next »

[mikeb]

OK then, this is the first of the shiny new go-faster graphs and it shows total spam volume on A/Cs and mboxes split into that arriving via postini and non-postini servers. It might look quite similar to previous graphs but be very careful if trying to make comparisons between the old and new graphs. It's the same old data of course just reprocessed and presented slightly differently and the old/new graphs obviously have a similar shape/trend but the only thing that is entirely consistent between them is the grand total for ALL A/Cs and mboxes which isn't actually shown on the graph. The individual curves are produced from differing combinations of raw data. 

It should also be noted that the type or style of spam being received on certain A/Cs and mboxes tends to be somewhat different and therefore the two curves are not directly comparable. For instance, the non-postini curve consists almost exclusively of spam targeted at webmail compromised addresses whereas the postini curve consists primarily of random spam but does also include a fair amount of targeted spam as well. However, once again, shapes and trends will tend to correlate but comparing absolute figures is unwise.

The "dotted" section of the postini curve is the rather lengthy transition period during which some data was coming via postini but varying amounts weren't due to DNS update and other PN problems. Spam before this period was received exclusively via the PN servers and spam after this period was received exclusively via postini servers.

What can clearly be seen is that as I said last week, spam volumes appeared to be generally falling quite significantly from the Xmas(ish) peak and this was not exclusively down to postini action. I would guess this is due primarily to RBL updates as I doubt there were sufficient reports and updates being made around and particularly during the Xmas break to keep on top of the inevitable rising volume expected at this time of year.

The general reduction in spam being received via postini is also quite clear and significant but has not, however, come without problems. The level of False Positives (100% genuine mail classified as spam) and False Negatives (100% spam not being classified as spam) is some (considerable) way from the targets/SLAs, especially False Positives of course. There are also apparent problems with some 100% genuine mail being lost or otherwise going AWOL when sent via the postini servers but not when sent via the PN servers - presumably because it's being dumped or rejected on receipt due to being erroneously classified as spam.  The False Positive situation was plenty bad enough initially but recent PN changes to reduce False Negatives have obviously resulted in a significant increase in False Positives.

I have a few other graphs on the go but they don't show anything particular interesting or reliable at the mo and the data hasn't really settled down sufficiently to warrant showing them because they would be somewhat misleading. If/when they start showing something of value then they will appear along with the volume graph.  If anyone has any suggestions of anything in particular that might be worthy of monitoring then shout and I'll see what I can do ... but no promises, it depends on how much time it will consume to produce the stats from the raw data or message contents and whether the end result is meaningful

[northbritish]

Thanks for keeping the graphs going Mike.  I find it interesting to see the results of your spam monitoring.

[quaint1]

I fully agree with Northbritish.  Thanks veyr much Mike.

[jelv1]

As DSPAM will shortly be dead - so should this topic!

In my previous post above I linked to the Postini topic which is where I would suggest the posts following that post should be moved.

[northbritish]

I can see your point, but it also indicates the difference between the old and new anti-spam systems so could be viewed as a natural conclusion to this thread.  I'll defer to MikeB on this as they're his graphs.  If Mike wants the last one moved into the Postini thread I'll do the necessary, otherwise I'll leave it.

[mikeb]

Well, DSPAM may well soon bite the dust but I would suggest that whilst this thread might have been originally concerned with "what's the point of training DSPAM" it is perhaps equally valid and more than likely appropriate and necessary for "what's the point in training [insert any anti-spam system you like here]" ! Something tells me that in several weeks/months time the very same customer issues previously seen with DSPAM will be apparent with postini: reports are regularly being made regarding false negatives/positives but there doesn't appear to be any progress being made in tagging or not tagging similar messages several days/weeks later. OK, hopefully not to the same extent but I'd still put my money on somewhat less that swift action (if any) by postini to resolve specific PN customer reports of apparent problems with the detection

My graphs didn't really belong in here either TBH. They were only posted initially to demonstrate that some of the issues customers were reporting were actually not really to do with DSPAM at all but were more likely down to natural variation in incoming spam volume. After that it just seemed sensible to post various updates in the same place and also to add criticalpath stats when appropriate because the thread specifically intended for critical path trial discussion was buried in the back of beyond and important stuff was getting missed.

I don't particularly care where they go so if peeps want recent posts moved and subsequent posts made in an alternative existing thread then that's just fine by me. There are of course 2 postini threads running so there are two choices ! I'm also tempted to suggest that perhaps a better option is to have a separate thread for performance monitoring and showing stats various rather than having interesting/useful information possibly getting lost in a sea of general discussion.  Of course, my stats other than spam volume will most likely be 100% related to postini and none of them ever did relate to DSPAM at all. It was always unfiltered data as all optional filtering was disabled. It's now going to be postini .vs. plusnet on spam volume and postini performance indicators various if/when any of my other monitoring starts to look interesting and meaningful.

So the options appear to be:

(1) Maintain this thread for discussion of performance and training of spam filters various. 

(2) Merge all existing postini threads into one and keep all discussion relevant to postini in there regardless of what particular aspect is being discussed.

(3) Create a new thread for postini performance stats various so they can be found or referenced easily.

I think my preference is for (3) but like I said, I don't feel that strongly about where the info goes TBH just so long as it's readily available to anyone who may be vaguely interested in it.

Can we come up with a consensus of opinion before next Sunday without adding a further 'n' pages I wonder ... Hmmmm, maybe we should just leave a passing Mod to make an executive decision

[spraxyt]

Mike,

Thanks for comments and suggestions - decision made, suggestion 3 it is.

I agree, moving the new graphs to their own thread makes it easier to find them and for new readers to pick up the story.

For reference similar trend plots prior to Postini introduction can be found under Training spam filter - any point?

David

[mikeb]

Thanks for shifting the posts to a new thread and here is the spam volume graph for this week. Nice to see a decreasing trend still although I wouldn't be in any way convinced that it will continue for very long !

I think that it's also worth publishing the second of my new graphs this week as well. This shows the postini spam detection rate for the A/Cs and mailboxes being monitored.  All mail (excepting occasional PN mailings to one particular old mailbox) is spam, no other genuine mail is ever received.  The graph is clearly showing that despite the overly aggressive nature of postini and the recent PN changes to tag messages with any triggered category filter (regardless of the actual category score ) as spam, the detection rate is still significantly lower than the SLA of 98%.

As some of you will no doubt already know, I've been having plenty of problems with false positives and highly suspicious missing mail. I have various genuine messages being sent to a test A/C via postini as well as also being sent to my main PN non-postini A/C.  What I'm seeing is there are a few messages failing to arrive at the postini A/C and a very significant quantity of genuine mail is being identified as spam by postini. All these generally speaking regular messages are from a variety of reputable organisations and UK companies who I've been receiving messages from, at my specific request, for a good many years without problems.

Whilst I cannot be 100% definite that postini is refusing some messages, the probability of this being the case is significantly higher than the probability of several senders not sending messages to one A/C but sending them to another A/C. Based on my limited tests and ignoring PN forum and other messages which are globally whitelisted, I would estimate that by far the vast majority of my mail would be erroneously identified as spam if I had postini on my main A/C, however, my biggest concern is the huge potential for lost important mail of course.  The recent PN changes to make use of the category filters without actually taking the relevant category score into account has made the problem very much worse of course.

I can't see a particularly fair way of presenting stats for false positives at the moment because the data is only from a test A/C receiving a limited number of messages and generally from senders more likely to be problematic. However, what does seem quite clear is that postini has big issues with just about any message from a forum, mailing list or any other genuine commercial organisation communicating with it's customers. The Please Post Evidence Of Postini False Positives Thread on the PN forum contains much evidence from various customers and many different totally legitimate senders. I've also seen comments from other customers suggesting that they have several 10's of false positives (not sure about the time frame but <1 month presumably) and others who are definitely experiencing postini rejecting mail for no good reason. So there is absolutely no shortage of evidence that mail is going AWOL and that the postini algorithms are somewhat flawed and very aggressive but despite this, the detection rate still isn't up to the required standard. The postini SLA for false positives is apparently 0.0003% but I (and way more than a few other customers) are seeing performance several orders of magnitude worse than that.

Other people may well consider that the obvious 'solution' is whitelisting but I personally don't see that as any kind of real solution at all. It's not fixing the serious problem of flawed detection algorithms but is simply hiding the problem. In much the same way as filtering spam isn't solving the spam problem at all but just hiding it mind you It's also leaving the door wide open for Mr.Spammer to abuse the system of course.  Whitelisting has it's uses but should only be used in exceptional circumstances IMHO and most certainly not by default. It simply should not be necessary for all customers to have to whitelist vast numbers of totally genuine and reputable organisations just to get postini to deliver messages. Also, it may not actually prevent mail from being rejected and in any case it's a bit difficult to whitelist a sender if you can't receive any messages from them in the first place ! 

No one (with any competence) would be suggesting that customers need to poke holes in a firewall willy-nilly so why suggest they do the same with an anti-spam system ? Mr.Spammer already targets info, webmaster, sales and admin etc at random domains so it wont be long before he starts the 'guess the very obvious whitelist entries' game to supplement that. Or simply send everything out as a "PN Newsletter" and/or allegedly from eBay.com so it will come flooding through to everyone's inbox courtesy of the whitelisted addresses. Whitelisting may be a necessary (very) short term fudge but it's by no means a long-term solution, the fundamental problem needs addressing and fixing.  Unfortunately, I see no real evidence that the problem is being taken seriously never mind being addressed and fixed by postini, just way too many comments that all will be just fine if/when the whitelisting functionality appears.  I don't think that's good news

I'm also monitoring spam scoring on a few regular(ish) and inherently very similar messages so here's a quicky preview:

I'm not sure that it will show anything particularly interesting in the long term but it does show the variability in scoring so far which in some (most) cases is not very explainable. I was sort of expecting to see some correlation between score changes in the various messages but there is none that I can see at the mo.

[MauriceB]

Thanks for the detailed graphs and explanations Mike.  This is just the sort of data that PN aught to be taking note of!  From the style and detail you present, I guess that you can replicate and 'prove' many of the assertions.  'Prove' in this context is a suitably vague concept 

The thread on Community certainly has a fair number of coherent replies to the 'false positives' and other odd 'mishaps' - might it be worth collating several of the better examples into a solid case to present to PN? 

I'm optimistic that the Postini solution will eventually produce a better SPAM product than the old system - but we (Users and PN) need to collaborate to ensure that these niggles get sorted quickly before they clog the fan

Maurice

[jelv1]

Mike,

The Postini server we are using is in America. Can you see any evidence from your monitoring that UK based senders are more likely to be problematical than US based ones (e.g. ebay.co.uk given lower scores than ebay.com)?

[mikeb]

I have archives of (just about) every genuine message sent/received since sometime in early 1997 and (just about) every spam received since 13th May 2007 so yes, the raw data behind the graphs is still lurking somewhere in the darkest corner of my system.  Hmmm, I think I feel a backup coming on at this point before the famous last words along the lines of "I haven't lost any data in donkey's years" develops a rather embarrassing hollow ring and becomes something more like "unfortunately,  I hadn't done a backup in donkey's years ... ooops, b*gger and all that"
  

A selection of false positives have been reported to date as have possible missing mails but they're somewhat more difficult to prove of course without being able to obtain a bounce of some sort from the sender. I think it's pretty fair to say that with a few notable exceptions (yahoo groups digests in particular), most messages have what appears to be an unreasonably low spam score and just about all messages have the PN "spam 'n'" header.  I've also seen a number of genuine messages with the (in)famous "2strike" header meaning that postini would have preferred to reject the message but on this one occasion hasn't - although subsequent messages may well have be rejected if similar messages were received for some undefined period of time after the one that got tagged.

However, I do think that it's really important to stress once again that virtually all the messages received on my test A/C are of the kind most likely to be problematic but that it does reflect the type of messages I regularly receive on my main A/C. I also accept that my e-mail use may well be more than a bit unusual when compared to most customers. Specifically, I tend to insist (wherever possible) that messages are plain text not html and I don't tend to receive "idle chit-chat" stylee personal e-mails either. It's primarily 'machine generated' stuff: forum or message board related stuff, newsletters and mailing lists plus various commercial mailings such as order confirmations, invoices, dispatch notifications, special offers etc. I'm quite sure that all goes a very long way towards explaining why I always seem to suffer problems whenever any attempts are being made to reduce spam. The various earlier PN attempts to reduce spam internally resulted in significantly more problems than postini and the last criticalpath trial significantly less problems (and better overall performance) than postini.

I really do think you have a good point Mr.Jelv (differing treatment of US or international organisations .vs. UK based organisations) and that's one of several reasons why I was pretty annoyed that PN insisted on suppressing the postini headers in messages from globally whiteslisted senders. It totally removes all evidence of how bad the problem is with certain known 'problem' senders and prevents any analysis.  As you say, comparing the scoring of ebay.com messages relative to ebay.co.uk and PN forum messages relative to other forums or PN/BT marketing messages relative to other US/UK organisations might well provide some very interesting and very useful data. I'm very disappointed that this still hasn't been sorted and get the feeling that the "severe embarrassment factor" is preventing action rather than there being any particularly good reason for why it didn't happen as announced.

Despite having no evidence whatsoever, I would strongly suspect that the likelihood of a very significant number of reputable US based organisations having their messages being routinely considered as spam is relatively low whereas it appears that quite a few primarily UK organisations are suffering with poor scoring for no apparent good reason.  Maybe that would simply be down to the fact that postini is used to regularly seeing messages from a whole host of US based organisations but not the UK equivalents so to speak. But then again, maybe the rampant litigation culture in the US plays a significant part in the focusing of minds   I mean why should a yahoo digest ALWAYS appear to get a 99.9000% score regardless of specific content ? I don't think I've ever seen one that hasn't and I generally get 2 per day. Very suspicious of being a deliberate frig to avoid upsetting Yahoo - although maybe that will change if/when M$ get in on the action of course ! I think I would be prepared to put money on some individual group messages being scored pretty low but not when bundled up into a digest.  Who knows, but postini having issues with false positives and with forum, mailing list, commercial mailings and just about any other 'machine generated' mail in particular does seem to be a quite common and long-term issue going by a variety of comments I've seen posted all over the place.

[jelv1]

Now here's something to throw in to the pot: a quote from Postini's own Community forums

Hello,

is anyone else experiences the same problem, that the false positive rate got higher?
We got higher amount of complaints from our customers, that too many legitimate mails are inside the quarantine.

Mails of our customers are mainly german or other european languages besides english, but within the last year we didn't have this problem, we had to start to open up specific mailservers but this shouldnt be the solution as Spam-Viruses might abuse those mailservers and spam gets through.

So I wondered if someone else experiences this?

I will go through and check our overall quarantine delivery log, and probably we have to change settings via batch.

But probably we are not alone.

Sure, if you look at those messages, you might assume they are spammy. either they come from freemailers, where a line of ads are added, or from tourism portals with enquiries about holiday, where logos are inserted and different from adresses (the one the customer types in) are used. Sometimes the text is low (Please make us an offer for holidays from x to y for 2 adults. Thanks....) But still legitimate mails.

As the frequence of enquiries is highest in january throughout the whole year, this could also explain it. But we still have to spot the problem to either open up those mailservers.

There isn't a feature to have mailservers having scanned at lower rate, I don't feel confident opening up ip's of freemail providers, while this should still work better than customers suddenly adding those domains onto the whitelist.

But it would help if I could say, those IP's should be scanned at a lower rate, .. some like this.

I wonder if we should sign up to the Postini forums and start asking some questions on there.

I think I might start by asking why this message was marked as spam!
Envelope-to: abc@xyz.plus.com
Delivery-date: Sat, 02 Feb 2008 14:08:25 +0000
Received: from exprod5mx250.postini.com ([64.18.0.170] helo=psmtp.com)
     by pih-sunmxcore15.plus.net with smtp (PlusNet MXCore v2.00) id 1JLJ2d-0003jV-Sd
     for abc@xyz.plus.com; Sat, 02 Feb 2008 14:08:25 +0000
Received: from source ([81.29.64.116]) by exprod5mx250.postini.com ([64.18.4.14]) with SMTP;
   Sat, 02 Feb 2008 08:08:21 CST
Received: from twconnect.com (localhost [127.0.0.1])
   by mail.twconnect.com (Postfix) with ESMTP id 744248F819C
   for <abc@xyz.plus.com>; Sat,  2 Feb 2008 14:08:16 +0000 (GMT)
Message-ID: <251591.connect@twconnect.com>
Date: Sat, 2 Feb 2008 14:08:16 +0000 (GMT)
From: MessageLabs Intelligence <mlireport@messagelabs.com>
To: abc@xyz.plus.com
Subject: [-SPAM-] =?UTF-8?Q?MessageLabs_Intelligence:_Spammers_Exploit_New_Year_Diffi?=
 =?UTF-8?Q?dence_=E2=80=93_Financial_Uncertaint?=
 =?UTF-8?Q?ies_and_Personal_Insecurities?=
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative";
   boundary="----=_Part_9611_25951650.1201961296412"
X-pstn-neptune: 2/1/0.50/59
X-pstn-levels:     (S:31.61122/99.90000 CV:24.3639 R:95.9108 P:95.9108 M:88.2296 C:51.8443 )
X-pstn-settings: 1 (0.1500:0.1500) CV gt3 gt2 gt1 r p m C
X-pstn-addresses: from <mlireport@messagelabs.com> [31/3]
X-pn-pstn: Spam 1
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)

[mikeb]

Sorry, a bit late on parade and I've got an absolute mountain of stuff to catch up on so not much time for this at the mo but here's a quicky update. Some rather interesting and maybe not-so-good developments on the chopped ham and pork front this week.

SPAM VOLUME AND DETECTION RATE

Firstly, a continued decreasing trend in overall volume which although not particularly significant is always a good thing to see ... providing that it's a result of good and reliable analysis rather than being indicative of other problems of course.

But very much more interesting is the number of false negatives. Right from the start, even during the transition period, the number of false negatives (obvious spam scored >0.15) was running at around 10% to 15% of the total volume of mail passed through postini.  It should perhaps be noted that category filtering and filtering on "2strike" etc. doesn't really have any significant effect with the spam I generally receive on the monitored A/Cs and mboxes so the period of time when this kind of filtering was in place is not particularly relevant. Regrettably, category and "2strike" filtering only serves to increase the number of false positives on other A/Cs or mboxes and does absolutely nothing to help improve spam detection on my spam messages. The effect of filtering on the "neptune" header is generally speaking not that significant on my spam either as most of it is scored well below the 0.15 threshold in any case although it would have helped to reduce false negatives in recent weeks IF what appears to be a postini change in neptune header format (which was reported and questioned ages ago) had been noted and implemented by PN if appropriate rather than presumably just looking for ye olde style header

From early in the week it was clear something had dramatically changed somewhere.  The expected number of false negatives were seen on Sunday 3rd Feb but none on Monday, one on Tuesday and none whatsoever since then. This has obviously brought the detection rate for the week smartly up to a much more acceptable and near SLA level.  I have no idea exactly what's happened to make this improvement of course but if it's real and continues into next week then we're looking at 100% detection rate based on this week's data ! 

PLEASE NOTE that I've modified the detection rate graph slightly this week so that all mail bypassing postini during the transition period is excluded rather than effectively being considered as a false negative which resulted in the relatively smooth curve during the transition period as was shown on last weeks graph. Not sure why I didn't do this initially but I really should have because the transition period is completely irrelevant if the calculation is performed solely on messages received via postini and all other messages are ignored.  All messages are now received via postini of course, it was only during the transition period as indicated by the "dotted" section on the volume graph where some were bypassing the filtering.

Maybe it's just that a whole bunch of IPs have found their way onto RBLs or have been taken out of service but I rather suspect someone has been a'tweaking somewhere because a sudden, unexpected and unexplained sharp(ish) increase in performance is way more than a bit suspicious. Particularly so when there are other apparent problems as detailed below. Maybe PN would like to report on what they've been doing or confirm if postini have started doing something different or have introduced a significant update to their system ?  Is there perhaps a scheduled major postini update at the beginning of each month for instance ?


FALSE POSITIVES AND MISSING MAIL

Still no shortage of false positives again this week despite the category filtering being removed which obviously reduced the overall number somewhat. It is also interesting to note that messages from certain senders appear to be fairly consistently getting a slightly better spam score this week despite nothing significantly different in the message contents or routing. Still ridiculously low scoring IMO but at least not sufficiently low to get tagged with spam 1 as virtually all previous messages had been.  However, I get the distinct impression that postini is rejecting rather more messages than they have been of late as I have several suspected missing messages this week. Of particular note is one requested message expected from bbc.co.uk and one mailing from novatech.co.uk (both organisations being globally whitelisted of course) and one yahoo groups digest, all of which normally get a very high score almost regardless of content. 

This is not good to say the least as it has been said several times by PN that whitelisting guarantees message delivery regardless of the specific content and analysis results - apparently not then it would appear Some bbc messages have been having the "GT1" flag set which I don't think I've seen before either although that is supposed to help prevent rejection and/or poor scoring. I reported problems with missing novatech messages right at the start and that's why they were whitelisted by PN. Since then, messages have arrived with a varying but generally decreasing score and last week's was around 0.3 but this week I get a mysterious "you have been unsubscribed" message on my postini A/C. As I most certainly didn't request to be unsubscribed from the list, the only reasonable explanation is that someone else has used the link in a reported "not spam" message to unsubscribe me or that it happened automatically because of bounces or whatever.  The yahoo groups digest simply didn't turn up when expected but no bounce according to yahoo and the next digest did arrive. As most people will know, yahoo are very quick to disable bouncing addresses at the very first hint of any delivery problem although not so quick in telling users that there is a problem. There were no such issues on my non-postini A/C needless to say. I very much hope that the improvement in detection rate hasn't been achieved by postini simply dumping/rejecting even more of the 'suspect' or difficult to analyse messages.

I think this possible issue needs looking into as a matter of urgency because if whitelisting isn't going to prevent postini dumping/rejecting stuff then that's a VERY serious situation. It makes a complete mockery of the proposed 'solution' to postini being over-aggressive and tagging or worse still dumping/rejecting genuine messages for no good reason whatsoever if global/user whitelisting doesn't always have the desired effect.  Stupid as it may seem, I'm also *VERY* concerned that I don't appear to be getting anything like the expected amount of spam so far this week.  Suffice it to say that something just doesn't look right somehow - there's not enough of it and not enough variety in either content or sender.  Everything points to way too many messages being dumped/rejected rather than being delivered as of some time early last week


MESSAGE SCORING AND DIGEST STYLE MESSAGES

I was running a test to evaluate further the apparent preference that postini seem to give yahoo groups messages over similar list-type or digest-type messages from other genuine senders. Unfortunately, it all appears to have gone more than a bit t*ts up in my absence because postini has not been delivering (or bouncing) some of the messages.  Anyway, here's the message scoring graph just for the record and I will have to repeat the tests again, hopefully this week if/when I get the chance.

[spraxyt]

Thanks Mike, rather a lot for us to digest and understand there.

My (fully Postinied) spam volume has gone down significantly since Christmas, admittedly it wasn't large before, now trivial - none on many days.

I'm not aware of anything being rejected though mailing list items I asked for (from ZoneAlarm and Investors Chronicle) have recently been scored and tagged as Spam 1 (and I've submitted them to notspam).

[mikeb]

Sorry chaps, very late on parade yet again this week.  Please note the subtle change to all graphs - the X-axis dates now reflect "Week Ending" rather than "Week Commencing". This minor tweak was made primarily for presentation reasons when doing a bit of tidying up after extra curves were added to some graphs.


SPAM VOLUME AND DETECTION RATE

Following on from last week's slight decrease, there was a monster drop in volume last week ... but unfortunately, not just related to spam either

I don't mean this literally but just to give an indication of the scale of the change that appeared to get underway at the tail end of the previous week, just about everything that was previously classified as not-quite-spam is now categorised as spam and just about all previous spam has disappeared.  It was a very lean week for spam in general and suspiciously consistent during the week as well.  The detection rate remained at the improved level first seen the previous week.

The more observant will no doubt have noticed that I've been tweaking the graph again and have included a bit more data. The daily spam curve and perhaps more to the point, the average spams/day line clearly shows the relative severity of the drop in volume last week.  I've also included another new curve, whitelisted spam. This shows the %ge of the total messages received where the from: field contained a forged whitelisted address and therefore the messages were delivered regardless of just how spammy they really were. As can be seen, the majority of spam last week arrived courtesy of Mr.Spammer using whitelisted addresses.

I still have no real idea what exactly happened last week (and the tail end of the previous week) to result in the dramatic change in performance and I'm a bit unimpressed (but in no way surprised) that PN have not made any comments during the week.  I really do think someone quite obviously tweaked something and it would be nice to know "who, what and why" rather than considering the conspiracy theory that someone simply went tweaking in a blind panic due to being presented with documentary evidence showing the level of performance actually being achieved was somewhat lower than that specified. I don't normally 'do' conspiracy theories TBH other than as a jokey type of comment but it does look mighty suspicious that the week after showing a graph indicating consistent poor(ish) performance it all changes ! Coincidence ... or perhaps something spooky and worthy of a Mulder and Scully investigation ? The truth is out there


FALSE POSITIVES AND MISSING MAIL

Ah yes, false positives, not so many this week. But sadly this is not necessarily a good thing because in line (sort of) with the dramatic decrease in spam received there was also a fairly similar decrease in mail being delivered in general unfortunately. A significant amount (but by no means all) mail previously delivered erroneously classified as spam is no longer being delivered at all   All genuine mail from some totally reputable companies/organisations has simply stopped arriving. I've not really been checking for false positives in great detail recently because it's a right old PITA to cross-check all mail received across various A/Cs and Mboxes to try and spot the missing messages but on a quicky look there are more than a few obvious ones missing. I think it's becoming very clear that someone has seriously turned up the wick on the blatant spam blocking so that everything that was looking very spammy (according to postini's dubious and quite wrong opinion) is now being dumped/rejected in order to get the detection rate back up to the specified level.  Great if you don't want to receive any spam ... but not so good if you actually want to receive genuine mail.


MESSAGE SCORING AND DIGEST STYLE MESSAGES

Nothing new to report, just an updated graph for now.

Note there was no forum digest for 16th Feb as this was presumably dumped/rejected by postini as it was due a poor score. In fact many other forum messages various during the week were conspicuous by their absence. One excellent and totally legitimate forum run by a PN customer and hosted on homepages is now a major casualty of postini. Previously, all messages were classified as spam but now no messages whatsoever are being received so it is presumably impossible to sign up to the forum if you use PN and even if you could then you apparently can't receive any forum related messages in any case.