2007, 12:54:03 pm »

I share the concern too.  I've forwarded many missed spam messages since the deluge started but detection does not appear to be improving.  One yesterday came from an open relay on the spamcop blacklist.  I was surprised this wasn't marked.

x-open-relay: 122.167.72.27 is in a black list at bl.spamcop.net

The spammers seem to be putting the "message" as the subject, with more "innocent" words and a link in the message body.  Do the filters give equal weight to the subject line?

I've often wondered how messages forwarded for filter training are processed - is this described anywhere?

David
simonflood

Posts: 88

« Reply #4 on: May 30, 2007, 01:21:41 pm »

Is there any point forwarding emails to spam@despamchecker.plus.com ?

I have been forwarding many emails and I can see no sign that the detection is improving - I'm still getting many emails promising to enlarge a part of my anatomy and similar which are not being tagged.

I was wondering the same thing myself as I've been busy forwarding spam messages from 6 PlusNet mailboxes (I'm managing my Mother-in-Law's account in addition to my own).

As I currently understand messages need to be forwarded with full headers in-line in order to be effective.  Forwarding spam messages as attachments is no good.  This is a pity as reporting spam via Webmail is a real PITA (hence my earlier suggestion of Spam/Not Spam buttons).

Perhaps someone from PlusNet can clarify the following with regards to the spam reporting processs?

  • Does it matter which e-mail address is used to report spam? (ie. what happens if an alias on an external domain forwards to a PlusNet mailbox)
  • Does it have to be a PlusNet e-mail address (ie. something@username.plus.com) that is used to report spam?
  • Does it have to be sent from the same mailbox that received it? (ie. could postmaster report all spam for a set of mailboxes?)

If it's possible for non-PlusNet e-mail addresses to forward spam messages to spam@despamchecker.plus.com presumably non-PlusNet e-mail addresses are blocked from sending to notspam@despamchecker.plus.com (to stop spammers attempting to get their spams classed as non-spam)?  If not, perhaps PlusNet want to close this loophole ASAP!  However I'd rather any e-mail address can send to spam@despamchecker.plus.com as it's the sole address in my webmail address book in case spammers gain access again!!

Simon
simonflood

Posts: 88

« Reply #5 on: May 30, 2007, 03:12:26 pm »

Is there any point forwarding emails to spam@despamchecker.plus.com ?

I have been forwarding many emails and I can see no sign that the detection is improving - I'm still getting many emails promising to enlarge a part of my anatomy and similar which are not being tagged.

I was wondering the same thing myself as I've been busy forwarding spam messages from 6 PlusNet mailboxes (I'm managing my Mother-in-Law's account in addition to my own).

It seems that there is a point to forwarding e-mails as I've just checked the mailboxes I own/look after and whilst they've all received spam overnight all the spam messages were correctly tagged as [-SPAM-] and moved into the Spam folder! smiley

Simon
bpullen
Plusnet Staff

Posts: 1980


WWW
« Reply #6 on: May 30, 2007, 03:26:21 pm »

Hi guys,

I can definitely double check to ensure housekeeping are on top of the training however whilst I'm here it may be useful if I provide further details regarding how the spam filter is trained...

There is an automatic training system which runs every night on all of the mxcore servers. This system relies on a cron job on the mailops server.

This script has only one purpose, it moves emails from the imap folders for spam and notspam, under the account despamchecker, into a network share held on the NAS.

This share has two folders, clean and spam. A script, which is held on each of the mxcore servers, picks up the emails held in these folders, and passes them through dspamc with the options specific to the folders definition. For instance, emails held in the clean folder are treated as innocent emails.

It forks into two processes, one which trains spam emails, while the other trains clean. The script is run on the servers in a staggered way, each server launching the process 15 minutes after the server numerically number one less that its self; i.e. sunmxcore01 starts at 01:00 while sunmxcore02 starts at 01:15.

The IMAP folders used by the automatic training system are populated by our housekeeping team.

This person will...

  • Setup an IMAP client to access the despamchecker mailboxes.
  • In the despamchecker+spam mailbox check the headers off all mails, and a sample of the actual mails.
  • Once happy that the mails in the despamchecker+spam account are spams move a maximum of 400 over to the Spam IMAP folder under the despamchecker account.
  • In the despamchecker+notspam mailbox check the headers off all mails, and a sample of the actual mails.
  • Once happy that the mails in the despamchecker+notspam account are not spams move a maximum of 400 over to the notspam IMAP folder under the despamchecker account.
  • Now check that the Spam and notspam folders under the despamchecker account have the same number of emails pending.
  • Clean out the spam+despamchecker and notspam+despamchecker accounts.
  • Any emails both in SPAM and NOTSPAM folders which are above 10K can be safely deleted. DSPAM uses text to train itself and attachments or large emails are no use for training.
.

We've also been using the odd honeypot address here and there following the recent spam problems as mentioned here.

jelv1

Posts: 2130

« Reply #7 on: May 30, 2007, 04:09:53 pm »

I can't see where you notify people that their submissions are not in the correct format. I presume you wouldn't want users wasting their time submitting either spam or notspam on a regular basis if they were all being ditched!

jelv
poppy

Posts: 142

« Reply #8 on: May 30, 2007, 05:21:49 pm »

Not sure if I am doing things right - when I receive a message that is not marked I forward it to despamchecker by a tick in the box and clicking forward i.e. without actually opening the e-mail. Is this correct or should the e-mail be opened and forwarded from within that?

Force 9
Joined 03 June 2004
jelv1

Posts: 2130

« Reply #9 on: May 30, 2007, 06:39:22 pm »

I think you are probably doing the wrong thing as I don't think that will include all the headers - but it will depend on what you are using to do this.

jelv
poppy

Posts: 142

« Reply #10 on: May 30, 2007, 08:47:56 pm »

Thank you for the reply. I am forwarding them from within webmail. I would like to know the correct procedure as there is no point in forwarding to despam if it is wrong.

Force 9
Joined 03 June 2004
jelv1

Posts: 2130

« Reply #11 on: May 30, 2007, 08:56:50 pm »

AIUI you need to:

1. Select View Full Header from the options when you have the message open.
2. Then copy everything that that gives.
3. Now go back to View Message.
4. Select Forward (not forward as attachment)
5. Delete the header lines at the top of the email down as far as the line under the To:
6. Paste the full header you saved in step 2 to the top of the email.

Simple isn't it (not!).

jelv
poppy

Posts: 142

« Reply #12 on: May 31, 2007, 07:01:23 am »

Doesn't sound simple to me! Any comment from staff?

Force 9
Joined 03 June 2004
ianwild

Posts: 3979


Not to be confused with Mike, Wildmind.

WWW
« Reply #13 on: May 31, 2007, 08:48:32 am »

I agree it could be simpler, and we'd welcome suggestions for making it so.

As it is, with a Webmail client (When we have locked down what we want) a "Report Spam" button will be a must have. From people's own email software though, there is only so much we can do as we need to see and verify the emails before we train the spam filter.

Ian

Regards,

Ian Wild
PlusNet Support
poppy

Posts: 142

« Reply #14 on: May 31, 2007, 10:38:25 am »

Thanks for the reply Ian.  Just to clarify (the idiot's guide), is it OK just to open the e-mail and click 'Forward' then add the despamchecker address? Will this do the job?  I have an aversion to actually opening them and that is why I was putting a tick in the box and clicking 'Forward' but I suspect that this is no good.

Force 9
Joined 03 June 2004
Pages: [1] 2 3 ... 16
  Print  
 
Jump to: