Plusnet Usergroup

All Users - The Open Forum => Plusnet Network and Technical Issues => Topic started by: jelv1 on May 30, 2007, 08:44:54 am



Title: Training spam filter - any point?
Post by: jelv1 on May 30, 2007, 08:44:54 am
Is there any point forwarding emails to spam@despamchecker.plus.com ?

I have been forwarding many emails and I can see no sign that the detection is improving - I'm still getting many emails promising to enlarge a part of my anatomy and similar which are not being tagged.

I've seen a post somewhere that says equal numbers of spam and notspam emails are being fed in to the training. I could understand that if the number of false positives was similar to the number of missed spams, but it is not, the number of missed spams far exceeds the number of false positives. So shouldn't more missed spams be fed in until it balances out?

And before someone responds to say that was what was done before when it suddenly started marking nearly everything as spam, I understand that that was down to it being fed a large number of unvetted emails in one chunk - not just because of the number.


Title: Re: Training spam filter - any point?
Post by: MauriceB on May 30, 2007, 11:49:34 am
I've got the same concern John.  Keep feeding the SPAMCHECKER but still they arrive!  Some weeks ago it was 1 - 2 per day, but it is steadily rising - 6 today :x

False spam is very low - last I had was many weeks ago :-P

IMAP folder getting between 10 and 20 per day.

Maurice


Title: Re: Training spam filter - any point?
Post by: godsell4 on May 30, 2007, 12:35:31 pm

Have you taken a look at the e-mail headers to see how many of the SPAM messages you get have been identified as coming via a known open relay ... as described on the PN portal here (http://portal.plus.net/central/forums/viewtopic.php?t=56136)?

SW.


Title: Re: Training spam filter - any point?
Post by: spraxyt on May 30, 2007, 12:54:03 pm
I share the concern too.  I've forwarded many missed spam messages since the deluge started but detection does not appear to be improving.  One yesterday came from an open relay on the spamcop blacklist.  I was surprised this wasn't marked.

x-open-relay: 122.167.72.27 is in a black list at bl.spamcop.net

The spammers seem to be putting the "message" as the subject, with more "innocent" words and a link in the message body.  Do the filters give equal weight to the subject line?

I've often wondered how messages forwarded for filter training are processed - is this described anywhere?

David


Title: Re: Training spam filter - any point?
Post by: simonflood on May 30, 2007, 01:21:41 pm
Is there any point forwarding emails to spam@despamchecker.plus.com ?

I have been forwarding many emails and I can see no sign that the detection is improving - I'm still getting many emails promising to enlarge a part of my anatomy and similar which are not being tagged.

I was wondering the same thing myself as I've been busy forwarding spam messages from 6 PlusNet mailboxes (I'm managing my Mother-in-Law's account in addition to my own).

As I currently understand it, messages need to be forwarded with full headers in-line in order to be effective.  Forwarding spam messages as attachments is no good.  This is a pity as reporting spam via Webmail is a real PITA (hence my earlier suggestion of Spam/Not Spam buttons).

Perhaps someone from PlusNet can clarify the following with regards to the spam reporting process?

  • Does it matter which e-mail address is used to report spam? (ie. what happens if an alias on an external domain forwards to a PlusNet mailbox)
  • Does it have to be a PlusNet e-mail address (ie. something@username.plus.com) that is used to report spam?
  • Does it have to be sent from the same mailbox that received it? (ie. could postmaster report all spam for a set of mailboxes?)

If it's possible for non-PlusNet e-mail addresses to forward spam messages to spam@despamchecker.plus.com presumably non-PlusNet e-mail addresses are blocked from sending to notspam@despamchecker.plus.com (to stop spammers attempting to get their spams classed as non-spam)?  If not, perhaps PlusNet want to close this loophole ASAP!  However I'd rather any e-mail address can send to spam@despamchecker.plus.com as it's the sole address in my webmail address book in case spammers gain access again!!

Simon


Title: Re: Training spam filter - any point?
Post by: simonflood on May 30, 2007, 03:12:26 pm
Is there any point forwarding emails to spam@despamchecker.plus.com ?

I have been forwarding many emails and I can see no sign that the detection is improving - I'm still getting many emails promising to enlarge a part of my anatomy and similar which are not being tagged.

I was wondering the same thing myself as I've been busy forwarding spam messages from 6 PlusNet mailboxes (I'm managing my Mother-in-Law's account in addition to my own).

It seems that there is a point to forwarding e-mails as I've just checked the mailboxes I own/look after and whilst they've all received spam overnight all the spam messages were correctly tagged as [-SPAM-] and moved into the Spam folder! :-)

Simon


Title: Re: Training spam filter - any point?
Post by: bpullen on May 30, 2007, 03:26:21 pm
Hi guys,

I can definitely double check to ensure housekeeping are on top of the training however whilst I'm here it may be useful if I provide further details regarding how the spam filter is trained...

There is an automatic training system which runs every night on all of the mxcore servers. This system relies on a cron job on the mailops server.

This script has only one purpose, it moves emails from the imap folders for spam and notspam, under the account despamchecker, into a network share held on the NAS.

This share has two folders, clean and spam. A script, which is held on each of the mxcore servers, picks up the emails held in these folders, and passes them through dspamc with the options specific to the folder's definition. For instance, emails held in the clean folder are treated as innocent emails.

It forks into two processes, one which trains spam emails, while the other trains clean. The script is run on the servers in a staggered way, each server launching the process 15 minutes after the server numbered one less than itself; i.e. sunmxcore01 starts at 01:00 while sunmxcore02 starts at 01:15.

The IMAP folders used by the automatic training system are populated by our housekeeping team.

This person will...

  • Set up an IMAP client to access the despamchecker mailboxes.
  • In the despamchecker+spam mailbox check the headers of all mails, and a sample of the actual mails.
  • Once happy that the mails in the despamchecker+spam account are spams move a maximum of 400 over to the Spam IMAP folder under the despamchecker account.
  • In the despamchecker+notspam mailbox check the headers of all mails, and a sample of the actual mails.
  • Once happy that the mails in the despamchecker+notspam account are not spams move a maximum of 400 over to the notspam IMAP folder under the despamchecker account.
  • Now check that the Spam and notspam folders under the despamchecker account have the same number of emails pending.
  • Clean out the spam+despamchecker and notspam+despamchecker accounts.
  • Any emails both in SPAM and NOTSPAM folders which are above 10K can be safely deleted. DSPAM uses text to train itself and attachments or large emails are no use for training.

We've also been using the odd honeypot address here and there following the recent spam problems as mentioned here (http://usergroup.plus.net/pugit/view.php?id=305).


Title: Re: Training spam filter - any point?
Post by: jelv1 on May 30, 2007, 04:09:53 pm
I can't see where you notify people that their submissions are not in the correct format. I presume you wouldn't want users wasting their time submitting either spam or notspam on a regular basis if they were all being ditched!


Title: Re: Training spam filter - any point?
Post by: poppy on May 30, 2007, 05:21:49 pm
Not sure if I am doing things right - when I receive a message that is not marked I forward it to despamchecker by a tick in the box and clicking forward i.e. without actually opening the e-mail. Is this correct or should the e-mail be opened and forwarded from within that?


Title: Re: Training spam filter - any point?
Post by: jelv1 on May 30, 2007, 06:39:22 pm
I think you are probably doing the wrong thing as I don't think that will include all the headers - but it will depend on what you are using to do this.


Title: Re: Training spam filter - any point?
Post by: poppy on May 30, 2007, 08:47:56 pm
Thank you for the reply. I am forwarding them from within webmail. I would like to know the correct procedure as there is no point in forwarding to despam if it is wrong.


Title: Re: Training spam filter - any point?
Post by: jelv1 on May 30, 2007, 08:56:50 pm
AIUI you need to:

1. Select View Full Header from the options when you have the message open.
2. Then copy everything that that gives.
3. Now go back to View Message.
4. Select Forward (not forward as attachment)
5. Delete the header lines at the top of the email down as far as the line under the To:
6. Paste the full header you saved in step 2 to the top of the email.

Simple isn't it (not!).


Title: Re: Training spam filter - any point?
Post by: poppy on May 31, 2007, 07:01:23 am
Doesn't sound simple to me! Any comment from staff?


Title: Re: Training spam filter - any point?
Post by: ianwild on May 31, 2007, 08:48:32 am
I agree it could be simpler, and we'd welcome suggestions for making it so.

As it is, with a Webmail client (When we have locked down what we want) a "Report Spam" button will be a must have. From people's own email software though, there is only so much we can do as we need to see and verify the emails before we train the spam filter.

Ian


Title: Re: Training spam filter - any point?
Post by: poppy on May 31, 2007, 10:38:25 am
Thanks for the reply Ian.  Just to clarify (the idiot's guide), is it OK just to open the e-mail and click 'Forward' then add the despamchecker address? Will this do the job?  I have an aversion to actually opening them and that is why I was putting a tick in the box and clicking 'Forward' but I suspect that this is no good.


Title: Re: Training spam filter - any point?
Post by: dusty_bin on May 31, 2007, 11:44:06 am
As it is, with a Webmail client (When we have locked down what we want) a "Report Spam" button will be a must have.
Yes! and also a "Not Spam" button for false positives in the spam folder(s).
If you follow the Pegasus Mail approach, you could also do it automatically when email is manually moved into or out of the spam folder(s)?
Quote
From people's own email software though, there is only so much we can do as we need to see and verify the emails before we train the spam filter.
Indeed...
When forwarding emails using Pegasus Mail, one option is "Forward the messages without editing (Redirect, or "bounce)" which looks to be just the ticket ;)


Title: Re: Training spam filter - any point?
Post by: cogilvie on May 31, 2007, 11:47:56 am
When forwarding emails using Pegasus Mail, one option is "Forward the messages without editing (Redirect, or "bounce)" which looks to be just the ticket ;)

I suspect you'll lose the original headers at a guess, as it would be sending through your SMTP server etc. so you'll still be in the same state as you were.


Title: Re: Training spam filter - any point?
Post by: jelv1 on May 31, 2007, 02:35:50 pm
The advice we have had from Bob is that the full headers are needed. If you just forward the message without pasting in the headers it is apparently no use and you are just wasting your time.


Title: Re: Training spam filter - any point?
Post by: dusty_bin on May 31, 2007, 04:31:03 pm
Good points, but I just carried out an experiment and got the following headers from a forwarded message:

Received: from host2.somewhereelse.net by myinternalserver with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
   id LS1Y8T9Q; Thu, 31 May 2007 16:08:31 +0100
Received: from username.plus.com (81-174-211-110.pth-as4.dial.plus.net
   [81.174.211.110])by host1.somewhereelse.net (8.9.3 (PHNE_29774)/8.9.3)
   with SMTP id QAA21776for <me@username.plus.com>; Thu, 31 May 2007
   16:03:39 +0100 (BST)
Resent-Message-Id: <200705311503.QAA21776@somewhereelse.net>
Resent-from: <me@username.plus.com>
Resent-to: me@somewhereelse.net
Resent-date: Thu, 31 May 2007 16:03:25 +0100
Received: from mail.plus.net by username.plus.com with POP3
   (Mailtraq/2.2.0.1340)         id MYBL57F41F14; Mon, 26 Mar 2007 12:00:57
   +0100
Envelope-to: me@username.plus.com
Delivery-date: Mon, 26 Mar 2007 08:29:16 +0000
Received: from c2bthomr12.btconnect.com ([213.123.20.144])  by
   pih-sunmxcore10.plus.net with esmtp (PlusNet MXCore v2.00) id
   1HVkZn-0006cP-UF   for me@username.plus.com; Mon, 26 Mar 2007 08:29:15
   +0000
Received: from somebody by c2bthomr12.btconnect.comwith ESMTP id
   CPA74008;Mon, 26 Mar 2007 09:30:34 +0100 (BST)
Message-ID: <000901c76f81$fa86efc0$1402a8c0@somebody>


I hope it's not too munged to understand...  The original email was collected by POP3 by a server and then passed to Pegasus Mail, but I don't think it would be different if email were directly collected - if I get a chance, I may try that as well.

I suppose the question is whether the PN system would pick out the right headers.


Title: Re: Training spam filter - any point?
Post by: bpullen on May 31, 2007, 04:37:39 pm
Spam filtering is based on many things, some are in the body (HTML usage, misformed mime etc) some are in the headers (mail has passed through a host without rDNS, invalid headers).

The more the better basically.


Title: Re: Training spam filter - any point?
Post by: cogilvie on May 31, 2007, 04:56:49 pm
Good points, but I just carried out an experiment and got the following headers from a forwarded message:

[snip]

I hope it's not too munged to understand...  The original email was collected by POP3 by a server and then passed to Pegasus Mail, but I don't think it would be different if email were directly collected - if I get a chance, I may try that as well.

I suppose the question is whether the PN system would pick out the right headers.

Ah, so it's slightly more intelligent than I was giving it credit for :-)


Title: Re: Training spam filter - any point?
Post by: dusty_bin on May 31, 2007, 06:05:07 pm
Ah, so it's slightly more intelligent than I was giving it credit for :-)

And it did the same with a direct connection to the PN servers:
Code:
Envelope-to: test@username1.plus.com
Delivery-date: Thu, 31 May 2007 16:47:15 +0000
Received: by pih-sunmxcore16.plus.net with spam-scanned (PlusNet MXCore v2.00) id 1Htnnu-000712-UP
     for test@username1.plus.com; Thu, 31 May 2007 16:47:15 +0000
X-Daemon-Classification: INNOCENT
Received: from ptb-relay01.plus.net ([212.159.14.212])
     by pih-sunmxcore16.plus.net with esmtp (PlusNet MXCore v2.00) id 1Htnnu-0006zl-0J
     for test@username1.plus.com; Thu, 31 May 2007 16:47:14 +0000
Received: from [81.174.210.98] (helo=[81.174.210.98])
     by ptb-relay01.plus.net with esmtp (Exim) id 1HtnoJ-0006Ch-D5
     for test@username1.plus.com; Thu, 31 May 2007 17:47:40 +0100
Resent-from: "Test" <test@username2.plus.com>
Resent-to: test@username1.plus.com
Resent-date: Thu, 31 May 2007 17:44:34 +0100
Received: from ptb-cgirelay02.plus.net ([195.166.130.41])
     by pih-sunmxcore12.plus.net with esmtp (PlusNet MXCore v2.00) id 1Htnfw-0001iV-KY
     for test@username2.plus.com; Thu, 31 May 2007 16:39:00 +0000
Received: from ge0-1-0-7.ptn-gw2.plus.net ([212.159.6.51]:42273 helo=webmail.plus.net)
     by ptb-cgirelay02.plus.net with esmtp (Exim 4.34)
     id 1Htnd0-0008Fp-Nw
     for test@username2.plus.com; Thu, 31 May 2007 17:35:58 +0100
Received: from 81.174.210.98
     (SquirrelMail authenticated user username1)
     by webmail.plus.net with HTTP;
     Thu, 31 May 2007 17:35:58 +0100 (BST)
Message-ID: <22516.81.174.210.98.1180629358.squirrel@webmail.plus.net>
Date: Thu, 31 May 2007 17:35:58 +0100 (BST)
Subject: Test
From: username1@username1.plus.com
To: test@username2.plus.com
User-Agent: SquirrelMail
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-PN-Spam-Filtered: by PlusNet MXCore (v4.00)
[snip the spam stuff]
Resent-Message-Id: <E1Htnnu-000712-UP@pih-sunmxcore16.plus.net>
Resent-Date: Thu, 31 May 2007 16:47:15 +0000

Now I just need to get its spamchecker trained...
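The thread describes three ways a report can arrive: redirected (as in the traces above), forwarded with the full headers pasted at the top of the body, or forwarded as-is. The following added example (not from the original posts and not Plusnet's tooling; the sample messages are constructed, and the function name, the 10 KiB reading of "10K" and the issue labels are assumptions) tells the three apart and applies the size and attachment rules from the housekeeping description.

```python
import re
from email import message_from_string, policy

MAX_BYTES = 10 * 1024  # assumption: the "10K" limit in the staff post read as 10 KiB
PASTED_RECEIVED = re.compile(r"^Received:\s+(?:from|by)\s", re.M | re.I)

# Constructed sample: a redirected ("bounced") message with Resent-* fields.
REDIRECT = """\
Received: from relay.example.net by mx2.example.net with esmtp;
     Thu, 31 May 2007 16:47:14 +0000
Resent-From: reporter@example.net
Resent-To: spam-report@example.net
Resent-Date: Thu, 31 May 2007 17:44:34 +0100
Received: from mx1.example.net by mailstore.example.net with esmtp;
     Thu, 31 May 2007 16:39:00 +0000
Received: from host.example.org by mx1.example.net with esmtp;
     Thu, 31 May 2007 16:38:58 +0000
Message-ID: <1@example.org>
From: sender@example.org
To: reporter@example.net
Subject: Test

Body text.
"""

# Constructed sample: a forward with the full header pasted at the top of the body.
INLINE = """\
From: reporter@example.net
To: spam-report@example.net
Subject: Fwd: Test

Received: from mx1.example.net by mailstore.example.net with esmtp;
     Thu, 31 May 2007 16:39:00 +0000
Received: from host.example.org by mx1.example.net with esmtp;
     Thu, 31 May 2007 16:38:58 +0000
From: sender@example.org
Subject: Test

Body text.
"""

# Constructed sample: an ordinary forward with no original trace at all.
PLAIN = """\
From: reporter@example.net
To: spam-report@example.net
Subject: Fwd: Test

---- Forwarded message ----
From: sender@example.org
Subject: Test

Body text.
"""


def classify_submission(raw):
    """Describe how much of the original delivery trace a report still carries."""
    msg = message_from_string(raw, policy=policy.default)
    names = [name.lower() for name in msg.keys()]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    resent_at = next((i for i, n in enumerate(names) if n.startswith("resent-")), None)
    if resent_at is not None:
        # Trace and Resent-* fields are prepended on each hop, so Received
        # lines below the first Resent-* field belong to the original delivery.
        mode = "redirect"
        hops = sum(1 for n in names[resent_at:] if n == "received")
    elif PASTED_RECEIVED.search(body):
        mode = "inline-headers"
        hops = len(PASTED_RECEIVED.findall(body))
    else:
        mode, hops = "plain-forward", 0

    issues = []
    if hops == 0:
        issues.append("no original Received headers")
    if len(raw.encode("utf-8")) > MAX_BYTES:
        issues.append("larger than 10K")
    if any(True for _ in msg.iter_attachments()):
        issues.append("has attachment")
    return {"mode": mode, "original_hops": hops, "issues": issues}


if __name__ == "__main__":
    for label, raw in (("redirect", REDIRECT), ("inline", INLINE), ("plain", PLAIN)):
        print(label, classify_submission(raw))
```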


Title: Re: Training spam filter - any point?
Post by: Mark1 on June 01, 2007, 12:16:19 am
Re Pegasus Mail...
Ah, so it's slightly more intelligent than I was giving it credit for :-)
I've been using Pegasus Mail for some years, and it's a very capable mail client. It lags behind the more famous mail programs in its user interface, and lacks bells and whistles such as an entire Office system attached to every action, but it generally works very well.

Its own spam filter is very effective, once trained. It learns as one moves messages into the Junk folder (trains them as spam) or out of it (trains as not-spam).


Title: Re: Training spam filter - any point?
Post by: NB on June 01, 2007, 12:22:29 am
I believe the mail client in Opera can do redirects straight out of the box, and thunderbird can do them with the addition of a plugin.


Title: Re: Training spam filter - any point?
Post by: rsarwar on June 01, 2007, 10:04:55 am
Forwarding headers is useful as the headers contain information from DSpam; this information shows why DSpam thinks of a mail as Spam. I believe when you forward a mail using 'Forward' from a mail client, the headers containing hop and delivery information are forwarded, however headers containing other Mime tags do not get forwarded. I have to test this today.

Any mails which contain attachments, very little text or a blank body are useless to the training system and they are normally discarded by the housekeeping team.



Title: Re: Training spam filter - any point?
Post by: godsell4 on June 01, 2007, 02:05:37 pm
... very little text or a blank body are useless to the training system and they are normally discarded by the housekeeping team.

The fact is, it is quite a few of these short messages with an attached .gif that are highly offensive SPAM.

So should they really be discarded ... many of them come via known open relays on bl.spamcop.net ... going to fix that hole?

SW.


Title: Re: Training spam filter - any point?
Post by: godsell4 on June 01, 2007, 06:47:00 pm

How did this one get through, see the headers via spamcop here (http://submit.7SNTbcSF74wYuwdP@spam.spamcop.net)

It shows the DSPAM factors as:
Quote
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Fri Jun  1 15:07:14 2007
X-DSPAM-Confidence: 0.5053
X-DSPAM-Improbability: 1 in 103 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27,
   Received*Jun, 0.00181,
   Received*HW, 0.01000,
   Date*17+00, 0.01000,
   the+improved, 0.99000,
   Date*2007, 0.99000,
   Subject*Multiple, 0.99000,
   has+ever, 0.01000,
   Received*0004Xl, 0.99000,
   best+thing, 0.01000,
   Date*Jun, 0.07580,
   to+me, 0.08830,
   Due+to, 0.09087,
   Date*Fri+1, 0.09383,
   Due, 0.12463,
   improved, 0.85701,
   Received*Fri+01, 0.14402,
   x-open-relay*is, 0.84924,
   x-open-relay*a, 0.84924,
   x-open-relay*black+list, 0.84924,
   x-open-relay*list, 0.84924,
   x-open-relay*bl.spamcop.net, 0.84924,
   x-open-relay*at, 0.84924,
   x-open-relay*at+bl.spamcop.net, 0.84924,
   x-open-relay*black, 0.84924,
   x-open-relay*in, 0.84924,
   x-open-relay*in+a, 0.84924,
   x-open-relay*a+black, 0.84924

Just how many times does DSPAM need to see the x-open-relay string to decide a message is actually SPAM?  :x

SW


Title: Re: Training spam filter - any point?
Post by: Oldjim on June 01, 2007, 07:38:32 pm
Has someone got a sense of humour - this is taken from a mail correctly identified as spam
Quote
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Spam
X-DSPAM-Processed: Fri Jun 1 14:41:03 2007
X-DSPAM-Confidence: 0.6963
X-DSPAM-Improbability: 1 in 230 chance of being ham
X-DSPAM-Probability: 1.0000
X-DSPAM-Factors: 15,


Title: Re: Training spam filter - any point?
Post by: poppy on June 02, 2007, 11:44:18 am
With reference to Bob's message (PUGIT 305) about setting up redirects for spam@despamchecker, please can someone  clarify exactly how this should be done?


Title: Re: Training spam filter - any point?
Post by: Oldjim on June 02, 2007, 12:16:57 pm
I thought that just forwarding the email without adding the header manually was of no use - can that be confirmed because if I am wrong it would be much easier


Title: Re: Training spam filter - any point?
Post by: petervaughan on June 02, 2007, 12:24:45 pm
Just forwarding is of some use but the full benefits are attained when you include the headers.


Title: Re: Training spam filter - any point?
Post by: br1anstorm on June 03, 2007, 12:39:15 am
Thanks for the reply Ian.  Just to clarify (the idiot's guide), is it OK just to open the e-mail and click 'Forward' then add the despamchecker address? Will this do the job?  I have an aversion to actually opening them and that is why I was putting a tick in the box and clicking 'Forward' but I suspect that this is no good.

Some comments on this.  Just forwarding the spam message means (a) that PN's checker may not be able to see the original spam headers;  and (b) at least using Outlook Express, this means opening it, which could expose you to more risk (as it confirms to the spammer that your address is 'live').  Apparently in MacMail you can forward headers etc without having to open the message.

Over on the main PlusNet discussion forum there's a link to a useful guide prepared by Webwise - look in his posts there - which spells out how (in Outlook Express) to copy and send spam headers and texts to PN without having to open the offending message(s).

br1anstorm


Title: Re: Training spam filter - any point?
Post by: poppy on June 03, 2007, 07:31:18 am
Couldn't find the information that you alluded to - can you provide more details please?


Title: Re: Training spam filter - any point?
Post by: petervaughan on June 03, 2007, 10:06:53 am
The thread is here (https://portal.plus.net/central/forums/viewtopic.php?t=56464)

And the referenced guide is here (http://www.neolics.com/index.php?s=guides&p=12) although you should not be sending the spam as a new message as it suggests, and as I commented on in that thread.


Title: Re: Training spam filter - any point?
Post by: jazz on June 03, 2007, 10:34:25 am
These threads in PUG and the PlusNet Forums are all getting so confusing that the message I'm getting is:-

"Don't bother forwarding Spam to the Spamchecker because you'll probably open something you shouldn't, fail to attach headers or waste everyone's time with mistakes in the process.  It would probably be easier to just delete the things". 

I think that, until a simple solution/guide is found and published by PlusNet I'll just go for the "Delete" option and concentrate on training Thunderbird to do this for me automatically. :?


Title: Re: Training spam filter - any point?
Post by: poppy on June 03, 2007, 12:26:56 pm
Thanks for the link. Totally agree about the confusion. I definitely don't want to open the e-mail to insert any header information and in any case (I might be wrong) but if you haven't downloaded the spam into OE or other, the properties information does not seem to be complete in webmail. I will carry on just deleting until a method that doesn't include opening the mail is given.


Title: Re: Training spam filter - any point?
Post by: jkerr82508 on June 04, 2007, 03:23:24 pm
Popfile, which I run locally has correctly identified all of the spam which has penetrated PN's spam filters. (I have configured Kmail to dump it to the wastebin.) When this new system was introduced I forwarded all of these to despamchecker, but when there was no apparent effect, I just gave up. It's a whole lot easier to just click on "Empty wastebin" than go through the contortions described here.

Jim


Title: Re: Training spam filter - any point?
Post by: godsell4 on June 04, 2007, 03:41:38 pm
Popfile, which I run locally has correctly identified all of the spam which has penetrated PN's spam filters.

Same here, JunkMatcher is a plugin for mail.app on MacOS X, it too manages to identify all the SPAM messages PN do not.

Makes you think really.

SW.


Title: Re: Training spam filter - any point?
Post by: jelv1 on June 04, 2007, 10:27:58 pm
I have been wondering why I have received no emails from two Freecycle groups I belong to on yahoo for the last couple of days - between them I would expect to receive 30-50 emails a day. So I've just been to check, and as expected I find that the email address is shown on Yahoo as bouncing. And what do I find as the reason for the bounce:

Remote host said: 550 Spam detected within email [BODY]

Could someone from Plusnet explain why emails from Yahoo groups are being hard bounced please.


Title: Re: Training spam filter - any point?
Post by: dtomlinson on June 04, 2007, 10:56:03 pm
I'd recommend raising a ticket with the full bounce and we can take a look at why it's bounced.


Title: Re: Training spam filter - any point?
Post by: jelv1 on June 04, 2007, 11:31:19 pm
That's as much information as I can find on the Yahoo groups website. :-(


Title: Re: Training spam filter - any point?
Post by: Penny on June 05, 2007, 12:08:06 am
I have been wondering why I have received no emails from two Freecycle groups I belong to on yahoo for the last couple of days

Weird that, because I too belong to two Freecycle groups, and messages from both have been arriving seemingly without problem.

Maybe to do with the "send" format of the various separate Freecycle groups?

Curiously, the spam filter is picking up NetAnnounce subscribes and unsubscribes, not all but some.  I've more or less given up monitoring them the last few days because there are so many probably-not-genuine subscribes that I just don't have the time to sort them right now, so some of them ending up in the spam folder is neither here nor there :/


Title: Re: Training spam filter - any point?
Post by: mikeb on June 05, 2007, 01:24:24 am
I have been wondering why I have received no emails from two Freecycle groups I belong to on yahoo for the last couple of days - between them I would expect to receive 30-50 emails a day. So I've just been to check, and as expected I find that the email address is shown on Yahoo as bouncing. And what do I find as the reason for the bounce:

Remote host said: 550 Spam detected within email [BODY]

Could someone from Plusnet explain why emails from Yahoo groups are being hard bounced please.

As I mentioned on another thread somewhere, problems with yahoo and similar groups or mail lists frequently occur when service providers do spam checking unfortunately. I don't use the PN spam checking at all so all I do know is that yahoo stuff doesn't appear to be being silently bounced on receipt as I'm still getting my digests and messages coming through from a few groups I use.

Yahoo really are a PITA with their bouncing policy. One single bounce for whatever reason and all mails are stopped but they generally take ages to actually tell you about it so you can reactivate the address.  I quite often find that it can be up to a week before the problem is flagged on yahoo even when it's obvious that messages aren't being sent. There is no way that I've found to identify which message actually caused the bounce either as any reference on the yahoo bounce history doesn't tie up with message IDs or numbering in the group. All you get is some obscure error message such as "spam detected" or "content rejected" in the message body :(  I also get the distinct impression that yahoo treat any failure to deliver on the first occasion as a bounce as well so if there is any sort of problem they don't necessarily retry.

What tends to happen in my experience is that someone posts a dodgy message i.e. either a bit spammy or with rather iffy content in some way.   Also, I think the other big problem with such groups/lists is that there are a lot of stupid people out there :o  They subscribe to them then decide they no longer want to receive messages but are too stupid to change their mail options or leave the group so report the messages as spam instead thus causing probs for others if/when the sending IP gets blacklisted.


Title: Re: Training spam filter - any point?
Post by: jelv1 on June 05, 2007, 05:26:31 pm
As of now I am going to give up forwarding emails to training as a pointless waste of time - I would suggest anyone else who values their time does the same.

I've just received a message with a subject of "Recent discoveries in herbal science have shed new light on the subject of penis enlargement" with a body of "When you reach the growth size that you want to achieve, you no longer need to take MegaDik". Here are the relevant headers:

Quote
x-open-relay: 62.87.142.95 is in a black list at bl.spamcop.net

X-DSPAM-Result: Innocent
X-DSPAM-Processed: Tue Jun  5 15:50:12 2007
X-DSPAM-Confidence: 0.5479
X-DSPAM-Improbability: 1 in 122 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27,
   Received*Jun, 0.00181,
   Received*Tue+05, 0.00507,
   Date*Tue+5, 0.00682,
   reach+the, 0.00960,
   Subject*on+the, 0.01000,
   longer+need, 0.01000,
   Subject*herbal, 0.99000,
   Date*2007, 0.99000,
   Date*47+0200, 0.01000,
   size+that, 0.01000,
   Subject*Recent, 0.99000,
   Received*admin, 0.93829,
   Received*for+admin, 0.93829,
   reach, 0.06780,
   Date*5, 0.07506,
   Date*Jun, 0.07580,
   X-MimeOLE*V6.00.2800.1106, 0.91513,
   X-MimeOLE*MimeOLE+V6.00.2800.1106, 0.91513,
   to+achieve, 0.10971,
   achieve, 0.11002,
   growth, 0.88469,
   Content-Type*charset="windows, 0.87976,
   no+longer, 0.12561,
   x-open-relay*is, 0.84924,
   x-open-relay*a, 0.84924,
   x-open-relay*black+list, 0.84924,
   x-open-relay*list, 0.84924

I found it particularly revealing how, in spite of all the training, it gave the scores as it did for the words "penis", "MegaDik" and "enlargement" (it is obviously processing both the subject and body given the scores it has for growth and herbal).
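The X-DSPAM-Factors value quoted in the post above lists each token DSPAM weighed together with the probability it assigned. The following added example (not part of the original post and not DSPAM code; the function names are invented here, and the `[Header*]token, probability` layout is inferred from the quoted header) parses that value, counts spam-leaning and innocent-leaning tokens per source header, and reports which words of interest were scored at all.

```python
import re
from collections import defaultdict

# X-DSPAM-Factors value copied from the header quoted in the post above.
FACTORS_HEADER = """27,
   Received*Jun, 0.00181,
   Received*Tue+05, 0.00507,
   Date*Tue+5, 0.00682,
   reach+the, 0.00960,
   Subject*on+the, 0.01000,
   longer+need, 0.01000,
   Subject*herbal, 0.99000,
   Date*2007, 0.99000,
   Date*47+0200, 0.01000,
   size+that, 0.01000,
   Subject*Recent, 0.99000,
   Received*admin, 0.93829,
   Received*for+admin, 0.93829,
   reach, 0.06780,
   Date*5, 0.07506,
   Date*Jun, 0.07580,
   X-MimeOLE*V6.00.2800.1106, 0.91513,
   X-MimeOLE*MimeOLE+V6.00.2800.1106, 0.91513,
   to+achieve, 0.10971,
   achieve, 0.11002,
   growth, 0.88469,
   Content-Type*charset="windows, 0.87976,
   no+longer, 0.12561,
   x-open-relay*is, 0.84924,
   x-open-relay*a, 0.84924,
   x-open-relay*black+list, 0.84924,
   x-open-relay*list, 0.84924"""

# One "token, probability" pair; the token itself may contain dots or quotes.
PAIR = re.compile(r"\s*(.+?),\s*([01]\.\d+)\s*(?:,|$)", re.S)


def parse_factors(value):
    """Return (declared_count, [(source, token, probability), ...])."""
    declared, _, rest = value.partition(",")
    factors = []
    for match in PAIR.finditer(rest):
        raw, prob = match.group(1).strip(), float(match.group(2))
        # "Header*token" marks a token taken from that header; a token with
        # no prefix is treated here as coming from the message body.
        source, sep, token = raw.partition("*")
        if not sep:
            source, token = "body", raw
        factors.append((source, token, prob))
    return int(declared), factors


def summarise(factors):
    """Count spam-leaning (p > 0.5) and innocent-leaning tokens per source."""
    by_source = defaultdict(lambda: {"spam": 0, "innocent": 0})
    for source, _token, prob in factors:
        by_source[source]["spam" if prob > 0.5 else "innocent"] += 1
    return {source: dict(counts) for source, counts in by_source.items()}


def scored_words(factors, words):
    """Report which of `words` occur in any scored token ("+" joins word pairs)."""
    seen = set()
    for _source, token, _prob in factors:
        seen.update(part.lower() for part in token.split("+"))
    return {word: word.lower() in seen for word in words}


if __name__ == "__main__":
    declared, factors = parse_factors(FACTORS_HEADER)
    print(f"declared {declared}, parsed {len(factors)}")
    for source, counts in sorted(summarise(factors).items()):
        print(f"{source:14} spam={counts['spam']} innocent={counts['innocent']}")
    print(scored_words(factors, ["herbal", "growth", "enlargement"]))
    for source, token, prob in sorted(factors, key=lambda f: f[2])[:3]:
        print(f"most innocent: {source}*{token} {prob}")
```

On this header the three lowest probabilities belong to tokens taken from the Received and Date lines, and `enlargement` is not among the 27 scored tokens.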


Title: Re: Training spam filter - any point?
Post by: mikeb on June 06, 2007, 02:53:09 pm
It's looking like yet another well spammy week with copious amounts of the explicit stuff as well as the usual dodgy_software_R_us rubbish so far :(

One thing I really don't get though is why the hell the registration and dns services for all these Fairly_Random_Name.tld sites can't be prevented or at least shut down pretty quick therefore making it a waste of time/effort/money for the b*ggers to keep on trying. Maybe something is being done if only DoS attacks as none of the sites actually load (apart from the dodgy software one) so it must be a futile exercise trying to sell this crap anyway ! if they are indeed trying to sell stuff as opposed to infect more systems with malware. The vast majority if not all of them seem to have near identical whois info and as I found before, all resolve to one or more of a fairly short list of common IPs.  At the mo the whois for all that I've looked up appears to be:

Quote
Domain Name: HSQV.COM (and lots of others)
   Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
   Whois Server: whois.joker.com
   Referral URL: http://www.joker.com
   Name Server: NS1.JJJDNS.COM
   Name Server: NS2.JJJDNS.COM
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 02-jun-2007
   Creation Date: 02-jun-2007
   Expiration Date: 02-jun-2008

>>> Last update of whois database: Wed, 06 Jun 2007 13:07:08 UTC <<<

[whois.joker.com]
domain:       hsqv.com
owner:        Sammy Lee
organization: Liquid Ventures Inc
email:        admin@liquidventuresinc.com
address:      44/E ENTERPRISE SQUARE
city:         KOWLOON
state:        --
postal-code:  0000
country:      HK
phone:        +852.94528422
admin-c:      CCOM-1028986 admin@liquidventuresinc.com
tech-c:       CCOM-1028986 admin@liquidventuresinc.com
billing-c:    CCOM-1028986 admin@liquidventuresinc.com
nserver:      ns1.jjjdns.com 210.3.9.200
nserver:      ns2.jjjdns.com 210.3.9.200
status:       lock
created:      2007-06-02 21:23:09 UTC
modified:     2007-06-02 21:23:09 UTC
expires:      2008-06-02 21:23:09 UTC

contact-hdl:  CCOM-1028986
person:       Sammy Lee
organization: Liquid Ventures Inc
email:        admin@liquidventuresinc.com
address:      44/E ENTERPRISE SQUARE
city:         KOWLOON
state:        --
postal-code:  0000
country:      HK
phone:        +852.94528422

source:       joker.com live whois service
query-time:   0.018779
db-updated:   2007-06-06 13:07:17

I realise that preventing registration or shutting down the sites won't stop the spam as such but surely something could be done to make it way more difficult and painful to keep trying to peddle this rubbish ?  Likewise dealing with the compromised systems sending the spam out in the first place. I'm bl**dy certain that service providers, registrars and so on could do lots more to control and limit the problem *IF* they really wanted to ... which they clearly don't, of course  :x  I mean, I've never yet come across any service provider anywhere in the world that takes abuse reports in any way seriously and responds in a timely manner (if at all that is). All this spam filtering and suchlike being implemented is next to useless in reality IMHO esp trying to do Bayesian detection on a mass_user scale.  It might well produce reasonably good results on a per_user basis but I just don't believe it can ever produce particularly reliable results otherwise. Apart from that, filtering is simply trying to hide the problem rather than trying to fix it of course !  What are service providers various doing (if anything) to fix the fundamental problem other than adopting the ostrich position ?


Title: Re: Training spam filter - any point?
Post by: godsell4 on June 06, 2007, 11:06:26 pm
Quote
It might well produce reasonably good results on a per_user basis but I just don't believe it can ever produce particularly reliable results otherwise.

Why? If you and I receive the same type/style of SPAM, then the 'learnt behaviour' of my SPAM filter should work equally well on your e-mail ... if we extrapolate, it should work on all e-mail of the whole PN user base.

OK, so there may be some people that want the MegaDuck and WonderSum messages.

SW.


Title: Re: Training spam filter - any point?
Post by: mikeb on June 07, 2007, 01:23:47 am
Well, I suppose there must be some peeps who do respond to this crap or they wouldn't continue to keep sending it out by the bucket load !  I mean, even if the response is very, very small, 0.001% of a very big number of attempts to sell the stuff per day is still a result unfortunately.  But that's not the point.

What you say in principle is correct of course - any message containing WC or MD or whatever specific name they happen to be using today isn't a problem. Like you say, 99.999% of peeps defo will not see those messages as anything other than spam.  But the problem is that only a very tiny %ge of the messages I have received to date actually fall into that category. OK, so you can effectively extend the word search to include other terms but then you start getting into difficult areas. There most certainly will be some peeps receiving valid non-spam messages containing some of the more general terms being used by the spammers.  However, the real big problem is that quite a large %ge of the messages actually contain no specific or relevant text at all just some really innocent text and an image file. In this case there is nothing much to train the filter against unless some form of image recognition is part of the detection process which although possible is pretty unlikely I would suggest.  Training a filter using spam messages containing non-spam orientated text is, at best, useless ... and at worst, counter-productive as it's just as likely to classify the spam as a genuine message.  Just imagine if every spam came with a Subject: Plusnet Newsletter or Micro$oft Update Notification or whatever and simply contained an image file.  No amount of filtering on anything other than sender IP and/or black/whitelists would have any useful effect at all.

I'm not saying it doesn't or can't work at all just that I don't think it can ever be that good or accurate, particularly over a wide user base, unless the messages are very specific with limited variations. If/when I end up setting up a Bayesian filter and all the other techniques myself then it will be very interesting to see just how accurate it actually turns out when used in anger.  I have several 10's if not a few 100's GB of archived data - I can train my filter with EVERY single genuine message I have received over the last 10 years if I want to and EVERY single spam message I have received since this nonsense first started on 13th May.  You can't get much better than that in terms of relevant data for training but I still don't think I would expect 100% accuracy and I would certainly expect the d@mn spammers to be at least one step ahead of just about anything I try to do to limit the nuisance :(

Filtering and other spam detection is not a solution to the problem IMHO, I see it more as a means of providing a limited amount of relief whilst the problem is being resolved properly.  Unfortunately, I don't think anyone actually is trying to resolve the problem at all and I'm not really sure if it can truly be resolved either TBH. I do think that a lot of users have an unrealistic expectation of what filtering etc. can achieve though. Whilst I'm sure that whatever PN are actually doing could be better (not a criticism as such, just that anything can always be improved if only by a small amount) it's never going to be 100% accurate for 100% of the users 100% of the time no matter what.

What I really want to know is what service providers in general (and PN in particular) are actually doing to try to cure the disease rather than simply mask the symptoms ;)


Title: Re: Training spam filter - any point?
Post by: mark on June 07, 2007, 11:11:46 am
Personally I've given up forwarding emails to the filter since it does not appear to work. :-(
It's still not tagging messages sent through open relays, spamvertising web sites hosted all by the same company.  These spams don't contain images or anything else difficult but with the common spam keywords previously mentioned on many similar threads.

Why is the filter not working?


Title: Re: Training spam filter - any point?
Post by: mikeb on June 07, 2007, 01:02:53 pm
>>Why is the filter not working?

Open Relays (blacklists): Not every message sent via a so-called open-relay is by definition spam. PN servers quite often get onto these DB's for reasons various and likewise other genuine senders. Blacklists that are 'user' generated are also quite likely to contain erroneous information - either due to stupidity or even by deliberate action to disrupt mail.

Spamvertising Companies: Exactly my point earlier - most if not all the current sites are apparently registered by the same people at the same few registrars using the same DNS and so on.  However, spam detection almost certainly won't be spotting that as only a detailed whois enquiry will reveal the connection between various messages.  Likewise with the DNS entries for the sites and likewise with the sender IPs. It should be noted that a lot of the whois info may well be bogus of course.  However, these aspects could be tackled and dealt with by those responsible for providing the various services but ONLY if they take their responsibilities seriously.  It would appear they do not.

Frequent Changes: Site names, DNS entries, message content, sender IP and just about everything else changes at least daily in most cases.  I don't think I have received more than one copy of the same spam at my various accounts/mboxes to date except for when the Bcc: trick has been used. Every spam is different in one or more ways therefore making detection anything but as straight-forward as it first seems.  The spammers have a vested interest in avoiding detection and they're not ever going to make it easy.  Spam detection is just like virus detection - always at least one step behind the b*ggers causing the problems. More than a few peeps have to experience any new stuff before steps can be taken to try to prevent it getting through.

Keywords: One man's spam is another man's Sunday roast ! Whilst I defo do not want CERTAIN accounts or mboxes to receive messages containing references to genitalia various, the practicalities of using said genitalia, weight loss, performance boosters, advertising for various adobe products or indeed any software/pharmacy products at all for that matter, that most certainly does not apply to all my accounts or mailboxes.  Apart from anything else, I receive messages from the Adobe [products various] mail lists and groups etc. so filtering on that keyword in particular would defo lose me far more valid messages than spam messages. In some instances I would want the filter to err on the side of rejecting possibly valid messages whereas in other instances I would want the filter to err on the side of accepting possibly spam. This is the main reason why spam detection/filtering is not a one-size-fits-all product IMHO.

Global non-spam training: Not all messages are used, not all messages will be useful in any case and not all messages forwarded will be 100% spam. Once again, one man's spam is another man's Sunday roast and all that.  Also, I would not personally be happy sending copies of any of my private mail to an ISP or anywhere else for that matter in order to train a filter to accept it as genuine.

Whitelists: One very good solution to picking out the genuine messages from the (possibly very similar) spam ... but again, not really good for multiple users and is only a sensible thing for a specific user IMO. There is absolutely no way I would personally be even ever-so-slightly happy to submit a whole host of private and valid e-mail addresses to ANYONE in order to hold whitelist for me ... let alone trust PN to keep one !! (Sorry, but I'm sure you can understand that Mr.PN).

If you're not impressed with the PN spam detection/filtering then why not simply do your own ? Any half-decent mail reader will have the necessary facilities built in and if you really must use a reader that doesn't then products such as Mailwasher can do a superb job if set up correctly. You WILL get better results if the filtering is tailored to your own requirements - that I'm quite sure of - but I still say that it won't ever be 100% accurate.  The spamming b*ggers will always be at least one step ahead of you unfortunately :(

OT: Anyone know why whois.Registrar_Various.tld:whois (or whatever) hasn't been working for me recently ? I'm fairly sure that I haven't done anything that could possibly be considered as being 'abuse' but ye olde application that I've always used for manually looking stuff up has recently stopped working for all enquiries to any registrar's DB. All I seem to get now is some form of 'data not found' message.  e.g. looking up plus.com results in 'no match for plus.com' from Network Solutions and eNom but if I go to the website and do the same query then it brings up the details. A right old PITA !


Title: Re: Training spam filter - any point?
Post by: jelv1 on June 07, 2007, 01:19:26 pm
Quote
If you're not impressed with the PN spam detection/filtering then why not simply do your own ? Any half-decent mail reader will have the necessary facilities built in and if you really must use a reader that doesn't then products such as Mailwasher can do a superb job if set up correctly. You WILL get better results if the filtering is tailored to your own requirements - that I'm quite sure of - but I still say that it won't ever be 100% accurate.  The spamming b*ggers will always be at least one step ahead of you unfortunately :(

I'm reaching that conclusion - could you explain how I could go about setting this up on the personal domain hosted by Plusnet for my daughter's mail which she will be accessing by webmail? I've a sneaky suspicion that the solution is going to involve moving the domain elsewhere which is something I don't have the time to sort out right now!


Title: Re: Training spam filter - any point?
Post by: mikeb on June 07, 2007, 02:34:25 pm
Own domain - yuk ... and webmail - double yuk :(  I'm by no means anything remotely close to being an expert by any stretch of the imagination but I don't think that's ever going to be easy unfortunately. I also don't think changing hosts would necessarily help either unless another host has a better (for you) generic spam detection/filtering scheme.  The only really obvious and guaranteed solution is a new domain and/or a new address I reckon. 

Mailwasher (or similar) would almost certainly work pretty well for POP3 accessing given time to set it up but it's of no real help if you regularly use webmail. The only possibility that springs to mind would be doing spam detection/filtering on the entire domain regularly, deleting or moving the spam elsewhere and then redirecting all positively confirmed non-spam messages to a specific (and very obscurely named) mbox that can safely be accessed via webmail.  i.e. effectively vetting all messages remotely before they can be seen by a particular user via webmail.  I can't think how you could actually achieve this in practice mind you as I don't think Mailwasher (or similar) can do automatic forwarding.  I'll have a think about it and if I have any bright ideas let you know.


Title: Re: Training spam filter - any point?
Post by: jelv1 on June 07, 2007, 02:50:33 pm
If you knew my domain name you would see why I'm so attached to it - and why I'm so cheesed off by the fact that it is now being spammed.

As to webmail. Daughter is at a boarding school - no internet access except through the school's PCs. The only alternative to webmail is google, hotmail etc.


Title: Re: Training spam filter - any point?
Post by: simonflood on June 07, 2007, 04:05:15 pm
Quote
As it is, with a Webmail client (When we have locked down what we want) a "Report Spam" button will be a must have.
Yes! and also a "Not Spam" button for false positives in the spam folder(s).

As I've just reported in the Webmail spam reporting thread (http://usergroup.plus.net/forum/index.php/topic,4828.0.html) there appears to be an available plugin for SquirrelMail called Spam Buttons (http://www.squirrelmail.org/plugin_view.php?id=242) that will provide both of the above buttons.

Perhaps someone from PlusNet can take a look at it and report back.

Simon


Title: Re: Training spam filter - any point?
Post by: simonflood on June 07, 2007, 04:16:04 pm
Quote
As it is, with a Webmail client (When we have locked down what we want) a "Report Spam" button will be a must have.

Picking up on the above comment, am I to take it that PlusNet's plan for the future webmail system is "roll their own"?

Hmmm no offence but I'd much rather PlusNet take something that already exists (and I don't currently see why SquirrelMail can't be it) and customise that for their own purposes and update when new versions are available.  The problem with writing your own code is that you might introduce more problems than you solve.

Simon


Title: Re: Training spam filter - any point?
Post by: godsell4 on June 07, 2007, 05:10:21 pm

See the repeated values of factors used by DSpam in this header:
Quote
Envelope-to: spamtrap@godsell4.plus.com
Delivery-date: Thu, 07 Jun 2007 14:14:51 +0000
Received: by pih-sunmxcore16.plus.net with spam-scanned (PlusNet MXCore v2.00) id 1HwIlC-0005IJ-Bb
     for spamtrap@godsell4.plus.com; Thu, 07 Jun 2007 14:14:48 +0000
X-Daemon-Classification: INNOCENT
Received: from nmail166.tickle.com ([130.94.250.166] helo=ringotouch5.ringo.com)
     by pih-sunmxcore16.plus.net with esmtp (PlusNet MXCore v2.00) id 1HwIl6-0004pN-C8
     for sw@godsell4.plus.com; Thu, 07 Jun 2007 14:14:42 +0000
Received: from ringo14.tickle.com (www.ringo.com [130.94.250.39])
     by ringotouch5.ringo.com (Postfix) with ESMTP id CFAB78F5C56
     for <spamtrap@godsell4.plus.com>; Thu, 7 Jun 2007 07:15:01 -0700 (PDT)
Message-ID: <158406219.1181225701845.JavaMail.ringo@ringo14.tickle.com>
From: MASARI BELLO <masaribello15@indiatimes.com>
To: spamtrap@godsell4.plus.com
Subject: MASARI has sent you an e-card!
Mime-Version: 1.0
Content-Type: multipart/alternative;
     boundary="----=_Part_108838_158403254.1181225701844"
X-Original-Recip: spamtrap@godsell4.plus.com
Accreditor: Habeas
X-Habeas-Report: Please report use of this mark in spam to <http://www.habeas.com/report/>
X-Originating-IP: 41.205.176.12
Date: Thu, 7 Jun 2007 07:15:01 -0700 (PDT)
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Thu Jun 7 14:14:47 2007
X-DSPAM-Confidence: 0.6370
X-DSPAM-Improbability: 1 in 176 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27,
     knows+your, 0.00610,
     knows+your, 0.00610,
     <span+style, 0.99000,
     Subject*an+e, 0.99000,
     BELLO, 0.99000,
     BELLO, 0.99000,
     11px+font, 0.01741,
     family+arial, 0.02171,
     Received*Thu+7, 0.02817,
     Avoid, 0.03126,
     Avoid, 0.03126,
     Received*(Postfix)+with, 0.03272,
     will+need, 0.03407,
     Received*(Postfix), 0.03536,
     on+behalf, 0.04933,
     on+behalf, 0.04933,
     sans+serif, 0.05080,
     arial+helvetica, 0.05196,
     serif, 0.05238,
     11px, 0.05543,
     Content-Type*text/plain+charset=utf, 0.05597,
     size+11px, 0.05630,
     behalf+of, 0.05685,
     behalf+of, 0.05685,
     here+To, 0.06213,
     was+sent, 0.06675,
     was+sent, 0.06675

Why the double counting? :( Is there a good reason PN can explain to the great unwashed for this to be sensible? Or should I just lose all faith in DSpam?

SW.


Title: Re: Training spam filter - any point?
Post by: mikeb on June 07, 2007, 09:47:16 pm
Quote
If you knew my domain name you would see why I'm so attached to it - and why I'm so cheesed off by the fact that it is now being spammed.

Believe me, I can well understand. I'm pee'd off enough with getting bucket loads of the stuff now despite being spam free for 10 years and being faced with (or at least ultimately will be faced with) having to abandon all addresses of the form My_Real_Name@My_Account.plus.com and similarly for other family names or specific very relevant addresses.  If PN had compromised a domain name of mine as well then I'm really not sure that I could be any more annoyed than I already am but I would certainly try to be ! 

Nothing p*sses me off more than seeing comments along the lines of "spam is a reality of life" or "just change your address it's not that big a deal" or whatever from PN and other peeps trying to play the problem down.  Spam is not a reality of life and it is not something that everyone has to cope with.  It is something that (in general) the careless, plain stupid or just genuinely unlucky people have to deal with.  With reasonable care, spam can be and has been avoided by many people for a very long time despite them freely using their e-mail addresses all over the place.  Having said all that of course, the only guaranteed solution after getting compromised probably is to abandon the domain/account/name and start all over again, unfortunately, because the problem can only get worse rather than better. An old F9 e-mail address that was mysteriously compromised a few years back gets at least an order of magnitude more spam now than the recently compromised ones and that's just random type spam rather than the current spam-bot variety.  This is especially so in my mind because no one appears to actually be trying to deal with the problem - all anyone is doing is trying to hide it.  Not good in the slightest and certainly not good at all if you have a long-standing account or 'valuable' domain name :( 

However, there must be some reasonably easy way of redirecting pre-filtered stuff from one A/C or mbox to another mbox for viewing and even if there isn't then I'm quite sure that some clever b*gger could easily write the appropriate bit of code.  When I get the chance I will be having a good old look round for such a bit of code as it's something that I could probably find very useful to solve a similar problem I have with not wanting one particular mbox to receive anything even remotely dodgy.


Title: Re: Training spam filter - any point?
Post by: mikeb on June 08, 2007, 01:28:21 pm
Right then, I've had a good poke around in Mailwasher and a bit of search over night for similar apps but I can't find anything so far that can also redirect mail elsewhere unfortunately :(  A bit of a b*gger really because MW or a decent mail reader with similar functions would be absolutely ideal if you could add a final rule to redirect all the positively confirmed non-spam stuff automatically after de-spamming the main account.  I did see a few references to Outhouse and Thunderbird plug-ins that imply a redirect function (and presumably they also have some form of spam or other message filtering ability) but I don't use either of these myself so I'm not really able to investigate. I've always used Agent which has no end of message handling facilities and de-spam features although I still only use ye olde stylee message filtering at the mo.  Sadly, Agent doesn't appear to have a redirect function either.

However, I have found what looks to be a very useful utility for redirecting mail from any account/mailbox to another though: Mail Redirect V2.1 clicky for linky to website. (http://www.helexis.com/products/mail_management)  Messages are redirected 'properly' rather than just being forwarded or whatever i.e. the complete existing message headers are retained intact (except for the original Delivery-Date and Envelope-To) and the redirect routing etc. is added correctly. This means that to all intents and purposes the message went directly to the redirect address so can be viewed and replied to as normal.  It seemed to work really well when I had a play with it and it's free for a single redirect or $20(ish) for unlimited use.

I hope I'm not teaching granny to suck eggs here but assuming that Miss.Jelv isn't old enough to just consider the dodgy spam as 'a bit sick but more amusing than offensive' I would have set up a new mailbox for her by now and totally prevented access to the old one. If she's accessing mail at a friend's place, school or other public place then the offensive spam could also be setting off alarm bells should there be any traffic monitoring going on as well of course.  I totally understand the issues with changing Real_Name@ addresses but maybe there is an abbreviated/extended name or nickname she could use instead ? - at least until a better solution to preventing the dodgy stuff getting through can hopefully be found.  If she can advise relatives, friends and other current contacts to use the new address then at least you can be reasonably certain for now that she won't be seeing any of the dodgy stuff.

You can then setup something like MW (or your normal POP3 reader if it has the facilities) to remove the spam from the original mbox. Initially this would have to be a manual process so you could check it but hopefully once trained it could be set as a background task to filter and delete automatically once you are completely happy with the results. Same goes for your other mboxes of course. If there was a redirect function then it would be real easy to simply redirect any confirmed non-spam messages sent to the old name@ but sadly this isn't possible. You could however automatically 'bounce' any genuine messages (NOT the spam) so at least the sender would get some form of notification of a problem and hopefully make contact by other means. You could of course DL the messages and reply yourself with a standard and short "please use xxxx@ address instead" message or you could use Mail Redirect to redirect the messages to the new address so Miss.Jelv could reply as normal and tell them to use an alternative address in future. There is obviously a slight problem with the MW and MR not being synchronised though so it's not 100% fool-proof unfortunately. There is also, no doubt, a 'problem' with Miss.Jelv being far from happy with you accessing her private mail I would guess but hopefully she will understand ( or at least can be suitably bribed to understand  :-D ) that it's only a short-term thing !

I really can't see any easy solution so far though and I feel really sorry for users who have had their children's addresses compromised by PN.  It must be a complete nightmare.  I certainly wouldn't ever rely on PN (or any other service provider for that matter) to ensure that my kids wouldn't receive some of the ever increasing amount of dodgy stuff that's for sure. I would see the only plausible solution as a new name@ ASAP regardless of the nuisance factor and any other considerations. Not good and not what you want to hear and all that but if you're stuck with using webmail then I really don't see any alternative ... other than running your own mailserver etc. which is a whole new can of worms to discover !





Title: Re: Training spam filter - any point?
Post by: godsell4 on June 08, 2007, 02:42:27 pm

jelv, looks like running your own e-mail server, then training your own spam filter may be an option. An ArgoSoft Pro system may do what you want at a cost of $88, I have not used this, but I am considering giving it a try. Details @ http://www.argosoft.com/rootpages/MailServer/Compare.aspx

SW.


Title: Re: Training spam filter - any point?
Post by: jelv1 on June 08, 2007, 07:21:49 pm
You couldn't make it up! Linky (http://portal.plus.net/central/forums/viewtopic.php?p=428359#428359)

Quote
There was this guy (well, me actually) who received some spam that Plusnet had not managed to identify as such.

So he forwarded it to spam@despamchecker.plus.com like he's supposed to, and like he's always done before.

Then he got a mail from Plusnet saying that his post to spam@despamchecker.plus.com could not be delivered, because the message contained spam (well, doh?)

And to cap it all, that mail from Plusnet was flagged as SPAM (because it had spam in it) and placed in the SPAM folder, so it wasn't discovered until the daily check via Webmail.

Anybody top that?


Title: Re: Training spam filter - any point?
Post by: godsell4 on June 09, 2007, 10:29:45 am

Here is one today that it let through and did not mark as SPAM, of course MegaDick in the subject is not enough ... and then see the other junk it thinks is significant?

Quote
Envelope-to: spamtrap@godsell4.plus.com
Delivery-date: Fri, 08 Jun 2007 15:12:07 +0000
Received: by pih-sunmxcore17.plus.net with spam-scanned (PlusNet MXCore v2.00) id 1Hwg8F-0006s5-4B
     for spamtrap@godsell4.plus.com; Fri, 08 Jun 2007 15:12:07 +0000
X-Daemon-Classification: INNOCENT
Received: from p57ab04d3.dip0.t-ipconnect.de ([87.171.4.211])
     by pih-sunmxcore17.plus.net with smtp (PlusNet MXCore v2.00) id 1Hwg8E-0006m4-94
     for spamtrap@godsell4.plus.com; Fri, 08 Jun 2007 15:12:06 +0000
Message-ID: <001a01c7a9ef$3713a260$0670b6dc@NaS>
From: Eliza Fraser <tmulethal@pointfive.com>
To: spamtrap@godsell4.plus.com
Subject: MegaDik has been labeled a "Herbal Breakthrough" with over 1,500,000 bottles sold worldwide.
Date: Fri, 8 Jun 2007 17:05:28 +0200
MIME-Version: 1.0
Content-Type: text/plain;
     charset="windows-1250"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.4682
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.181
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Fri Jun 8 15:12:07 2007
X-DSPAM-Confidence: 0.5644
X-DSPAM-Improbability: 1 in 131 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27,
     Received*Jun, 0.00181,
     Date*8, 0.00987,
     will+notice, 0.01000,
     an+increase, 0.01000,
     Date*2007, 0.99000,
     Received*ipconnect.de, 0.99000,
     Subject*000, 0.01000,
     Subject*over, 0.01000,
     Subject*worldwide., 0.99000,
     Date*Fri+8, 0.01605,
     Subject*1, 0.06348,
     Date*17+05, 0.07142,
     Date*Jun, 0.07580,
     Received*Fri+08, 0.07760,
     Content-Type*1250", 0.90165,
     Content-Type*charset="windows+1250", 0.90165,
     Content-Type*charset="windows, 0.87976,
     notice, 0.18123,
     of+up, 0.18605,
     inches, 0.81198,
     size, 0.20579,
     X-Mailer*Express, 0.79189,
     X-Mailer*Outlook+Express, 0.79189,
     3, 0.20993,
     X-Mailer*Microsoft+Outlook, 0.76599,
     X-Priority*3, 0.75925,
     Subject*with, 0.75569

:(


Title: Re: Training spam filter - any point?
Post by: NB on June 09, 2007, 11:11:52 am
In fairness I should say that the spam filter has correctly identified 99% of the spam I have received, and though it has missed the odd one, it hasn't incorrectly marked any legit e-mails of mine as being spam.


Title: Re: Training spam filter - any point?
Post by: simonflood on June 10, 2007, 11:40:39 pm
Quote
In fairness I should say that the spam filter has correctly identified 99% of the spam I have received, and though it has missed the odd one, it hasn't incorrectly marked any legit e-mails of mine as being spam.

For some reason the spam filter persists in thinking that e-mails sent from my work e-mail address to a couple of PlusNet mailboxes are spam when they're most definitely not.  I've now forwarded 5 different e-mails to the notspam training address but don't hold out much hope of it ever getting it right (since after 4 forwarded messages it got the 5th one wrong!).  It wouldn't be so bad but of course the subject line gets munged with [-SPAM-] prefixed to it which can kind of confuse recipients!

Other than that the majority of spam messages are correctly getting marked as spam though you wonder why the few that don't are missed.

Simon


Title: Re: Training spam filter - any point?
Post by: poppy on June 13, 2007, 06:39:18 am
I have recently received e-mails marked spam from F9 users/addresses and a genuine aol one. Have forwarded them on to despamchecker but had to forward the whole e-mails as they were within webmail, not OE.


Title: Re: Training spam filter - any point?
Post by: mark on June 13, 2007, 11:01:42 am
The filter does seem to be improving.  However I am still getting a few through that should be tagged IMHO.


Title: Re: Training spam filter - any point?
Post by: godsell4 on June 27, 2007, 12:32:11 pm
OK, we seem to have had a couple of weeks where it was pretty good. Now I am starting to get 2 or 3 a day that are getting through without being marked SPAM.

The most recent can be seen here, where SpamCop knew this was via an open relay. See here (http://www.spamcop.net/sc?id=z1339111435z48097d179fd9190f3c16516f53ad691fz).

The e-mail subject was "intensified orgasms, rock hard erections, powerful ejaculations and enhanced fertility", I'd say DSPAM should have spotted that one. :(

Now, what did DSPAM use as criteria? Well ...
Quote
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Wed Jun 27 02:49:28 2007
X-DSPAM-Confidence: 0.6150
X-DSPAM-Improbability: 1 in 161 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27,
     Date*Jun+2003, 0.00667,
     Received*0400, 0.00768,
     Received*22+0400, 0.00987,
     Date*27+Jun, 0.01000,
     Received*2003, 0.99000,
     Subject*erections, 0.99000,
     Subject*orgasms, 0.99000,
     Subject*enhanced, 0.99000,
     Received*Wed+27, 0.02161,
     Received*45+22, 0.02432,
     Date*22+0400, 0.02550,
     Date*2003, 0.02588,
     Received*27+Jun, 0.02826,
     Received*27+Jun, 0.02826,
     Received*45, 0.04113,
     Date*0400, 0.04222,
     via, 0.05650,
     Received*02+45, 0.05966,
     Received*Fri+27, 0.08158,
     Received*2007+02, 0.91302,
     Please, 0.08870,
     Date*Fri+27, 0.10420,
     Received*28, 0.10907,
     will+receive, 0.11776,
     Received*27, 0.12274,
     Received*27, 0.12274,
     via+our, 0.13527

Why are so many items listed TWICE ?

SW.
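
Added example, not part of any post in this thread: a small parser for the X-DSPAM-Factors header quoted in the post above, showing how the listed token probabilities can add up to an "Innocent" verdict even with several 0.99 subject tokens. The thread does not say which combining algorithm the PlusNet DSPAM installation used, so the Graham-style naive Bayes combination here is an assumption, as are all function names.

```python
import math
from collections import Counter

# X-DSPAM-Factors header copied from the 27 June 2007 post above.
SAMPLE = """X-DSPAM-Factors: 27,
     Date*Jun+2003, 0.00667,
     Received*0400, 0.00768,
     Received*22+0400, 0.00987,
     Date*27+Jun, 0.01000,
     Received*2003, 0.99000,
     Subject*erections, 0.99000,
     Subject*orgasms, 0.99000,
     Subject*enhanced, 0.99000,
     Received*Wed+27, 0.02161,
     Received*45+22, 0.02432,
     Date*22+0400, 0.02550,
     Date*2003, 0.02588,
     Received*27+Jun, 0.02826,
     Received*27+Jun, 0.02826,
     Received*45, 0.04113,
     Date*0400, 0.04222,
     via, 0.05650,
     Received*02+45, 0.05966,
     Received*Fri+27, 0.08158,
     Received*2007+02, 0.91302,
     Please, 0.08870,
     Date*Fri+27, 0.10420,
     Received*28, 0.10907,
     will+receive, 0.11776,
     Received*27, 0.12274,
     Received*27, 0.12274,
     via+our, 0.13527"""


def parse_factors(header):
    """Return (declared_count, [(token, probability), ...])."""
    value = header
    if header.lstrip().startswith("X-DSPAM-Factors"):
        value = header.split(":", 1)[1]
    lines = [ln.strip().rstrip(",") for ln in value.splitlines() if ln.strip()]
    declared = int(lines[0])
    factors = []
    for ln in lines[1:]:
        # Split on the LAST comma: tokens such as charset="windows+1251"
        # are followed by a comma, and a token may contain one itself.
        token, prob = ln.rsplit(",", 1)
        factors.append((token.strip(), float(prob)))
    return declared, factors


def logit(p):
    """Log-odds of p, clamped so 0 and 1 cannot blow up the logarithm."""
    p = min(max(p, 1e-6), 1 - 1e-6)
    return math.log(p / (1 - p))


def combined_probability(factors):
    """ASSUMED Graham-style combination: prod(p) / (prod(p) + prod(1-p)),
    computed as a sigmoid over summed log-odds to avoid underflow."""
    total = sum(logit(p) for _, p in factors)
    if total < -700:
        return 0.0
    if total > 700:
        return 1.0
    return 1.0 / (1.0 + math.exp(-total))


def extra_spam_tokens_needed(factors, p=0.99):
    """How many further tokens of probability p would push the
    combined score above 0.5 under the assumed combination."""
    total = sum(logit(prob) for _, prob in factors)
    if total > 0:
        return 0
    return math.floor(-total / logit(p)) + 1


def token_listed(factors, word):
    """True if `word` appears in any listed factor token."""
    return any(word.lower() in tok.lower() for tok, _ in factors)


def summarise(header, spam_cut=0.9, innocent_cut=0.1):
    declared, factors = parse_factors(header)
    counts = Counter(factors)
    return {
        "declared": declared,
        "parsed": len(factors),
        "duplicates": sorted(tok for (tok, _), n in counts.items() if n > 1),
        "spammy": sum(1 for _, p in factors if p >= spam_cut),
        "innocent": sum(1 for _, p in factors if p <= innocent_cut),
        "combined": combined_probability(factors),
        "extra_needed": extra_spam_tokens_needed(factors),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

Under that assumption the sixteen low-probability Date/Received tokens outweigh the five high-probability ones, which is consistent with the X-DSPAM-Probability of 0.0000 shown in the quoted headers.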



Title: Re: Training spam filter - any point?
Post by: jazz on June 27, 2007, 05:03:42 pm
I agree with godsell that the spam filters seemed to work very well at first but have recently let a lot more through. By about a week ago I was receiving no spam that wasn't marked.  I have only had one email (from Amazon) marked as spam when it shouldn't have been.  However, this week I have been getting 2 or 3 spam mails each day that have not been picked up and marked by the filter even though the subject line makes the content obvious.  I'm sorry that things seem to be going backwards a bit at the moment because I think PlusNet have generally done a pretty good job with the spam filters.


Title: Re: Training spam filter - any point?
Post by: Oldjim on June 27, 2007, 10:41:30 pm
Yes things are getting through
Quote
Date: Wed, 27 Jun 2007 16:52:27 -0500
From: Clay Jean <ahoggardmtos@nameblvd.com>
Reply-To: Clay Jean <ahoggardmtos@nameblvd.com>
Message-ID: <910170857720.014674966511@nameblvd.com>
To: <postmaster@username.plus.com>
Subject: What is the dosage guideline for Wondercum?
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Wed Jun 27 21:20:49 2007
X-DSPAM-Confidence: 0.5629
X-DSPAM-Improbability: 1 in 130 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27,
   Received*Jun, 0.00181,
   Received*Wed+27, 0.00359,
   Date*27+Jun, 0.01000,
   an+experience, 0.01000,
   Subject*is+the, 0.99000,
   Received*27+Jun, 0.01000,
   Date*2007, 0.99000,
   other!, 0.99000,
   Received*H2, 0.01000,
   experience+like, 0.01000,
   Received*postmaster, 0.97335,
   Received*for+postmaster, 0.97335,
   Date*Jun, 0.07580,
   Date*16+52, 0.91503,
   like+no, 0.15509,
   Subject*What, 0.16409,
   Content-Type*8859+1", 0.19177,
   Content-Type*1", 0.19177,
   like, 0.19958,
   experience, 0.76453,
   Content-Type*8859, 0.24983,
   Content-Type*charset="iso, 0.25539,
   Content-Type*charset="iso+8859, 0.25573,
   Date*16, 0.27444,
   Received*21, 0.70717,
   Received*smtp+(PlusNet, 0.69723,
   Url*plus, 0.31359
Why isn't this marked as spam - anything with wondercum in the subject or text should automatically be spam


Title: Re: Training spam filter - any point?
Post by: jelv1 on June 28, 2007, 09:02:43 am
I'm wondering if it only analyses on the first few words of the subject - why else should wondercum not appear in the X-DSPAM-Factors?


Title: Re: Training spam filter - any point?
Post by: mikeb on June 28, 2007, 10:47:06 am
It may or may not be down to the PN spam filtering from what I've seen on my A/Cs. I have all spam options disabled and the week before last (10th - 16th June), the volume of spam received as a direct result of the compromised addresses (which had been climbing steadily) suddenly reduced by around 50%.  Random spam during the same period actually increased very slightly.  Last week and so far this week, it's back on the upward trend again.

IMHO, this can only mean one of two things happened during that week.  Either the spammers weren't sending the crap out or the PN filtering on receipt had been tweaked so it was perhaps over-aggressive.  Whilst reducing spam received is a good thing, I suggest 'perhaps over-aggressive' because I'm fairly sure that I also saw a few peeps on forums various complaining about not receiving genuine mail that they knew had been sent during the same week. 

Can PN confirm or deny whether the first-line filtering had been tweaked (or had some problem) for that week and this was subsequently corrected ... or was it just co-incidence ?


Title: Re: Training spam filter - any point?
Post by: Oldjim on June 28, 2007, 10:16:50 pm
this is getting silly
Quote
X-Daemon-Classification: INNOCENT
Received: from bhe200150026243.res-com.wayinternet.com.br ([200.150.26.243])
     by pih-sunmxcore17.plus.net with smtp (PlusNet MXCore v2.00) id 1I3yZs-0002GE-N4
     for ****.plus.com; Thu, 28 Jun 2007 18:18:49 +0000
Message-ID: <001101c7b996$bc293a80$00ac8b44@internet05>
From: Maricela Ward <jksexiped@homegodos.com>
To: ****.plus.com
Subject: US $ 159.95 buy now Viagra 100mg x 90 pills
Date: Thu, 28 Jun 2007 15:12:25 -0300
MIME-Version: 1.0
Content-Type: text/plain;
        charset="windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.2969
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.1106
x-open-relay: 200.150.26.243 is in a black list at bl.spamcop.net
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Thu Jun 28 18:18:50 2007
X-DSPAM-Confidence: 0.5148
X-DSPAM-Improbability: 1 in 107 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27,
   Received*for+james, 0.00075,
   Received*james, 0.00075,
   To*james, 0.00109,
   Received*Jun, 0.00181,
   Received*Thu+28, 0.00235,
   Subject*buy, 0.99000,
   Date*2007, 0.99000,
   Subject*pills, 0.99000,
   Date*28+Jun, 0.01000,
   Subject*US, 0.01000,
   Subject*90, 0.01000,
   Received*28+Jun, 0.01000,
   Subject*$, 0.99000,
   Date*12+25, 0.99000,
   pills, 0.99000,
   Date*25+0300, 0.99000,
   90, 0.07124,
   Date*Jun, 0.07580,
   Content-Type*charset="windows+1251", 0.91201,
   Content-Type*1251", 0.91201,
   Content-Type*charset="windows, 0.87976,
   Date*0300, 0.86731,
   x-open-relay*is, 0.84924,
   x-open-relay*a, 0.84924,
   x-open-relay*black+list, 0.84924,
   x-open-relay*list, 0.84924,
   x-open-relay*bl.spamcop.net, 0.84924
Why wasn't viagra picked up and why didn't the black listed open relay trigger the spam filter
Quote
X-Kaspersky: MailDispatcher
X-Kaspersky: Original server data starting here: +OK 2163 octets follow.
Envelope-to: postmaster@***.plus.com
Delivery-date: Thu, 28 Jun 2007 17:21:08 +0000
Received:  by pih-sunmxcore19.plus.net with spam-scanned (PlusNet MXCore v2.00) id 1I3xg3-00008t-OB
     for postmaster@***.plus.com; Thu, 28 Jun 2007 17:21:08 +0000
X-Daemon-Classification: INNOCENT
Received: from user-12ld39i.cable.mindspring.com ([69.86.141.50])
     by pih-sunmxcore19.plus.net with smtp (PlusNet MXCore v2.00) id 1I3xg2-00005w-QW
     for postmaster@***.plus.com; Thu, 28 Jun 2007 17:21:07 +0000
Message-ID: <000f01c7b986$2dd553a0$001ad324@wavexp>
From: Carroll Bentley <fulchromometer@pptorrelodones.com>
To: postmaster@***.plus.com
Subject: Price for Viagra (Sildenafil) 50mg x 10 pills US $ 59.95
Date: Thu, 28 Jun 2007 13:13:54 -0400
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.1158
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Thu Jun 28 17:21:07 2007
X-DSPAM-Confidence: 0.4982
X-DSPAM-Improbability: 1 in 100 chance of being spam
X-DSPAM-Probability: 0.8051
X-DSPAM-Factors: 27,
   Received*Jun, 0.00181,
   Received*Thu+28, 0.00235,
   Subject*Price, 0.99000,
   Date*54+0400, 0.99000,
   Date*2007, 0.99000,
   Subject*10, 0.01000,
   Subject*pills, 0.99000,
   Received*from+user, 0.99000,
   Date*28+Jun, 0.01000,
   now+This, 0.01000,
   Subject*US, 0.01000,
   Received*28+Jun, 0.01000,
   Subject*$, 0.99000,
   pills, 0.99000,
   To*postmaster, 0.99000,
   Received*postmaster, 0.97335,
   Received*for+postmaster, 0.97335,
   Date*13+54, 0.02728,
   90, 0.07124,
   Date*Jun, 0.07580,
   Content-Type*8859+1", 0.19177,
   Content-Type*1", 0.19177,
   X-Mailer*Express, 0.79189,
   X-Mailer*Outlook+Express, 0.79189,
   X-Mailer*Microsoft+Outlook, 0.76599,
   Date*13+13, 0.23901,
   X-Priority*3, 0.75925
Again why wasn't viagra picked up





Title: Re: Training spam filter - any point?
Post by: Matt_2k34 on June 29, 2007, 02:06:02 pm
maybe someone is sending spam emails to the non-spam address? After all, it's suspected the leak was an inside job?


Title: Re: Training spam filter - any point?
Post by: jelv1 on June 29, 2007, 02:24:53 pm
Quote
After all, it's suspected the leak was an inside job?

Pardon? Where on earth did you get that idea from?


Title: Re: Training spam filter - any point?
Post by: Matt_2k34 on June 29, 2007, 02:29:50 pm
I can't remember where but I seem to remember reading PN were worried the leak of persons' details came from within PN - don't quote me on that tho :-) ...

We got all the huff of what happened - and all the aftermath now.. but we *still* don't know what *actually* happened do we ?

it's just "best guess" and now "head down and deal with it" mentality imho :-(

*edit* well.. a mentality similar to that of the 2/3 hours power outage 12-18 months ago.


Title: Re: Training spam filter - any point?
Post by: jelv1 on June 29, 2007, 02:34:47 pm
Have you read http://community.plus.net/comms/2007/05/23/webmail-incident-report/ ?


Title: Re: Training spam filter - any point?
Post by: Matt_2k34 on June 29, 2007, 02:45:34 pm
Quote
b.When did it happen?
Our investigations have shown that the exploit was initiated at around 17:30 on the evening of Friday the 4th May, 2007. Customers started receiving spam on the evening of Sunday, 13th May 2007.

Quote
Why did it happen?
A vulnerability within our implementation of Webmail code in our portal was discovered and used by malicious attackers.

Our subsequent investigations found a number of vulnerabilities with our implementation of the Atmail application, including the vulnerability which had been exploited. This led to the decision we took to stop using the software entirely.

Says to me it *shouldn't* have happened :-(

As it's been said before, PN is taking a re-active rather than their old "pro-active" stance to problems and issues

Quote
Created a dedicated PlusNet security team which is formally responsible for all aspects of data and software security on our platform

There wasn't one before ? - a company of this size *didn't* have someone / a group to take care of security ?

Quote
We were not aware that customer email addresses had been obtained illegally at this point.

A week in and PN "weren't aware"; surely an attack on a mail platform should have *any* eventuality investigated fully? PN's is used by many people - and it didn't presume e-mails would have been farmed ?

it is disappointing, and yep, that report still can't "Point the finger" :-(  -- and can't offer any help as it's *way* too late to do anything about it :-(


Title: Re: Training spam filter - any point?
Post by: mbeckett on June 29, 2007, 02:57:41 pm
The attack did not originate from within PlusNet, we have made it clear that we are unaware of who is responsible but that there is a criminal investigation ongoing, from the incident report:

This has been the subject of a criminal investigation, which means we are not in a position to share all of the details which we are aware of. However, the timing of the attack and the sophistication of the exploit indicates a considerable amount of planning and expertise. The code was written in Russian and was of high quality.

I understand the frustration caused, and you're right in saying that it shouldn't have happened, but it did, and we are doing all we can to rectify the situation for all involved.

We're discussing the spam filtering internally, and taking any action possible to reduce the amount of spam which gets through, but rejecting or tagging mail based on a word in the body/title is a very aggressive way of doing this, and not something we really want to start implementing (imagine the 'debate' as to what keywords should be used).


Title: Re: Training spam filter - any point?
Post by: Matt_2k34 on June 29, 2007, 03:01:44 pm
yes - and I can understand the frustration it is causing You - The PN staff...

But I'd like to know who was responsible for security before this incident? -- re-reading that report (cheers jelv) has been a little bit of an eye opener...

Other than that, the mail platform is going to take a hammering, fortunately the timing wasn't earlier (on the old platform) as I don't think if that were the case PN would have sorted it yet.  :-)


Title: Re: Training spam filter - any point?
Post by: godsell4 on July 03, 2007, 01:45:35 pm

Back onto the subject of the SPAM filter training.

I strongly believe PN needs to start retraining the SPAM filter, I recall, perhaps incorrectly, there was a problem with the initial training of DSpam, i.e. it was trained with junk and started many false positives.

I have two reference points that suggest the filter can work better than it is at the moment.

[1] My GoogleMail and Yahoo mail are pretty much 100% accurate. I have maybe 2 or 3 days per month where I get 2 or 3 messages. That's all.
[2] The messages that DSpam does not mark [-SPAM-] but clearly are, are always correctly detected by JunkMatcher (a MacOS Bayesian filter) running on my machine at home.

Maybe PN should start to train their own filter again, maybe not the one that is live at the moment, and then when it is working for it to 'go live'.

SW.


Title: Re: Training spam filter - any point?
Post by: johnny on July 05, 2007, 11:14:56 pm
Just thought I'd mention that the spam filtering seems to be doing nothing at all for me. Spam Protection is on and yet today I received 3 blatant spam emails to my catchall address, 4 to my main mailbox and 3 to another mailbox I have.

More worryingly, since the new [-SPAM-] tagging system was introduced whereby such tagged emails are delivered to Inbox.SPAM and viewable by webmail/IMAP, not a single email has been tagged as such or moved to Inbox.SPAM in either mailbox. This leads me to believe that, for me at least, nothing is being tagged as Spam and it's all just pouring through!?!

I've just switched off the catchall address on my account so I'll see if that helps. I have to say that since joining PlusNet in November 2005 they have been the worst ISP for spam I've ever used, but such is life, it's just email, nobody died etc etc.


Title: Re: Training spam filter - any point?
Post by: godsell4 on July 06, 2007, 03:27:38 pm

E-mails are now getting 2 sets of DSpam headers added to them. Is this expected?

SW.


Title: Re: Training spam filter - any point?
Post by: mikeb on July 07, 2007, 11:06:07 am
Quote
It may or may not be down to the PN spam filtering from what I've seen on my A/Cs. I have all spam options disabled and the week before last (10th - 16th June), the volume of spam received as a direct result of the compromised addresses (which had been climbing steadily) suddenly reduced by around 50%.  Random spam during the same period actually increased very slightly.  Last week and so far this week, it's back on the upward trend again.

IMHO, this can only mean one of two things happened during that week.  Either the spammers weren't sending the crap out or the PN filtering on receipt had been tweaked so it was perhaps over-aggressive.  Whilst reducing spam received is a good thing, I suggest 'perhaps over-aggressive' because I'm fairly sure that I also saw a few peeps on forums various complaining about not receiving genuine mail that they knew had been sent during the same week. 

Can PN confirm or deny whether the first-line filtering had been tweaked (or had some problem) for that week and this was subsequently corrected ... or was it just co-incidence ?

I don't see any PN comment on this point :(

Also, it is looking rather like there is going to be around a 100% increase on targeted spam (i.e. spam sent solely to the compromised addresses) this week (1st - 7th July), bringing the totals more or less back to the previously predicted levels.  Random spam is looking like being similar to if not a little less than expected over the same period. Is there anything that PN have or have not been doing that could account for this ... or is it just co-incidence once again ?  I guess it probably explains the recent mail queues that formed if nothing else !! but it is interesting to note from service.status that recent changes to the mail platform were in fact rolled back which implies that there might be some connection.

I would appreciate some 'official' comment as to whether there is or is not anything known about that could explain these sudden and quite large changes in the level of targeted spam received.  I'm not that interested in debating the ins and outs of anything PN may be doing (unless I have anything particularly constructive to suggest) but I do want to understand what is going on.  Note that I have spam filtering DISABLED so the only PN action that could possibly affect the level of spam I receive is any changes made to spam detection/filtering that results in silent deletion on receipt.

Edited to add: Quicky graph to show the volume of spam received per week.  Black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Please note that the figures for WK8 are currently estimated and will be updated at midnight tonight with actual figures.  I still haven't received any spam whatsoever to any addresses or mailboxes other than those specific addresses and mailboxes which were compromised in the webmail incident.

(http://www.twowheels.force9.co.uk/TEMP/spam1.jpg)


Title: Re: Training spam filter - any point?
Post by: godsell4 on July 09, 2007, 12:12:08 pm

Have there been changes to ClamSpam made in the last 24 hours?

Either ClamSpam has changed, or the information it uses from RBL and such like has changed, it seems to be getting all the Wonder*** and MegaD*** messages at the moment. :)

Good News!

SW.


Title: Re: Training spam filter - any point?
Post by: godsell4 on July 10, 2007, 10:18:22 am

Nope, just a blip it seems, to compromised mailbox I had 3 messages for male appendage enhancing drugs.

SW.


Title: Re: Training spam filter - any point?
Post by: mikeb on July 10, 2007, 10:20:22 pm
Quote
I would appreciate some 'official' comment as to whether there is or is not anything known about that could explain these sudden and quite large changes in the level of targeted spam received.

Sooooooo, I return from a few v.nice days away damaging my hearing a  bit more with some most excellent v.loud music and perhaps the occasional beverage (or six) to a v.well stuffed mailbox that offers to cure almost all the inevitable problems of my excesses :D Yaaaay !, the old interwebthingy has a solution for all of life's little problems doesn't it :P ... but still no comment from Mr.PN, unfortunately :(

Erhm, maybe we could start with a real simple YES or NO and take it from there ?


Title: Re: Training spam filter - any point?
Post by: godsell4 on July 13, 2007, 03:13:15 pm
Come on folks, all the unmarked SPAM I had this morning came via known open relays according to SpamCop. See an example SpamCop report for one of them here (http://www.spamcop.net/sc?id=z1357562689z54fa834807a85f8102d63e3e23f511c8z).

:(

SW.


Title: Re: Training spam filter - any point?
Post by: mikeb on July 15, 2007, 12:47:13 am
Don't know why I'm bothering really, but just in case anyone does actually give a d@mn and is likely to comment one way or another as previously requested (more than once), here's this week's data for your info:

(http://www.twowheels.force9.co.uk/TEMP/spam2.jpg)

As before, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). 

First milestone now passed: volume of targeted spam to PN compromised addresses now exceeds the volume of random spam received to all addresses on a very old and previously compromised a/c :(  Second milestone coming up fast ... and then it's decision time on how to effect a satisfactory resolution long term.

I'm getting more than a bit convinced that the apparent lack of any PN response to just about any SPAM related query round here is indicative of known issues and not wanting to own up to problems or whatever. Apologies if that's not the case but seeing what appears to be several cases of blatantly ignoring stuff can only lead people to that conclusion unfortunately :(


Title: Re: Training spam filter - any point?
Post by: quaint1 on July 15, 2007, 09:27:19 am
Mikeb,
I'm pleased you are bothering!  If only to save my own sanity in that my perception of the situation is much like yours.

Please PN, do try and get your spam filter to be much, much more effective.  So many people have made suggestions as to how it can be improved, it is really very disappointing that you appear to be ignoring the problem completely.

I am convinced that forwarding undetected spam is a waste of time at present!



Title: Re: Training spam filter - any point?
Post by: bpullen on July 16, 2007, 10:33:13 am
Quote
I'm getting more than a bit convinced that the apparent lack of any PN response to just about any SPAM related query round here is indicative of known issues and not wanting to own up to problems or whatever.

Mike, I'm not sure what you mean by this. Yes we are aware that there is still a large air of dissatisfaction regarding the spam filtering. The cause though remains the same and we've no reason to believe that there are any wider spread issues. We have been working very hard to implement improvements to the filtering. This morning for example we rolled out the functionality to block on subject line (not as easy as it sounds). We hope that we're now catching all the MegaDik/Wondercum stuff but we'd appreciate feedback on this as looking at the stats very little was caught on the mx.lasts over the weekend.

Quote
Apologies if that's not the case but seeing what appears to be several cases of blatantly ignoring stuff can only lead people to that conclusion unfortunately :(

We are certainly not trying to ignore anything. If you can point me to specific examples of this then I'd be happy to formulate a response.


Title: Re: Training spam filter - any point?
Post by: NB on July 16, 2007, 01:04:48 pm
I think these (from just this page) are some of the questions Mike is referring to:

Quote
But I'd like to know who was responsible for security before this incident? -- re-reading that report (cheers jelv) has been a little bit of an eye opener...
Quote
It may or may not be down to the PN spam filtering from what I've seen on my A/Cs. I have all spam options disabled and the week before last (10th - 16th June), the volume of spam received as a direct result of the compromised addresses (which had been climbing steadily) suddenly reduced by around 50%.  Random spam during the same period actually increased very slightly.  Last week and so far this week, it's back on the upward trend again.

IMHO, this can only mean one of two things happened during that week.  Either the spammers weren't sending the crap out or the PN filtering on receipt had been tweaked so it was perhaps over-aggressive.  Whilst reducing spam received is a good thing, I suggest 'perhaps over-aggressive' because I'm fairly sure that I also saw a few peeps on forums various complaining about not receiving genuine mail that they knew had been sent during the same week. 

Can PN confirm or deny whether the first-line filtering had been tweaked (or had some problem) for that week and this was subsequently corrected ... or was it just co-incidence ?

I don't see any PN comment on this point :(

... Is there anything that PN have or have not been doing that could account for this ... or is it just co-incidence once again ?  I guess it probably explains the recent mail queues that formed if nothing else !! but it is interesting to note from service.status that recent changes to the mail platform were in fact rolled back which implies that there might be some connection.

I would appreciate some 'official' comment as to whether there is or is not anything known about that could explain these sudden and quite large changes in the level of targeted spam received. ...


Title: Re: Training spam filter - any point?
Post by: bpullen on July 16, 2007, 02:37:35 pm
To my knowledge nothing was changed at this side that could be attributed to the increase in spam towards the end of June. When I get a little more time though I'll see if I can pull together a list of any configuration changes/roll-outs that did occur during this time.

I personally think that either the volume of spam being sent increased, or the methods or origin of the spam changed meaning that either more spam was being received undetected or less was being deferred at MX level by the blacklists we have in place.


Title: Re: Training spam filter - any point?
Post by: quaint1 on July 16, 2007, 08:11:26 pm
Thanks to Bob for the news that subject line filtering is in place at last. At the very least, it should reduce the more blatantly unpleasant spam from getting through even if this does only marginally reduce the untrapped spam volume.

I am happy to eat my words about PN ignoring the problem. I was wrong and am happy to admit it! :oops:

All I want now is re-assurance that forwarding missed spam is worthwhile.


Title: Re: Training spam filter - any point?
Post by: mikeb on July 17, 2007, 12:13:51 am
Quote
To my knowledge nothing was changed at this side that could be attributed to the increase in spam towards the end of June. When I get a little more time though I'll see if I can pull together a list of any configuration changes/roll-outs that did occur during this time.

I personally think that either the volume of spam being sent increased, or the methods or origin of the spam changed meaning that either more spam was being received undetected or less was being deferred at MX level by the blacklists we have in place.


Thanks for the response and if there is anything relevant coming out of your enquiries when you get the chance then I will be interested to hear more.

Whilst I'm quite sure you and others are doing whatever you can, it does niggle somewhat when simple questions appear to be being 'overlooked' for lengthy periods of time. Apart from my points regarding the volume received, there are several other users who have asked about dspam headers and so on which similarly do not appear to have received any response.  Likewise, comments in other threads such as those regarding problems being experienced by or comments in relation to users running their own mailserver appear to have remained unanswered for an unreasonably long time.

In the case of my point, the sharp decrease in volume appeared to happen around the time of mail platform changes and reports from other users (not from me) of genuine mail going AWOL. The sharp increase in volume again appeared to happen around the time of mail platform changes and the subsequent rollback of those changes. I too am working on finding a workable solution to this d@mn problem (one that suits me rather than something generic that may not) so it is important that I fully understand what (if anything) is affecting the data I am collecting. I am obviously not aware of what PN are doing on receipt as any action taken there is taken silently. If the dramatic changes are down to PN influences then fine, that's all I need to know and I can treat the data for that period as suspect.  If not then the data can be treated as totally valid and an alternative explanation found. It looks suspiciously like PN influences to me but, like I said, it could just as well be completely coincidental. If it isn't something to do with the PN 1st line filtering being tweaked or simply a natural increase then I would suggest that it is down to the spammers starting to add clearly forged routing headers in most messages. This may well be 'confusing' the 1st line filtering sufficiently enough to accept the message whereas previous messages without these forged headers would have been rejected on receipt.

The points raised by other users regarding dspam keywords/headers do not really interest me particularly as I have spam filtering as disabled as I possibly can.  However, they do raise queries that deserve an answer of some sort rather than apparently being 'overlooked'. For instance, why are obvious keywords such as W*****C** and M***D** not apparently being used ?  Why does the weighting of certain (and very obviously spammy/dodgy) keywords not appear to be *a lot* higher ?  Why are there often multiple occurrences of identical dspam headers in received messages ?  There may be others as well but these do all seem pretty relevant to me for anyone using the PN filtering and tend to indicate that the filtering isn't as good as it could/should be - and for no particularly obvious reason either.

I fully understand the difficulty in trying to filter this crap and have even tried to 'excuse' what could be considered as poor PN performance by some users myself. But it does strike me as quite wrong and pretty unacceptable that certain *very* obvious keywords are (maybe that should be were ?) not being picked up and the messages continue to be delivered.

As for the new additional filtering on receipt - I read a report on it somewhere but I'm b*ggered if I can find it now ! - I'm not sure if I'm pleased or concerned.  Definitely pleased in as much as anything that reduces 100% guaranteed spam is always a *very* good thing ... but somewhat concerned at the increased potential for genuine mail being lost or rejected due to over-aggressive filtering. This was my main concern for what was happening the few weeks beginning 10th June when volume reduced significantly. I have little or no intention of ever using PN spam filtering just so long as there is an option not to as I would much prefer to do my own thing.  I believe that this will be the better and more reliable option for me. However, any filtering that happens 'on receipt' is completely outside of my control and in principle I will have no idea of what if anything has been silently deleted. Absolutely fine if it's always 100% accurate of course but difficult to say the least to guarantee anything close to that !

I know from personal experience that significant quantities of genuine mail goes missing, is rejected or is incorrectly tagged "spam" with other service providers (hotmail, yahoo, freeserve and aol to name just a few) due to their over-aggressive filtering and therefore any 1st line filtering or whatever that PN introduce by default concerns me greatly. The day I start losing genuine mail without any warning will be the day that forces the decision on the future.  I seem to recall reading in the report I now can't find that, initially, there will be only a header added to the messages but no action taken.  I sincerely hope I don't see any of these new headers in my genuine mail !!!!!

BTW, re M***D** etc. filtering: I still got some today but I presume that you mean this new filtering you mentioned in an earlier post is taking place AFTER receipt so that would presumably explain why.

PS: if anyone can point me in the direction of the report I know I read a while back (it concerned some shiny new piece of kit being introduced between the load-balancers and the mail platform(s) and said it had already been tested in front of 'gatekeeper' with reasonable results ... or words to that effect, I think) then I will be most grateful :)


Title: Re: Training spam filter - any point?
Post by: NB on July 17, 2007, 12:33:17 am
It's here (http://usergroup.plus.net/forum/index.php/topic,5002.0.html) :wink:


Title: Re: Training spam filter - any point?
Post by: mikeb on July 17, 2007, 12:38:54 am
Mucho thanx :)  Just about the only place I hadn't looked was in the hidden-when-not-logged-in forums !  (http://www.twowheels.force9.co.uk/STUFF/SMILIES/doh.gif)


Title: Re: Training spam filter - any point?
Post by: mikeb on July 22, 2007, 02:29:26 am
OK, so this week's graph (mentioned briefly on another thread as expected to be the case) shows another fairly dramatic decrease in the volume of targeted SPAM immediately following changes to the mail platform and it also corresponds to a period of possible missing genuine mail again.  Whilst I must obviously admit that it could still all be simply co-incidence, it really is looking more than a bit suspicious now don't you think ?  BTW, the decrease in volume this week is actually *a lot* more dramatic if you consider the daily volume rather than a total for the week.  The volume/day for the latter part of the week (Thursday to Saturday) was less than ~10% of the horrendous volume/day for Sunday to Wednesday. If this kinda volume continues into next week then that should make for a very nice and 'interesting' graph in around a week's time ... but only if the suspected missing stuff is someone else's problem rather than somehow connected to the reduced SPAM volume !

(http://www.twowheels.force9.co.uk/TEMP/spam3.jpg)

As before, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of SPAM received.

I'm not sure if this is a good place to say this (primarily because it might help the bl**dy spammers) but here goes anyway.  If anyone thinks it really is an incredibly stupid place to mention this kind of stuff then please feel free to delete the rest of the post ASAP or perhaps move it to a more appropriate place such as one of the hidden-unless-logged-in forums or whatever.

One of the fairly recent changes that I've noted is that a significant proportion of SPAM now contains 100% obvious forged routing headers. For the first several weeks after SPAM day (13th May) it was very rare to see any message that didn't come direct from a compromised machine. i.e. the only routing header was the one added by the PN mail platform. They still all come from compromised machines now of course but by far the majority over recent weeks seem to contain forged routing headers. Here's a couple of examples:

Quote
Received: from betly-haymaker.volia.net ([77.122.112.24]) ...
... by pih-sunmxcore19.plus.net with esmtp (PlusNet MXCore v2.00) id 1IC1p2-0003Pk-RW ...
... for My_Name@My_Account.plus.com; Fri, 20 Jul 2007 23:23:45 +0000

Received: from [77.122.112.24] by retribution.cnchost.com; Fri, 20 Jul 2007 23:18:26 -0200

Quote
Received: from [124.53.156.144] (helo=COM0701) ...
... by fhw-sunmxcore01.plus.net with esmtp (PlusNet MXCore v2.00) id 1IBAjH-0006B0-5b ...
... for My_Name@My_Account.plus.com; Wed, 18 Jul 2007 14:42:17 +0000

Received: from 72.22.69.221 (HELO mail.ipowerballlottery.com) ...
... by My_Account.plus.com with esmtp (N602/R4.6I9N OPMY.5) id H9E:.3->.,2M5-90 ...
... for My_Name@My_Account.plus.com; Wed, 18 Jul 2007 14:42:20 -0900

Now, the first example is clearly forged because the receiving IP for both routing headers is the same and in any case the IP is not consistent with the host name in the forged header.  The second example is clearly forged because it claims My_Account.plus.com actually received the message before the PN mail platform did ! In any case, even if it were a more valid-looking routing, it isn't (and wouldn't ever) be consistent with the genuine header eventually added by the PN mail platform after receipt.

So, without trying to teach Granny to suck eggs and all that, my question is this: Is it not possible for the PN mail platform to check the validity of message routing (particularly with the introduction of this shiny new piece of kit prior to the PN mail platform proper) and then reject anything quite obviously dodgy ?  I do mean formally REJECT with an appropriate error message rather than quietly dump of course just in case there is some genuine problem or genuine mistake in a genuine message.  I do also realise that it would be a hell of a lot of processing considering the amount of mail that flows in but the benefit could be enormous if it were possible to analyse existing routing headers accurately prior to formally accepting a message.

Similarly, I'm sure there are various other things that could also be checked rather more closely - rDNS on the relevant IP(s) being an obvious example although that is clearly *VERY* prone to being a right old PITA in reality due to the high potential for rejecting genuine messages from incompetent organisations and/or silly people !

In fact both of these possible measures could actually result in significant quantities of 'missing' mail and therefore aren't in any way consistent with my serious concerns about losing mail by one means or another ... but then again, maybe it's long past time that people learnt that if they don't do things 'properly' then it won't work ! There is no real excuse for adding dodgy, incorrect or misleading routing headers unless you have something to hide and similarly for having missing, inappropriate or otherwise iffy rDNS entries either. Perhaps short-term pain is a reasonable price to pay for long-term gain ?  But is it possible to be more picky about what messages are accepted without trying to enforce draconian measures that will most likely result in no end of problems for large numbers of people ?

I still firmly believe that SPAM can only be really dealt with effectively at source rather than at destination of course so I would also be interested to know what steps PN are taking to 'encourage' other service providers to enforce their AUP and prevent abuse by their customers. You must have a *very* much longer list of offending IPs and the relevant organisation responsible for them than I do by now !  Easier said than done I would agree but then again I have yet to find any ISP who takes abuse reports seriously and actions them in anything remotely close to a timely manner - if at all :(  Maybe it's way past time to get seriously tough with ISPs various who no doubt consider dealing with alleged abuse as an unnecessary cost and inconvenience to themselves rather than as a very necessary part of preventing SPAM and suchlike.
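The two inconsistencies described in the post above, written as a header check. This is an added example, not part of the original post and not Plusnet's code; the function names, the reason labels, the 5-minute clock-skew allowance and the extra timestamp comparison (a generalisation of "received before the PN mail platform did") are assumptions, and the platform's own hops are recognised here only by host-name suffix.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

FROM_RE = re.compile(r"\bfrom\s+(.*?)\s+by\s", re.S)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9_.-]+)")


def parse_received(value):
    """Extract the claimed source IP, the stamping host and the time of one hop."""
    from_clause = FROM_RE.search(value)
    ip = IP_RE.search(from_clause.group(1)) if from_clause else None
    by = BY_RE.search(value)
    try:
        when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
    except (IndexError, TypeError, ValueError):
        when = None
    return {"from_ip": ip.group(0) if ip else None,
            "by": by.group(1).lower() if by else None,
            "time": when}


def _later(a, b, skew):
    """True when timestamp a is more than `skew` after b (both must carry a zone)."""
    if a is None or b is None or a.tzinfo is None or b.tzinfo is None:
        return False
    return a - b > skew


def check_chain(received, trusted_suffix, recipient_domain,
                skew=timedelta(minutes=5)):
    """received: Received: values, newest first, as they appear in the message.

    Returns (stamping host, reason) pairs for every sender-supplied hop that
    contradicts the hop written by the receiving platform itself.
    """
    hops = [parse_received(v) for v in received]
    edge, below = None, []
    # Assumption: the platform's own hops are the leading run whose "by" host
    # ends with trusted_suffix; a real MTA knows which headers it added.
    for i, hop in enumerate(hops):
        if hop["by"] and hop["by"].endswith(trusted_suffix):
            edge, below = hop, hops[i + 1:]
        else:
            break
    if edge is None:
        return [(None, "no-trusted-hop")]
    findings = []
    for hop in below:
        # A hop stamped by the recipient's own domain cannot predate delivery.
        if hop["by"] == recipient_domain.lower():
            findings.append((hop["by"], "by-recipient-domain"))
        # The machine that connected to us directly claims another host
        # received the message from that very same IP.
        if hop["from_ip"] and hop["from_ip"] == edge["from_ip"]:
            findings.append((hop["by"], "self-relay"))
        # An earlier hop must not be dated after our own receipt.
        if _later(hop["time"], edge["time"], skew):
            findings.append((hop["by"], "timestamp-after-receipt"))
    return findings


# Headers copied from the post above with the "..." continuation marks removed.
THREAD_EXAMPLE_1 = [
    "from betly-haymaker.volia.net ([77.122.112.24]) by pih-sunmxcore19.plus.net"
    " with esmtp (PlusNet MXCore v2.00) id 1IC1p2-0003Pk-RW"
    " for My_Name@My_Account.plus.com; Fri, 20 Jul 2007 23:23:45 +0000",
    "from [77.122.112.24] by retribution.cnchost.com;"
    " Fri, 20 Jul 2007 23:18:26 -0200",
]
THREAD_EXAMPLE_2 = [
    "from [124.53.156.144] (helo=COM0701) by fhw-sunmxcore01.plus.net"
    " with esmtp (PlusNet MXCore v2.00) id 1IBAjH-0006B0-5b"
    " for My_Name@My_Account.plus.com; Wed, 18 Jul 2007 14:42:17 +0000",
    "from 72.22.69.221 (HELO mail.ipowerballlottery.com) by My_Account.plus.com"
    " with esmtp (N602/R4.6I9N OPMY.5) id H9E:.3->.,2M5-90"
    " for My_Name@My_Account.plus.com; Wed, 18 Jul 2007 14:42:20 -0900",
]
# Constructed control: an ordinary two-hop delivery with consistent headers.
CONSTRUCTED_CLEAN = [
    "from mail.example.org ([192.0.2.10]) by mx.isp.example with esmtp"
    " id CONSTRUCTED-1 for user@box.isp.example; Fri, 20 Jul 2007 10:00:05 +0000",
    "from workstation.example.org ([192.0.2.55]) by mail.example.org with ESMTP"
    " id CONSTRUCTED-2; Fri, 20 Jul 2007 10:00:01 +0000",
]

if __name__ == "__main__":
    for chain in (THREAD_EXAMPLE_1, THREAD_EXAMPLE_2):
        print(check_chain(chain, ".plus.net", "My_Account.plus.com"))
    print(check_chain(CONSTRUCTED_CLEAN, ".isp.example", "box.isp.example"))
```

The findings are only evidence; whether a platform rejects at SMTP time, tags, or ignores them is the policy question the post raises.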


Title: Re: Training spam filter - any point?
Post by: quaint1 on July 22, 2007, 10:25:33 am
Thanks, mikeb, for your interesting stats. and comments and conclusions.

I am surprised that seemingly obvious forged routing info is not actually 'tested' by the current implementation of the spam filter.  Is there a good technical reason for this, I wonder?

As a non techie, I have spam filtering turned on and have received almost zero spam with sexually explicit subject lines over the last several days.  So well done PN, at least that is one obvious improvement.



Title: Re: Training spam filter - any point?
Post by: mikeb on July 22, 2007, 02:00:38 pm
There has been very little (if any) particularly explicit stuff getting into PN since round Thursday last week. A fair old %ge of the reduction is almost certainly due to the implementation of Subject: and/or body: filtering of W*****C** and M***D** earlier in the week (and there may now be other search terms added as well of course) but it could just as easily be down to the spammers not actually managing to send the crap out !  It was horrendous at the start of the week with all the usual stuff together with numerous Bcc: copies as well :( but without some level of reporting from PN it is virtually impossible to know for sure why there was a very significant decrease in the latter part of the week. 

What I do know is that for the first time since SPAM day (13th May), my spam-test e-mails were actually rejected this week.  This is a good thing :) ... but as always, providing that the 1st line detection isn't overly aggressive.  For instance, I would dearly love to see filtering of anything Adobe Bugware related as that is the next most popular category of SPAM for me but at the same time I also receive many genuine messages that would get lost if that was the case so it certainly isn't a good idea in practice.  Keyword filtering is very prone to causing some peeps problems whilst helping others. One man's SPAM is another man's Sunday Roast and all that. There will almost always be some peeps who get very genuine messages containing the kind of terms others would consider as 100% accurate indicators of SPAM.  Obviously, W*****C** and M***D** are most unlikely to fall into that category ;)

However, subject: (or even body:) filtering is an uphill and almost never ending problem from past experience as well as ultimately becoming a complete waste of time. It's only a (very) short-term solution IMHO. Just think about how many possible and perfectly 'human readable' variations there are between "Viagra" and "\/1@GRA" for starters without even considering mis-spelling or adding spaces, underscores, dashes, asterisks and so on between letters !  Multiply that by the number of relevant spammy keywords and you have a list more suitable for being printed on king-size extra-length toilet rolls than actually being used in anger :D  Back in the days when I used to try to filter on keywords for an old account, the list of terms got quite ridiculous very quickly and it soon became a complete nonsense.  The other thing is that no amount of filtering is ever likely to deal effectively with image files and the spammers soon progress to totally random and innocent looking subject: and body text so these messages will come straight through without ever being detected in any case.  The fact that perhaps the majority of peeps send and receive HTML messages these days rather than good old plain text means that image based SPAM is just as effective as text in most instances.

Filtering at destination (in general) is not in any way a solution to the problem IMHO. It only provides relatively short-term relief of the symptoms and therefore buys time to find a more realistic and effective solution. Spammers are unlikely to be stupid. They have a vested interest in getting their crap delivered and are always going to be (at least) one step ahead of any generic filtering I would suggest.  Time, effort and money would be far better spent in tackling and shutting down the sources of SPAM than simply trying to hide it.

A very good start point would be ISPs suspending the service to users proven as the source of any level of abuse IMMEDIATELY rather than poncing around for weeks and months (if indeed doing anything constructive at all that is) allegedly trying to contact the user and advising them to do a malware check.  Yes, of course I understand that relatively innocent but naive or stupid users manage to get hijacked but that's not the point is it. Such users are highly unlikely to see let alone respond to e-mails from their ISP if they don't understand the issues and especially when their inbox is no doubt stuffed with bounced messages or whatever as well !  The service should be suspended immediately on receipt of proof of abuse in order to prevent any further abuse.  That will not only 'cure' the problem at the destination end fairly rapidly but will also force such users to find a resolution to their own problems in a timely manner.  Suddenly finding a lack of service is most certainly going to focus the mind on the problem that's for sure !

Consider this:  How many ISPs wouldn't suspend or restrict the service provided to users found guilty of using excessive BW almost immediately for instance ? Certainly PN would although I totally accept that not all ISPs monitor usage to the extent they do of course.  But my point is that action would most likely be taken swiftly if something is costing the ISP money or causing them problems ... abuse reports are far more likely to be considered as 'a bit of a nuisance' and not worthy of swift action because it actually takes time and costs them money to deal with abuse as well as potentially upsetting their own customers.  It's a bit like the usual scenario with a lot of companies: free-phone order line with 1000's of operators sitting there waiting to take your call 24/7 ... but only one single premium rate line for (so-called) Customer Service, complaints or problems and that is only available between 1000 and 1600 hours or whatever !!  I rest my case M'Lud.  Most if not all ISPs need a good old kick up the @rse to 'encourage' them to deal with the sources of SPAM and other abuse in a responsible manner :evil:


Title: Re: Training spam filter - any point?
Post by: godsell4 on July 26, 2007, 04:17:01 pm

Is there a problem with dspam on mxcore15 ?

I say this because on any spam message that gets through without being [-SPAM-] tagged, I find it most comes via mxcore15 and, look at the headers, the spamicity rating is always the default 0.04 !

Quote
Envelope-to: xxx@godsell4.plus.com
Delivery-date: Tue, 24 Jul 2007 13:29:05 +0000
Received: by pih-sunmxcore15.plus.net with spam-scanned (PlusNet MXCore v2.00) id 1IDKRk-000358-Rg
     for xxx@godsell4.plus.com; Tue, 24 Jul 2007 13:29:05 +0000
X-Daemon-Classification: INNOCENT
Received: from [211.247.145.80] (helo=uvkyj)
     by pih-sunmxcore15.plus.net with smtp (PlusNet MXCore v2.00) id 1IDKRi-0002sE-CL
     for xxx@godsell4.plus.com; Tue, 24 Jul 2007 13:29:03 +0000
Received: from fr.acj ([194.91.125.233]) by uvkyj with Microsoft SMTPSVC(6.0.3790.211); Tue, 24 Jul 2007 22:26:06 +0900
Message-ID: <001601c7cdf6$30665450$e97d5bc2@fr.acj>
From: "netfuncards.com" <uxa@kirusa.com>
To: <xxx@godsell4.plus.com>
Subject: RE:
Date: Tue, 24 Jul 2007 22:26:06 +0900
MIME-Version: 1.0
Content-Type: text/plain;
     format=flowed;
     charset="koi8-r";
     reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4131.1600
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4131.1600
x-open-relay: 211.247.145.80 is in a black list at bl.spamcop.net
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Tue Jul 24 13:29:04 2007
X-DSPAM-Confidence: 1.0000
X-DSPAM-Improbability: 1 in 98689409 chance of being spam
X-DSPAM-Probability: 0.0023
X-DSPAM-Factors: 27,
     X-PN-VirusFiltered*MXCore, 0.40000,
     Message-ID*fr.acj>, 0.40000,
     Subject*RE, 0.40000,
     Received*Tue, 0.40000,
     Received*Tue, 0.40000,
     When+the, 0.40000,
     of, 0.40000,
     X-PN-VirusFiltered*MXCore+(v4.00), 0.40000,
     thought, 0.40000,
     X-MimeOLE*By, 0.40000,
     Received*v2.00), 0.40000,
     Received*26+06, 0.40000,
     Received*Microsoft, 0.40000,
     being+average, 0.40000,
     been, 0.40000,
     X-MimeOLE*Produced, 0.40000,
     From*<uxa+kirusa.com>, 0.40000,
     Url*com/, 0.40000,
     Received*id+1IDKRi, 0.40000,
     Received*smtp+(PlusNet, 0.40000,
     Content-Type*charset="koi8, 0.40000,
     To*<laj, 0.40000,
     doesnt, 0.40000,
     Received*pih, 0.40000,
     To*<xxx+godsell4.plus.com>, 0.40000,
     Received*([194.91.125.233])+by, 0.40000,
     x-open-relay*211.247.145.80+is, 0.40000

On the other mxcore machines, the line in the headers that reads:
         x-open-relay: 211.247.145.80 is in a black list at bl.spamcop.net

Would have shown up as one of the dspam factors with a high rating.

Has mxcore15 had a different dspam training?

SW.


Title: Re: Training spam filter - any point?
Post by: poppy on July 27, 2007, 12:06:04 pm
I have to agree with mikeb - spam has dropped to almost nothing, particularly the really offensive stuff so I assume that it is down to all the work that is going into the problem from Plusnet staff or the spammers are on their summer hols. Anyway, if it is the former - well done!


Title: Re: Training spam filter - any point?
Post by: dusty_bin on July 27, 2007, 12:41:25 pm
I'm currently having problems with email being put in the wrong POP3 mailbox, which has led to an interesting situation:

An order confirmation was received by email and the spam checker said:
Code:
X-PN-Spam-Filtered: by PlusNet MXCore (v3.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Thu Jul 26 11:24:19 2007
X-DSPAM-Confidence: 0.6501
X-DSPAM-Improbability: 1 in 187 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27,
Subtotal, 0.00235,
Received*e.net, 0.00328,
Received*e.net, 0.00328,
Quantity+Price, 0.00535,
3891, 0.01000,
8+94, 0.01000,
Product+Quantity, 0.01000,
M99, 0.99000,
Received*e.net), 0.01000,
From*m, 0.99000,
From*m, 0.99000,
by+Credit, 0.01000,
G+P, 0.99000,
Nottinghamshire, 0.01000,
Delivery-date*26+Jul, 0.01000,
X-Mailer*PHPMailer+[version, 0.01003,
X-Mailer*PHPMailer, 0.01003,
0+99, 0.01183,
X-Mailer*[version, 0.01914,
Date*26+Jul, 0.02024,
X-Mailer*[version+1.73], 0.02148,
X-Mailer*1.73], 0.02148,
710, 0.03065,
Hertfordshire, 0.03519,
Hertfordshire, 0.03519,
appears+below, 0.03566,
26+Jul, 0.03895

Today I went into webmail and forwarded it to the correct mailbox and the spam checker said:
Code:
X-PN-Spam-Filtered: by PlusNet MXCore (v3.00)
X-DSPAM-Result: Spam
X-DSPAM-Processed: Fri Jul 27 11:27:50 2007
X-DSPAM-Confidence: 0.5095
X-DSPAM-Improbability: 1 in 105 chance of being ham
X-DSPAM-Probability: 0.9999
X-DSPAM-Factors: 15,
Subtotal, 0.00210,
Quantity+Price, 0.00479,
3891, 0.01000,
8+94, 0.01000,
Received*0000nm, 0.99000,
Product+Quantity, 0.01000,
54+0500, 0.99000,
02024, 0.99000,
94+0, 0.01000,
([69+20, 0.99000,
M99, 0.99000,
0+02148, 0.99000,
(unverified, 0.99000,
02148, 0.99000,
com+(unverified, 0.99000


Title: Re: Training spam filter - any point?
Post by: mikeb on July 29, 2007, 01:10:56 am
So here's this week's graph. A very significant drop across the board and your guess is probably just as good as mine as to WTF is going on here !!!  However, it has been suggested by another user that spam to non-PN compromised addresses has also seen a significant reduction in volume this week implying that the reason for the decrease is not necessarily down to PN action.

I have not seen any headers from the new kit that was going to be introduced prior to the mail platform(s) so far.  I got the impression that this new kit would be going live 'real soon' from reading the announcement on 9th July so has this happened or not ? and if so, is it *really* working as stated or just quietly dumping stuff ?

In the continued absence of PN comment, I don't think there's much point in further crystal ball gazing as there are quite simply too many unknowns in the equation.

(http://www.twowheels.force9.co.uk/TEMP/spam4.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.

Edited to add: I think we need some form of competition here because my prediction algorithms are really struggling to cope with the unexplained dramatic changes in the data.  Something along the lines of "Where's Wally My Spam" or "guess the number of cherries in the fruit cake spams in my inbox" perhaps ? Sounds like a plan to me. So, it's answers on ye olde postcard (until I get the premium rate line set up and then charge everyone to enter but 'randomly' pick my mate down the road as the winner like certain other big organisations think they can actually get away with) to this simple question: Where will the red and blue lines end up at 2359 and a bit hours next Saturday night ?

Oh yeah, and just to make it even more 'interesting' and to encourage sensible estimates rather than simply pure guesses, maybe the closest 'answer' gets a shiny new spam-free PN A/C ... whilst the most outrageously wrong 'answer' gets everyone else's spam redirected to their existing A/C :-P


Title: Re: Training spam filter - any point?
Post by: godsell4 on July 29, 2007, 09:10:54 am

Today, is there something up with mxcore17 ?

This message had 'Viagra' in the subject line and the spamicity value for all DSPAM factors was the default 0.04 ... hence, this message was NOT marked as [-SPAM-]

Quote
Envelope-to: xxxx@godsell4.plus.com
Delivery-date: Sun, 29 Jul 2007 00:05:00 +0000
Received: by pih-sunmxcore17.plus.net with spam-scanned (PlusNet MXCore v2.00) id 1IEwHM-0002Hv-FC
     for xxxx@godsell4.plus.com; Sun, 29 Jul 2007 00:05:00 +0000
X-Daemon-Classification: INNOCENT
Received: from smtp-in-78.livemail.co.uk ([213.171.216.78])
     by pih-sunmxcore17.plus.net with esmtp (PlusNet MXCore v2.00) id 1IEwHM-0002Hg-4q
     for xxxx@godsell4.plus.com; Sun, 29 Jul 2007 00:05:00 +0000
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
     by smtp-in-78.livemail.co.uk (Postfix) with SMTP id D9F41558077
     for <xxxx@myukip.net>; Sun, 29 Jul 2007 00:04:59 +0000 (GMT)
Received: from p4FC4FF45.dip.t-dialin.net (p4FC4FF45.dip.t-dialin.net [79.196.255.69])
     by smtp-in-78.livemail.co.uk (Postfix) with ESMTP id 921F7558092
     for <xxxx@myukip.net>; Sun, 29 Jul 2007 00:04:59 +0000 (GMT)
Received: from [79.196.255.69] by actionshotmedia.com; Sun, 29 Jul 2007 00:05:04 -0100
Message-ID: <01c7d174$1d521a80$45ffc44f@aeronaut>
From: "Hilary Hobson" <aeronaut@actionshotmedia.com>
To: <xxxx@myukip.net>
Subject: US $ 129.95 Viagra 100mg x 60 pills
Date: Sun, 29 Jul 2007 00:05:04 -0100
MIME-Version: 1.0
Content-Type: text/plain;
     format=flowed;
     charset="Windows-1252";
     reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2527
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
X-Original-To: xxxx@myukip.net
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Sun Jul 29 00:05:00 2007
X-DSPAM-Confidence: 1.0000
X-DSPAM-Improbability: 1 in 98689409 chance of being spam
X-DSPAM-Probability: 0.0023
X-DSPAM-Factors: 27,
     Content-Type*charset="Windows, 0.40000,
     X-PN-VirusFiltered*MXCore, 0.40000,
     Subject*Viagra, 0.40000,
     100mg+x, 0.40000,
     Received*by+smtp, 0.40000,
     Received*by+smtp, 0.40000,
     Received*dialin.net, 0.40000,
     Received*dialin.net, 0.40000,
     Received*<xxxx+myukip.net>, 0.40000,
     Received*<xxxx+myukip.net>, 0.40000,
     X-MimeOLE*V6.00.2900.2527, 0.40000,
     Received*in, 0.40000,
     Received*in, 0.40000,
     Received*actionshotmedia.com, 0.40000,
     X-PN-VirusFiltered*MXCore+(v4.00), 0.40000,
     Received*myukip.net>, 0.40000,
     Received*myukip.net>, 0.40000,
     Received*p4FC4FF45.dip.t+dialin.net, 0.40000,
     30, 0.40000,
     Received*ESMTP, 0.40000,
     Received*filter+42a77884ce2a0a03efc6bb50a6dcdb21, 0.40000,
     X-MimeOLE*By, 0.40000,
     Received*pih+sunmxcore17.plus.net, 0.40000,
     Received*v2.00), 0.40000,
     Received*id+921F7558092, 0.40000,
     Received*D9F41558077, 0.40000,
     been, 0.40000

?

SW.


Title: Re: Training spam filter - any point?
Post by: mikeb on July 29, 2007, 01:07:01 pm
Today, is there something up with mxcore17 ?

Hmmm, well I'm not sure what the answer to the original question posed in the thread title is ... or indeed the one above ... but it seems fairly obvious to me that asking whether dspam is or is not doing what it should be, whether certain mx-cores are a bit 'suspect' or any similar style questions is just about as good as (http://www.twowheels.force9.co.uk/STUFF/SMILIES/headbang.gif)

Several times you (and others) have asked these questions and provided absolute evidence of something apparently dodgy going on ... and several times it has been completely ignored by those who do (or at least should) know exactly what's going on :(

Maybe you also need to set up a competition line in order to get some sensible looking potential answers ?  :evil:


Title: Re: Training spam filter - any point?
Post by: godsell4 on July 29, 2007, 03:46:53 pm

Yep, and another gets through on mxcore17, this time for Creative Suite.

Quote
X-Dspam-Factors:    27,
Received*mx2.nfrance.com, 0.40000, X-PN-VirusFiltered*MXCore, 0.40000, From*Townsend", 0.40000, adobe, 0.40000, X-PN-VirusFiltered*MXCore+(v4.00), 0.40000, Professional+$79, 0.40000, Received*from+[222.212.224.158], 0.40000, Received*from+[222.212.224.158], 0.40000, Received*2007+14, 0.40000, Received*2007+14, 0.40000, Received*weblogs, 0.40000, X-MimeOLE*By, 0.40000, Received*pih+sunmxcore17.plus.net, 0.40000, Received*v2.00), 0.40000, been, 0.40000, Date*0800, 0.40000, Message-ID*<01c7d1ee$5f6ed870$9ee0d4de+bradt>, 0.40000, X-MimeOLE*Produced, 0.40000, Subject*$89, 0.40000, Date*14, 0.40000, To*<weblogs+godsell4.plus.com>, 0.40000, adobe+8, 0.40000, Subject*Extended, 0.40000, Received*pih, 0.40000, 8+Professional, 0.40000, Content-Type*charset="iso+8859, 0.40000, Protection, 0.40000

Maybe somebody could admit a problem ... this is the open and honest, we never hide anything PN after all. :(

SW.


Title: Re: Training spam filter - any point?
Post by: godsell4 on July 29, 2007, 11:15:21 pm

And another one gets through on mxcore17, can't be @rsed to post the spam factors, safe to say all of them had spamicity values of 0.04. :(

SW.


Title: Re: Training spam filter - any point?
Post by: godsell4 on July 30, 2007, 12:11:23 pm

And another at 10:11 this morning, all through mxcore17.

I also had a message this morning, with *NO* DSpam factors ...

SW.


Title: Re: Training spam filter - any point?
Post by: KellyD on July 30, 2007, 01:08:17 pm
Have you guys seen any correctly marked spam from 15 or 17?


Title: Re: Training spam filter - any point?
Post by: godsell4 on July 30, 2007, 01:58:57 pm
I have been through the SPAM folder in 4 of my compromised accounts, at 05:40 today, mxcore15 has found SPAM, but mxcore17 has not.

SW


Title: Re: Training spam filter - any point?
Post by: jelv1 on July 30, 2007, 02:28:07 pm
I've just been looking at non-tagged spam - the majority is through sunmxcore17


Title: Re: Training spam filter - any point?
Post by: jelv1 on July 30, 2007, 02:39:22 pm
I've now checked the headers of over 100 tagged spam - none came through sunmxcore17


Title: Re: Training spam filter - any point?
Post by: jelv1 on July 30, 2007, 02:46:11 pm
Another 136 tagged spam checked - not a single one through sunmxcore17


Title: Re: Training spam filter - any point?
Post by: KellyD on July 30, 2007, 02:52:56 pm
Cheers Jelv


Title: Re: Training spam filter - any point?
Post by: KellyD on July 30, 2007, 02:59:03 pm
Ok, problem ID 45192 raised.


Title: Re: Training spam filter - any point?
Post by: jelv1 on July 30, 2007, 03:02:32 pm
Just checked for 15:

Code:
Envelope-to: xxx@yyy.plus.com
Delivery-date: Mon, 30 Jul 2007 12:59:19 +0000
Received: by pih-sunmxcore15.plus.net with spam-scanned (PlusNet MXCore v2.00) id 1IFUqE-0003gC-TV for xxx@yyy.plus.com; Mon, 30 Jul 2007 12:59:19 +0000
X-Daemon-Classification: SPAM
Received: from [58.232.49.134] (helo=samsung-9767a6d.hananet) by pih-sunmxcore15.plus.net with smtp (PlusNet MXCore v2.00) id 1IFUqA-00035Q-Im for xxx@yyy.plus.com; Mon, 30 Jul 2007 12:59:18 +0000
Message-ID: <000e01c7d2f4$e3b52060$00797eb4@samsung9767a6d>
From: Amado Pena <xjcathop@etuvefood.com>
To: xxx@yyy.plus.com
Subject: [-SPAM-] US $ 89.95 Price for Viagra 50mg x 30 pills
Date: Mon, 30 Jul 2007 21:59:23 +0900
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.2963
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1158
x-open-relay: 58.232.49.134 is in a black list at bl.spamcop.net
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Spam
X-DSPAM-Processed: Mon Jul 30 12:59:18 2007
X-DSPAM-Confidence: 0.8507
X-DSPAM-Improbability: 1 in 571 chance of being ham
X-DSPAM-Probability: 1.0000
X-DSPAM-Factors: 15, pills, 0.99691, Subject*$, 0.99484, Subject*US+$, 0.99476, 50mg, 0.99345, 10+pills, 0.99321, Subject*pills, 0.99317, buy+now, 0.99017, Subject*Viagra, 0.99000, Subject*50mg, 0.99000, Subject*for+Viagra, 0.99000, Url*cn, 0.99000, Subject*30+pills, 0.99000, X-MimeOLE*MimeOLE+V6.00.2800.1158, 0.99000, Subject*Viagra+50mg, 0.99000, Date*59+23, 0.99000



Title: Re: Training spam filter - any point?
Post by: bpullen on July 31, 2007, 08:45:37 am

And another at 10:11 this morning, all through mxcore17.

I also had a message this morning, with *NO* DSpam factors ...

Was it marked as [-SPAM-]? If so then it could be that Clam identified the email as spam and not DSpam.


Title: Re: Training spam filter - any point?
Post by: jelv1 on July 31, 2007, 09:10:37 am
Is sunmxcore17 an mx.last server? - if so we could remove our mx.last entry until such time as this is fixed (but of course if too many people do this it will increase the load on mx.core  :-( )


Title: Re: Training spam filter - any point?
Post by: godsell4 on July 31, 2007, 10:51:19 am
I also had a message this morning, with *NO* DSpam factors ...

Was it marked as [-SPAM-]?

No, it was not tagged with [-SPAM-].

SW.


Title: Re: Training spam filter - any point?
Post by: mikeb on July 31, 2007, 11:53:45 am
I meant to capture a graph similar to this the other day but unfortunately didn't quite get around to it.

(http://www.twowheels.force9.co.uk/TEMP/mail1.jpg)

In recent days, at least one of the servers (on both core and last) appears to have been under far more load than the rest.  These servers in particular also appear to have had some relatively dramatic downward changes in the number of messages being queued.  The example above shows one such event but I'm sure that I've seen graphs fairly recently showing repeated events like this.

Now I'm quite certain that there could be a perfectly reasonable explanation for this apparent strange behaviour (such as being taken off-line for receiving messages to allow the queue to reduce) but it strikes me that maybe someone or something has given the server a bit of a poke and messages could well have been dumped or delivered without spam checking or suchlike.  Could something like this possibly explain the messages being received with some default spam detection headers rather than actually being checked properly ?  I presume that PN know which line on the graphs relates to which server. Does the 'strange' looking line(s) correspond to the server(s) being reported as apparently acting up ?



Title: Re: Training spam filter - any point?
Post by: bpullen on July 31, 2007, 04:36:21 pm
Is sunmxcore17 an mx.last server? - if so we could remove our mx.last entry until such time as this is fixed (but of course if too many people do this it will increase the load on mx.core  :-( )

No it's not an mx.last server. The servers are distributed as such:

mx.core

09, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19

mx.last

01, 02, 03, 04, 05, 06, 07, 08, 20, 21, 22

Basically any server that starts with the naming convention 'fhw' is an mx.last server. Anything starting 'pih' is an mx.core server.

I also had a message this morning, with *NO* DSpam factors ...

Was it marked as [-SPAM-]?

No, it was not tagged with [-SPAM-].

Do you have the headers?

Now I'm quite certain that there could be a perfectly reasonable explanation for this apparent strange behaviour (such as being taken off-line for receiving messages to allow the queue to reduce) but it strikes me that maybe someone or something has given the server a bit of a poke and messages could well have been dumped or delivered without spam checking or suchlike.  Could something like this possibly explain the messages being received with some default spam detection headers rather than actually being checked properly ?  I presume that PN know which line on the graphs relates to which server. Does the 'strange' looking line(s) correspond to the server(s) being reported as apparently acting up ?

That's pih-sunmxcore15. The troughs in the line occur when our housekeeping guys remove stuck messages from the queue or clear a stuck process (normally caused by clam although we've seen less of these following recent upgrades).

Anyway, it seems that the Dspam database is not being updated. Turns out it's not just sunmxcore17 but some of the other servers as well. We're currently investigating why this is failing as the same script is being used to update the software on the remaining servers and is working fine.


Title: Re: Training spam filter - any point?
Post by: spraxyt on July 31, 2007, 05:21:37 pm

Now I'm quite certain that there could be a perfectly reasonable explanation for this apparent strange behaviour …
I presume that PN know which line on the graphs relates to which server. Does the 'strange' looking line(s) correspond to the server(s) being reported as apparently acting up ?

That's pih-sunmxcore15. The troughs in the line occur when our housekeeping guys remove stuck messages from the queue or clear a stuck process (normally caused by clam although we've seen less of these following recent upgrades). …

For clarification, what does "remove(ing) stuck messages from the queue" actually do?  Hopefully not dump them in the bin so that they never see the light of day again.

David


Title: Re: Training spam filter - any point?
Post by: bpullen on July 31, 2007, 05:50:25 pm
Yes, it does remove them completely. These are genuine stuck emails that will never be delivered though.

Imagine an example where a customer is using messagelabs to handle their mail. They also have our mx.last record in place. Spam is sent to the customer's primary mx but is rejected by messagelabs spam filtering. An attempt is then made to deliver via mx.last. mx.last then attempts to relay the mail to the primary mx record again but is rejected in the same fashion. Cue repeated attempts to send the email that will never be successful.

There are numerous scenarios but most of the stuck emails tend to involve a customer who has their mail server or mail provider configured in such a way that they are bouncing/relaying vast amounts of email across our platform.

I've been tasked to call some of these customers in the past as part of our routine housekeeping to educate them accordingly.

Clearing a stuck process just 'removes a blockage' and allows email through again.


Title: Re: Training spam filter - any point?
Post by: godsell4 on August 01, 2007, 08:34:56 am
Do you have the headers?

Bob,

I will try to find it again although I may have deleted it on sight/disgust.

More untagged spam this morning through mxcore17 !

SW.


Title: Re: Training spam filter - any point?
Post by: dusty_bin on August 01, 2007, 09:05:00 am
Not just 17 :(
a. ignoring some fairly obvious capitalised words in the title
b. largely ignoring the open relay listing
Code:
X-Daemon-Classification: INNOCENT
Envelope-to: *****@my****.plus.com
Delivery-date: Wed, 01 Aug 2007 05:17:53 +0000
Received: from [222.66.34.211] (helo=211.34.66.222.in-addr.arpa)
  by pih-sunmxcore15.plus.net with smtp (PlusNet MXCore v2.00) id 1IG6am-0006xJ-0E
  for *****@my****.plus.com; Wed, 01 Aug 2007 05:17:52 +0000
Message-ID: <001501c7d43e$5f296e00$0645fef4@bjf>
From: Rafael Norwood <yqinakeder@parismedispa.com>
To: *****@my****.plus.com
Subject: You can have a BIGGER P****!
Date: Wed, 1 Aug 2007 13:17:55 +0800
MIME-Version: 1.0
Content-Type: text/plain;
        charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.2969
x-open-relay: 222.66.34.211 is in a black list at bl.spamcop.net
X-PN-Spam-Filtered: by PlusNet MXCore (v3.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Wed Aug  1 05:17:55 2007
X-DSPAM-Confidence: 0.5521
X-DSPAM-Improbability: 1 in 124 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27,
Date*1+Aug, 0.01000,
Delivery-date*01+Aug, 0.01000,
Subject*You+can, 0.99000,
Date*Wed+1, 0.01000,
Received*01+Aug, 0.01000,
Date*Aug, 0.02361,
Delivery-date*Aug, 0.02695,
Received*Aug, 0.02695,
Delivery-date*17+53, 0.94421,
Date*1, 0.11007,
Subject*can, 0.88251,
Date*13+17, 0.13009,
Content-Type*charset="windows, 0.84956,
our+support, 0.16938,
questions, 0.19583,
Delivery-date*2007+05, 0.79768,
Click+Here, 0.20970,
x-open-relay*is+in, 0.78805,
x-open-relay*list+at, 0.78805,
x-open-relay*a+black, 0.78805,
x-open-relay*in+a, 0.78805,
x-open-relay*in, 0.78805,
x-open-relay*black, 0.78805,
x-open-relay*at+bl.spamcop.net, 0.78805,
x-open-relay*at, 0.78805,
x-open-relay*bl.spamcop.net, 0.78805,
x-open-relay*list, 0.78805


Title: Re: Training spam filter - any point?
Post by: Oldjim on August 01, 2007, 10:39:10 am
Confirm 17 is still missing everything but what happened to the block on viagra in the subject
Code:
Envelope-to: postmaster@****.plus.com
Delivery-date: Wed, 01 Aug 2007 04:37:33 +0000
Received:  by fhw-sunmxcore22.plus.net with spam-scanned (PlusNet MXCore v2.00) id 1IG5xZ-0002hL-66
  for postmaster@****.plus.com; Wed, 01 Aug 2007 04:37:25 +0000
X-Daemon-Classification: INNOCENT
Received: from 117.228.97-84.rev.gaoland.net ([84.97.228.117])
  by fhw-sunmxcore22.plus.net with smtp (PlusNet MXCore v2.00) id 1IG5xW-0002Y6-73
  for postmaster@****.plus.com; Wed, 01 Aug 2007 04:37:20 +0000
Message-ID: <001701c7d406$64877640$021d02ac@terminator>
From: Deandre Meadows <gcdthyroxine@celtica-sphynx.com>
To: postmaster@****.plus.com
Subject: Viagra (Sildenafil) 100mg x 10 pills $7.00 per pill buy now
Date: Wed, 1 Aug 2007 06:37:12 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_0014_01C7D406.64877640"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.1158
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Wed Aug  1 04:37:25 2007
X-DSPAM-Confidence: 0.6165
X-DSPAM-Improbability: 1 in 162 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27,
the+person, 0.00094,
"the, 0.00447,
mean+that, 0.00567,
technology+is, 0.99297,
failures, 0.00855,
failures, 0.00855,
good+to, 0.00901,
reach+the, 0.00960,
the+all, 0.00980,
are+affected, 0.01000,
artwork, 0.01000,
MOO, 0.99000,
Subject*buy, 0.99000,
executed, 0.01000,
computer+is, 0.99000,
computer+viruses, 0.01000,
which+sounds, 0.01000,
trained, 0.01000,
Date*37+12, 0.01000,
else+and, 0.01000,
up+their, 0.01000,
with+Jim, 0.01000,
to+computer, 0.01000,
by+hand, 0.01000,
creative+abilities, 0.99000,
It+seemed, 0.99000,
person+at, 0.01000



Title: Re: Training spam filter - any point?
Post by: godsell4 on August 01, 2007, 11:32:23 am

b. largely ignoring the open relay listing
Code:
x-open-relay*is+in, 0.78805,
x-open-relay*list+at, 0.78805,
x-open-relay*a+black, 0.78805,
x-open-relay*in+a, 0.78805,
x-open-relay*in, 0.78805,
x-open-relay*black, 0.78805,
x-open-relay*at+bl.spamcop.net, 0.78805,
x-open-relay*at, 0.78805,
x-open-relay*bl.spamcop.net, 0.78805,
x-open-relay*list, 0.78805


The spamicity value for all the above used to be higher, 0.95 or similar.


Title: Re: Training spam filter - any point?
Post by: godsell4 on August 01, 2007, 11:43:40 am
... what happened to the block on viagra in the subject
Code:
Envelope-to: postmaster@****.plus.com

Received:  by fhw-sunmxcore22.plus.net with spam-scanned (PlusNet MXCore v2.00) id 1IG5xZ-0002hL-66
  for postmaster@****.plus.com; Wed, 01 Aug 2007 04:37:25 +0000
Subject: Viagra (Sildenafil) 100mg x 10 pills $7.00 per pill buy now
Date: Wed, 1 Aug 2007 06:37:12 +0200


I had a similar message, same Subject that arrived via mxcore22. :(

Mine also had the spamcop listing in headers:
Code:
x-open-relay: 61.173.87.132 is in a black list at bl.spamcop.net

Which the DSpam ignored. :( It used ...
Quote
X-DSPAM-Improbability: 1 in 133 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27,
     can+we, 0.00366,
     activated, 0.00718,
     been+more, 0.99220,
     economic, 0.99125,
     alter, 0.00939,
     This+brings, 0.01000,
     This+brings, 0.01000,
     comprise+of, 0.01000,
     comprise+of, 0.01000,
     build+and, 0.01000,
     the+areas, 0.01000,
     Subject*buy, 0.99000,
     executed, 0.01000,
     against+<FONT, 0.01000,
     are+both, 0.01000,
     difference+in, 0.01000,
     technical+skills, 0.01000,
     example+is, 0.01000,
     will+attract, 0.01000,
     creative+abilities, 0.99000,
     book+to, 0.01000,
     biological, 0.99000,
     biological, 0.99000,
     voice+or, 0.01000,
     properties+and, 0.99000,
     artistic, 0.99000,
     the+program, 0.01000

SW.


Title: Re: Training spam filter - any point?
Post by: Oldjim on August 01, 2007, 12:22:15 pm
This is going back to very silly
Why didn't this block it outright
x-open-relay: 71.111.121.67 is in a black list at bl.spamcop.net
Code:
X-Kaspersky: Original server data starting here: +OK 3674 octets follow.
Envelope-to: *****.plus.com
Delivery-date: Wed, 01 Aug 2007 11:11:03 +0000
Received:  by fhw-sunmxcore20.plus.net with spam-scanned (PlusNet MXCore v2.00) id 1IGC6Y-0003WJ-SH
  for ****.plus.com; Wed, 01 Aug 2007 11:11:03 +0000
X-Daemon-Classification: INNOCENT
Received: from pool-71-111-121-67.ptldor.dsl-w.verizon.net ([71.111.121.67])
  by fhw-sunmxcore20.plus.net with esmtp (PlusNet MXCore v2.00) id 1IG55I-0000Nn-DP
  for *****.plus.com; Wed, 01 Aug 2007 03:41:16 +0000
From: "Messages" <udwfzqztbhv@verizon.net>
To: ****.plus.com
Subject: Fwd: Thank you, we are ready to lend you money regardless of Credit
Date: Thu, 2 Aug 2007 20:40:52 +0700
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_0005_01C7D545.6AC00FA0"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcfVRWrA5A2ufH6dRCOOBlqjwdz7uw==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Message-Id: <0ED8025062500D1.00F7CDC6FE@verizon.net>
x-open-relay: 71.111.121.67 is in a black list at bl.spamcop.net
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Wed Aug  1 11:11:03 2007
X-DSPAM-Confidence: 0.5215
X-DSPAM-Improbability: 1 in 110 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27,
Received*for+james, 0.00075,
Received*james, 0.00075,
To*james, 0.00109,
the+deal, 0.00370,
the+deal, 0.00370,
business+and, 0.00804,
Received*pool, 0.99113,
Received*from+pool, 0.99113,
give+your, 0.00901,
your+company, 0.00995,
like+or, 0.01000,
own+business, 0.01000,
Subject*Credit, 0.99000,
From*verizon.net>, 0.99000,
Date*52+0700, 0.99000,
name="GENERATOR">, 0.99000,
877, 0.01000,
Date*2007, 0.99000,
ATTACHED, 0.01000,
credit+history, 0.99000,
credit+history, 0.99000,
Date*Thu+2, 0.01000,
Us+&nbsp, 0.99000,
2912"+name="GENERATOR">, 0.99000,
expire, 0.01000,
or+need, 0.01000,
IMMEDIATE, 0.99000



Title: Re: Training spam filter - any point?
Post by: mikeb on August 01, 2007, 12:39:26 pm
... but what happened to the block on viagra in the subject

I hate spam just as much as the next man and perhaps moreso than most having been totally spam-free for ~10 years up to 13th May but, I'm sorry to say, I hate the principle of mandatory delete on receipt filtering significantly more :( 

I know this is an extreme view so no flames please just rational comment if felt appropriate but it really is (or at least could so easily become) effective censorship of private(ish) messages IMHO.  It is certainly exactly what happens now with various other ISPs & e-mail service providers and I find it totally unacceptable despite the fact that it rarely affects me personally. First line filtering reviews all incoming messages for subject & content etc. and then only accepts/delivers those messages which the service provider deems 'acceptable'. In many (if not most) cases the user isn't even made aware that messages could be let alone have been deleted and/or prevented from reaching them in one way or another for one reason or another.  The whole business of accepting but then quietly dumping 'unacceptable' messages is quite simply outrageous in all respects regardless of reason.

The point is that everything along these lines is being done completely behind customers' backs. In general, customers have no idea what content is being filtered, what sources are being filtered or why such action is considered 'reasonable' and they have no choice (other than going elsewhere) but to accept the service provider's view of what is 'acceptable'. Any mistakes (and there are always mistakes - sometimes very BIG mistakes as I have described in detail previously) take ages to discover and even longer to resolve.  Should a service provider really be in a position to dictate what a paying customer can and cannot receive by e-mail ?

I can totally understand (and in general accept) filtering of such blatantly obvious spam such as messages containing terms like W****C** and M***D** but where exactly do you draw the line ?  Do you then filter V****A on the principle that 99.9% of peeps don't want messages containing this term but completely ignore the very small number of peeps who might do for professional or genuine medical reasons ?  Or what about Adobe because I personally hate absolutely everything Adobe and don't ever want to receive any marketing info on any of their products - should that be filtered to suit me and to hell with everyone else ?  Or maybe all 'naughty' words or references to body parts various should be filtered just in case the message could reach a child ?  Perhaps anything containing possible terrorist terms or any other potentially illegal or dodgy stuff should also be filtered but forwarded directly to the Police instead of being deleted ?  Definitely NOT a bad idea in principle but ... 

Taken to a ridiculous and unlikely-to-ever-happen extreme, an ISP could 'accidentally' list a competitor if they were aware that said competitor was making serious attempts to lure customers away by contacting them directly in a genuine, valid and generally speaking acceptable (albeit slightly dodgy) way.  BT spammed me silly on all my F9/PN accounts without any authority whatsoever a while back - what if it had been another_ISP.com with some very tempting offers specifically targeting existing PN users, would PN have been quite so 'happy' about it and have allowed it to continue ad-infinitum ?  I think perhaps not and TBH you probably couldn't blame them for not being happy either !

Apart from the fact that keyword filtering is next to useless long-term and is ultimately doomed to failure IMO, am I the only one round here who sees it as a kinda useful but *very* dangerous tool that could well turn into a monster ?  Analysis and creeping censorship of incoming mail is not something that I am in any way happy to accept lying down unless it is entirely optional and it is implemented 'correctly' by which I mean formally rejecting filtered messages rather than dumping them some time after receipt.

I very much welcome anything that reduces the volume of blatant spam received but it would appear that there are some rather basic principles here that are in grave danger of being trampled on in the rush to 'resolve' spam issues by taking the 'easy' route rather than the 'right' route ;)

What seems clear to me from the various posts in this thread is that there are some very fundamental problems with dspam. However, what concerns me is what if those fundamental problems were resulting in over-aggressive filtering rather than missing relatively obvious spam and it was occurring at the mandatory and unannounced level. How much genuine mail are users prepared to lose in their quest to reduce their spam ?

BTW, it very much looks like the spammers are back from their hols and normal(ish) service has resumed :(


Title: Re: Training spam filter - any point?
Post by: spraxyt on August 01, 2007, 01:19:24 pm
It strikes me that the mail-server email processing policies and procedures could make an ideal subject for the next Policies and Procedures topic to be added to the Portals at Help & Support > (vISP) Service > Policies.

What do others think?

David


Title: Re: Training spam filter - any point?
Post by: godsell4 on August 01, 2007, 01:36:51 pm
I hate the principle of mandatory delete on receipt filtering significantly more :( 

I think the scheme is to automatically tag with [-SPAM-] rather than to delete the message.

SW.


Title: Re: Training spam filter - any point?
Post by: godsell4 on August 01, 2007, 01:41:28 pm

The only messages auto spam and tagged are described in http://community.plus.net/comms/2007/07/17/emailspam-deliverables-update-part-ii/

And the list is short:
Quote
At the moment we’re blocking any email containing one or more of the following text strings in the subject line:

^.*wondercum.*
^.*MegaDik.*
^.*WonderCum.*
^.*Wondercum.*


Title: Re: Training spam filter - any point?
Post by: Penny on August 01, 2007, 01:43:14 pm
... but what happened to the block on viagra in the subject

I hate spam just as much as the next man and perhaps moreso than most having been totally spam-free for ~10 years up to 13th May but, I'm sorry to say, I hate the principle of mandatory delete on receipt filtering significantly more :( 

I know this is an extreme view so no flames please just rational comment if felt appropriate

I'm not altogether sure I disagree with you, actually, Mike.

Most of you here will remember the "mail avalanche (http://usergroup.plus.net/forum/index.php/topic,3915.0.html)" thread of 20061206 onwards, when happychild was getting 5000+ spams a day and I couldn't get into the mailbox at all (for about a month so I guess 150,000 e-mails in the box by then).

PlusNet helped out wonderfully in the end, and everything got sorted.  The point of posting now, though, is that as far as I'm aware that spam level (has) never stopped. *but* my mail is currently manageable without PN having to do anything to it at all.

Relevant steps taken:
(1) specific mailboxes set up as per jelv's plain-English guide at http://usergroup.plus.net/forum/index.php/topic,3915.msg48834.html#msg48834
(2) "default" (ie all the rest) blackholed by Force 9.

Yes I get a percentage of spam in the existing mailboxes - but I could avoid that spam entirely (much of it siphoned off by Squirrel Mail [step 3] in any case as per jelv's instructions at http://usergroup.plus.net/forum/index.php/topic,4869.msg63379.html#msg63379 ) by deleting the affected mailboxes and advising people of a change-of-address.

I know everyone's usernames got compromised in the webmail fiasco but (apart from the tedium of having to go through steps 1, 2 and 3 above to largely-sort the spam factor) it's largely sortable without draconian measures at the ISP mail-receipt level.

The only other related possibilities that occur to me are:
(a) replace "postmaster@" by "PN-group-comms" as the default route for PN-communications (meaning that there doesn't have to be an over-riding postmaster@ route into one's mail).
(b) perhaps create an overall "black-list" (ISP-generated) for integration within SquirrelMail, such that individual users can tick the box (or otherwise) for exclusion of certain items (be they related to "adult products" or spamcop blacklists or whatever else).
(c) offer alternative addresses/usernames where required (I believe the free domains or whatever are helping in this regard).

I know it's a massive inconvenience to have to either set up 1/2/3 on any account, or to have to change username/address entirely, but if the end result is either largely-spam-free-mail without block-ISP-intervention, or renewed privacy through having a wholly-new username/address set-up, possibly worth the aggravation.

Regards,

Penny.

ps. sorry, out of time but will come back and link in the xxxx items to jelv's plain-English instructions, whenever I can get back here.
... later ... edits now made.


Title: Re: Training spam filter - any point?
Post by: mikeb on August 01, 2007, 02:55:51 pm
I think the scheme is to automatically tag with [-SPAM-] rather than to delete the message.

You may well be right (and I very much hope so) but the comment I responded to was apparently suggesting that V****A should be on the list for subject: keyword filtering - implying mandatory filtering and possible deletion on receipt rather than action by dspam or similar.  Taking a wander round forums various, there is no shortage of peeps suggesting (if not 'demanding') an extensive list of what they consider 'inappropriate' keywords.  I fully understand why some users may have a desire to see such lists implemented and I totally respect their right to request a solution that suits their particular needs ... I just don't believe that any such filtering should be done in the half-@rsed way that it appears could be the case (i.e. by not rejecting stuff on receipt but simply dumping it afterwards) and I certainly don't believe that it should be mandatory for all users.  Having said that, I am aware that messages with a subject containing the terms in the following quote are actually rejected (or were when I last checked) although some official looking comments I've seen suggest more of a silent delete approach. I must say that I believe PN appear to be taking a sensible attitude with regards to keywords so far but there does seem to be a large(ish) number of peeps wanting more.  It would be very easy to wander into what I believe is dodgy territory for the sake of a quiet life !

Quote
And the list is short:
Quote
At the moment we’re blocking any email containing one or more of the following text strings in the subject line:

^.*wondercum.*
^.*MegaDik.*
^.*WonderCum.*
^.*Wondercum.*

Yup, apparently so. But firstly the relevant words in that statement are "at the moment" and secondly, there is no real shortage of variations on those two terms specifically which either are or will shortly be used by Mr.Spammer. In addition to that, Mr.Spammer soon moves on to using other terms and in any case, it is incredibly easy to produce a 100% kosher looking message (no matter how you test it) that is in fact 100% spam and serves exactly the same purpose as those blatantly advertising W*****C** or M***D** etc.  I have several inboxes (not so) slowly filling up with such messages today alone. In fact more received today than in total over the previous 3 days :(  Keyword filtering can only work in the short term and it WILL ultimately be defeated - it's simply a matter of time.  I wouldn't mind betting that the list of terms has been increased since it was first published, it's a full time job keeping a keyword search list updated in my albeit limited experience !


Title: Re: Training spam filter - any point?
Post by: bpullen on August 02, 2007, 08:54:28 am
Quote
And the list is short:
Quote
At the moment we’re blocking any email containing one or more of the following text strings in the subject line:

^.*wondercum.*
^.*MegaDik.*
^.*WonderCum.*
^.*Wondercum.*

Yup, apparently so. But firstly the relevant words in that statement are "at the moment" and secondly, there is no real shortage of variations on those two terms specifically which either are or will shortly be used by Mr.Spammer.

I couldn't agree more about the statements regarding keyword content filtering - IMO it's a bit of a dirty way of doing things and its effectiveness is questionable. We have no immediate plans to extend this list, which was primarily to address the plethora of complaints that emails containing the above terms were still getting through. Emails advertising these products seem to have been a direct result of the Webmail security breach.


b. largely ignoring the open relay listing
Code:
x-open-relay*is+in, 0.78805,
x-open-relay*list+at, 0.78805,
x-open-relay*a+black, 0.78805,
x-open-relay*in+a, 0.78805,
x-open-relay*in, 0.78805,
x-open-relay*black, 0.78805,
x-open-relay*at+bl.spamcop.net, 0.78805,
x-open-relay*at, 0.78805,
x-open-relay*bl.spamcop.net, 0.78805,
x-open-relay*list, 0.78805


The spamicity value for all the above used to be higher, 0.95 or similar.

I'll question this and report back once I've a response.

Confirm 17 is still missing everything but what happened to the block on viagra in the subject

We've never blocked emails containing viagra in the subject line. BTW we're hoping the problem with sunmxcore17 should have been fixed following some work that was carried out this morning.

I would appreciate it if people could keep their eyes peeled and let me know if they're still receiving emails with the default Dspam scores via this server.


Title: Re: Training spam filter - any point?
Post by: quaint1 on August 02, 2007, 09:19:30 am
My inboxes have received more spam overnight than ever before! I can't be alone in this.

There must be something wrong in the way that the PN spam checkers are configured. According to reports on this thread, there are several examples of apparently much more successful filtering software than that currently implemented by PN.

BTW, I also agree that subject filtering is not really the way to go but I do appreciate not seeing the 4 'words' that are being filtered.





Title: Re: Training spam filter - any point?
Post by: KellyD on August 02, 2007, 04:04:38 pm
My inboxes have received more spam overnight than ever before! I can't be alone in this.

Are they being delivered unmarked as spam?  (I.e. with [SPAM] in the subject?)


Title: Re: Training spam filter - any point?
Post by: quaint1 on August 02, 2007, 04:29:03 pm
Hi KellyD

Yes, that was the point!  If they had been marked as -SPAM- they would not have been downloaded.

Also, I have just received an untrapped email  with wonderc## in the subject.  This is supposed to be one of the four blocked words!

Any ideas as to what has changed at the PN email 'works' recently?

Many thanks

Ian


Title: Re: Training spam filter - any point?
Post by: godsell4 on August 02, 2007, 04:31:43 pm

And now to add to the amusement, mxcore14 is using spamicity values of 0.04 for everything just as mxcore17 has been. :(

Quote
Envelope-to: xxx@yyy.plus.com
Delivery-date: Thu, 02 Aug 2007 07:51:21 +0000
Received: by pih-sunmxcore14.plus.net with spam-scanned (PlusNet MXCore v2.00) id 1IGVSq-0006fN-Au
     for xxx@yyy.plus.com; Thu, 02 Aug 2007 07:51:20 +0000
X-Daemon-Classification: INNOCENT
Received: from [221.224.191.126] (helo=126.191.224.221.broad.sz.js.dynamic.163data.com.cn)
     by pih-sunmxcore14.plus.net with esmtp (PlusNet MXCore v2.00) id 1IGTSS-00037c-O5
     for xxx@yyy.plus.com; Thu, 02 Aug 2007 05:42:50 +0000
Received: from [221.224.191.126] by cheap-dui-lawyer.com; Thu, 2 Aug 2007 05:42:45 -0800
Message-ID: <01c7d4c7$f3c2d180$7ebfe0dd@aj>
From: "Sandy Paulson" <aj@cheap-dui-lawyer.com>
To: <xxx@yyy.plus.com>
Subject: Rolex Watches
Date: Thu, 2 Aug 2007 05:42:45 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
     boundary="----=_NextPart_000_0007_01C7D50B.01E61180"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Thu Aug 2 07:51:20 2007
X-DSPAM-Confidence: 1.0000
X-DSPAM-Improbability: 1 in 98689409 chance of being spam
X-DSPAM-Probability: 0.0023
X-DSPAM-Factors: 27,
     X-PN-VirusFiltered*MXCore, 0.40000,
     equiv=Content+Type, 0.40000,
     From*"Sandy Paulson" <aj@cheap-dui-lawyer.com>, 0.40000,
     AND+MORE, 0.40000,
     AND+MORE, 0.40000,
     CARTIER, 0.40000,
     CARTIER, 0.40000,
     Url*cn, 0.40000,
     size=6>EXQUISITE+REPLICA, 0.40000,
     From*dui, 0.40000,
     2800, 0.40000,
     X-PN-VirusFiltered*MXCore+(v4.00), 0.40000,
     1106", 0.40000,
     ROLEX, 0.40000,
     ROLEX, 0.40000,
     Message-ID*aj>, 0.40000,
     Received*weblogs, 0.40000,
     X-MimeOLE*By, 0.40000,
     message, 0.40000,
     size=6>&nbsp, 0.40000,
     Received*v2.00), 0.40000,
     size=6>&nbsp+ROLEX, 0.40000,
     MORE, 0.40000,
     MORE, 0.40000,
     VISIT, 0.40000,
     been, 0.40000,
     been, 0.40000

SW.
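
The header check being done by eye in this thread can be automated; the following is an added example, not part of any post and not PlusNet's own tooling. It groups messages by the server named in the topmost Received header, flags factor lists where every token carries one identical value (the "default" scoring shown above) and counts messages that carry an x-open-relay header yet were classed Innocent. The sample headers are constructed, and treating "all factors identical" as the default-score signature is an assumption drawn from the mxcore14 headers.

```python
import re
from collections import defaultdict
from email import message_from_string

# Constructed sample headers modelled on those quoted in this thread.
# Addresses use documentation ranges; ids, tokens and values are made up.
SAMPLES = [
    # Every factor carries the same value: the "default" scoring.
    """\
Received: by pih-sunmxcore14.plus.net with spam-scanned (PlusNet MXCore v2.00) id SAMPLE-A2
     for user@example.plus.com; Thu, 02 Aug 2007 07:51:20 +0000
Received: from [192.0.2.10] (helo=host-a.example)
     by pih-sunmxcore14.plus.net with esmtp (PlusNet MXCore v2.00) id SAMPLE-A1
     for user@example.plus.com; Thu, 02 Aug 2007 05:42:50 +0000
X-DSPAM-Result: Innocent
X-DSPAM-Factors: 4,
     ROLEX, 0.40000,
     AND+MORE, 0.40000,
     From*"A, B" <a@host-a.example>, 0.40000,
     VISIT, 0.40000

body
""",
    # Properly scored, blacklist header present, still classed Innocent.
    """\
Received: from [192.0.2.20] (helo=host-b.example)
  by pih-sunmxcore15.plus.net with smtp (PlusNet MXCore v2.00) id SAMPLE-B1
  for user@example.plus.com; Wed, 01 Aug 2007 05:17:52 +0000
x-open-relay: 192.0.2.20 is in a black list at bl.spamcop.net
X-DSPAM-Result: Innocent
X-DSPAM-Factors: 3,
  Subject*Sample, 0.99000,
  Date*Aug, 0.02361,
  x-open-relay*bl.spamcop.net, 0.78805

body
""",
    # Properly scored and classed Spam: nothing to flag.
    """\
Received: from [198.51.100.7] (helo=host-c.example)
  by fhw-sunmxcore22.plus.net with smtp (PlusNet MXCore v2.00) id SAMPLE-C1
  for user@example.plus.com; Wed, 01 Aug 2007 04:37:20 +0000
x-open-relay: 198.51.100.7 is in a black list at bl.spamcop.net
X-DSPAM-Result: Spam
X-DSPAM-Factors: 2,
  Subject*buy, 0.99000,
  Click+Here, 0.95000

body
""",
]

COUNT = re.compile(r"^\s*\d+\s*,")                        # leading "27,"
FACTOR = re.compile(r"\s*(.+?),\s*([01]\.\d+)\s*(?:,|\Z)", re.S)
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def parse_factors(header_value):
    """Return [(token, probability)] from an X-DSPAM-Factors value.

    Tokens may themselves contain commas, so each entry is delimited by
    the trailing ", <number>" rather than by splitting on commas.
    """
    body = COUNT.sub("", header_value, count=1)
    return [(tok.strip(), float(p)) for tok, p in FACTOR.findall(body)]


def receiving_server(msg):
    """Host after 'by' in the topmost (most recently added) Received header."""
    received = msg.get_all("Received") or []
    match = BY_HOST.search(received[0]) if received else None
    return match.group(1) if match else "unknown"


def check_message(raw):
    msg = message_from_string(raw)
    values = [p for _, p in parse_factors(msg.get("X-DSPAM-Factors", ""))]
    innocent = msg.get("X-DSPAM-Result", "").strip().lower() == "innocent"
    return {
        "server": receiving_server(msg),
        # Assumption: one identical value on every token means the
        # token database was not consulted for this message.
        "default_scored": len(values) > 1 and len(set(values)) == 1,
        "listed_but_innocent": innocent and msg.get("x-open-relay") is not None,
    }


def audit(raw_messages):
    """Per-server counts of messages and of the two warning conditions."""
    summary = defaultdict(
        lambda: {"messages": 0, "default_scored": 0, "listed_but_innocent": 0})
    for raw in raw_messages:
        result = check_message(raw)
        row = summary[result["server"]]
        row["messages"] += 1
        row["default_scored"] += result["default_scored"]
        row["listed_but_innocent"] += result["listed_but_innocent"]
    return dict(summary)


if __name__ == "__main__":
    for server, row in sorted(audit(SAMPLES).items()):
        print(server, row)
```

Run over a mailbox of untagged spam, a server whose default_scored count tracks its message count is the one to report.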


Title: Re: Training spam filter - any point?
Post by: godsell4 on August 02, 2007, 04:37:53 pm
BTW we're hoping the problem with sunmxcore17 should have been fixed following some work that was carried out this morning.

Yep, mxcore17 is now checking messages ... it is also the creator of the 1st false-positive in a long time. :(

To take its place, mxcore14 is now using 0.04 default values.

SW.


Title: Re: Training spam filter - any point?
Post by: bpullen on August 02, 2007, 05:22:57 pm

And now to add to the amusement, mxcore14 is using spamicity values of 0.04 for everything just as mxcore17 has been. :(

Thanks for the feedback. I'll get it re-raised.

Edit: OK, the update job ran 30 mins after this email arrived at sunmxcore14 so it shouldn't be happening now. I'd be interested if you've any examples from after 7:00am.

Another Edit: Just sent a test email via mxcore14 and it's still happening  :x


Title: Re: Training spam filter - any point?
Post by: jelv1 on August 03, 2007, 10:51:42 am
It's happening again this morning - same server.

See post on Community (http://community.plus.net/forum/index.php?topic=454.new#new)


Title: Re: Training spam filter - any point?
Post by: jelv1 on August 03, 2007, 11:25:14 am
I seem to have made a difference in the amount of spam being received on one of my domains. I've added a Priority 30 record pointing to one of the London servers which does not accept connections on port 25. I've just looked at the tagged spam where I have several to @username.plus.com but none to the domain.

It looks like this idea may be worth following up.


Title: Re: Training spam filter - any point?
Post by: bpullen on August 03, 2007, 11:35:38 am
It's happening again this morning - same server.

See post on Community (http://community.plus.net/forum/index.php?topic=454.new#new)

We're still investigating John.


Title: Re: Training spam filter - any point?
Post by: godsell4 on August 03, 2007, 01:24:06 pm

Another Edit: Just sent a test email via mxcore14 and it's still happening  :x


Still getting these via mxcore14 today. :(

Is this the same problem as happened on mxcore17 ?

SW.


Title: Re: Training spam filter - any point?
Post by: terminal on August 03, 2007, 10:39:32 pm
Is anyone else seeing an increase in false positives? In the last week I have had emails from game.co.uk, play.com, softuk.com, roxio.com and dabs.com - all well known purveyors of spam, not!

Yet offers to buy adobe products, watches, viagra and various other pills are getting through.


Title: Re: Training spam filter - any point?
Post by: jelv1 on August 03, 2007, 10:53:18 pm
Regarding the missed spam, check the headers - I bet most of them have come through sunmxcore14.


Title: Re: Training spam filter - any point?
Post by: terminal on August 04, 2007, 03:27:42 pm
Another false positive, this time from amazon.co.uk. This is getting beyond a joke.


Title: Re: Training spam filter - any point?
Post by: bpullen on August 04, 2007, 03:30:18 pm
Is this the same problem as happened on mxcore17 ?

Yes I think so, but why it's happening we're still investigating I'm afraid. I should be able to provide an update on Monday.


Title: Re: Training spam filter - any point?
Post by: quaint1 on August 04, 2007, 03:52:39 pm
I had a false positive from Amazon UK a while ago but not recently :-).  Wonder if this is another random MXcore specific issue.



Title: Re: Training spam filter - any point?
Post by: mikeb on August 05, 2007, 12:24:57 am
(http://www.twowheels.force9.co.uk/TEMP/spam5.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.

After 12 weeks of (http://www.twowheels.force9.co.uk/STUFF/SMILIES/headbang.gif) I really can't be @rsed to analyse or guess any more so please draw your own conclusions.


Title: Re: Training spam filter - any point?
Post by: bpullen on August 07, 2007, 04:42:53 pm

Another Edit: Just sent a test email via mxcore14 and it's still happening  :x


Still getting these via mxcore14 today. :(

Is this the same problem as happened on mxcore17 ?

The problem with mxcore14 should be resolved now too so I'd appreciate any feedback supporting or disproving this.


Title: Re: Training spam filter - any point?
Post by: godsell4 on August 07, 2007, 05:07:10 pm

I had an untagged Viagra message at 10:12 this morning, Tuesday August 7th. Is this before or after the issue was fixed?

SW.


Title: Re: Training spam filter - any point?
Post by: bpullen on August 07, 2007, 05:13:42 pm
After.

I believe we fixed the problem at about 4:30pm this afternoon. The Dspam database on sunmxcore14 was corrupted. We've replaced it with a copy from another server, and will check tomorrow to make sure it's updated normally.


Title: Re: Training spam filter - any point?
Post by: godsell4 on August 08, 2007, 01:55:53 pm

OK, so it now seems mxcore14 is working correctly.  :-D

But now ... mxcore21 seems to be the weakest link. :( It has let through a couple of messages that it should not and I can see similar messages being tagged correctly by the other servers.

Is the DSpam database on mxcore21 'the latest' and same as the others ?

SW.


Title: Re: Training spam filter - any point?
Post by: bpullen on August 08, 2007, 03:22:26 pm
But now ... mxcore21 seems to be the weakest link. :( It has let through a couple of messages that it should not and I can see similar messages being tagged correctly by the other servers.

Aaarrrrrgh  :cry:

Do the headers have the default 0.4 Dspam scoring?


Title: Re: Training spam filter - any point?
Post by: jelv1 on August 08, 2007, 03:39:50 pm
I've just had one I would have hoped would have been tagged through that server. It DIDN'T have the default scores.


Title: Re: Training spam filter - any point?
Post by: bpullen on August 08, 2007, 04:20:25 pm
Which would suggest a different problem to a certain degree. I'm looking into why seemingly similar emails are marked by some servers but not others as a separate issue.

Edit: Ok, after a bit of further digging Riz has uncovered the following...

  • The training script runs each night, however the database time stamps on all servers are different sometimes with days difference.
  • Some servers did not have the correct scripts installed to train dspam from the correct mail sources.
  • Some servers were still trying to mount the old Storagetek which at times was causing the script to hang and prevent any future training.

All the above have been fixed and we're looking at streamlining the way the spam training/updates are done.

Please do let me know if you see inconsistencies between the servers again.


Title: Re: Training spam filter - any point?
Post by: MauriceB on August 08, 2007, 05:21:15 pm
Whilst you're checking Bob - you might like to take a look at Problem ID: 22511189 a simple message with attachment marked as SPAM via PlusNet but not via my alternative email route?  Support response is 'Baffled why this is marked as SPAM......'

M


Title: Re: Training spam filter - any point?
Post by: godsell4 on August 10, 2007, 09:02:22 am

No SPAM today ... Thank You.

In fact this is the 2nd morning in a row where there has been no untagged SPAM in my mailbox.

 8-)

SW.


Title: Re: Training spam filter - any point?
Post by: mikeb on August 12, 2007, 11:53:18 pm
This week's data. Curiouser and curiouser cried Alice  :|

(http://www.twowheels.force9.co.uk/TEMP/spam6.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.


Title: Re: Training spam filter - any point?
Post by: Oldjim on August 13, 2007, 05:16:20 pm
just been looking at my postmaster spam folder - everything correctly identified - and I found this one. I would never have expected it to be picked up as spam. I am impressed.
Quote
X-DSPAM-Factors: 15,
     technology+this, 0.00824,
     based+scientific, 0.99000,
     Date*11+0900, 0.99000,
     Arial"+size=2>The, 0.99000,
     five+senses, 0.99000,
     facilitates+Additionally, 0.99000,
     artist+like, 0.99000,
     whole+picture, 0.99000,
     literacy+the, 0.99000,
     INTERNET+imagination, 0.99000,
     your+five, 0.99000,
     flourish+as, 0.99000,
     2600+181", 0.99000,
     design+aid, 0.99000,
     There+needs, 0.01000
Just to add this is the text in the message
Quote

prevalent.  Children are using it at a younger age, starting in software to provide
me with any assistance. I work with other However, Live Aid has decynicised him to
an extent.  Billy are not able to explore a locale with your five senses. It is
our work environment, we are being controlled by the systems safe  environment is
quiet real. The obsservation by Kate Bush, INTERNET, imagination will flourish as
they try to grasp the him/her at many different levels.  There needs to be an
awareness
cohesion of information from all the countries of the world.  In man, who says,
"Computers will never take over good old hard work talk on how important it is!" He
had been impressed by the to society as it trains, educates, facilitates.
Additionally, VR
individual designer and his/her original vision. The fact is if literacy, the
concept of a bona-fide-computer-based scientific things I had not imagined possible
before. I don't suppose Adrian tree realistically on canvas  who were dismayed at
the idea that


Title: Re: Training spam filter - any point?
Post by: mikeb on August 21, 2007, 04:16:34 am
Sorry, a bit late on parade but here's last week's spam stats.  Was far too busy enjoying mucho loud music, a jolly fine array of real ales various and a variety of culinary delights to even think about chopped ham and pork based products
(http://www.twowheels.force9.co.uk/STUFF/SMILIES/bigdrink.gif) and :clap: being way better than  :spam:

Mind you, as a suitable penalty for seriously enjoying these sins, it's just taken me almost 45 mins to sort all the end-of-last-week spammy delights out  :cry2:

(http://www.twowheels.force9.co.uk/TEMP/spam7.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.

It's getting more and more strange as time goes on. Even the random spam volume which has never decreased by any significant amount in years and always exhibited a steadily increasing trend has now become as inconsistent as the recently acquired targeted spam volume. Definitely very, very strange that these apparent changes just somehow appear to coincide with mail platform changes and so on ...

... wanders off very confused  :? as to why it's all cold and dark outside, thinking that just maybe he should be in bed rather than having recently woken up after going for "just a couple of hours" kip this afternoon and not to mention fighting this strangely curious craving for ale/munchies or whacking the stereo up to 11 but settles for adopting a 'who cares' attitude so heads off to the fridge to forage for anything remotely edible and/or drinkable before finding the decent headphones anyway  !!
:cheers:

PS: Where have all these rather nice shiny new smilies come from - I dunno, I turn my back for like 5 mins and a shedload appear as if by magic. 

Normal service will (possibly) return when reality settles in but until then :crazy:


Title: Re: Training spam filter - any point?
Post by: mikeb on August 21, 2007, 04:19:27 am
Erhm, this was an edit that turned into a reply for some odd reason (but most likely due to mouse/finger/eye coordination issues after a period of not using same) so has been deleted


Title: Re: Training spam filter - any point?
Post by: quaint1 on August 21, 2007, 02:50:42 pm
Thanks again Mikeb, was wondering where the stats had gone.  Glad you enjoyed a debauched weekend. :-D

Is it a coincidence but I have had almost* nil undetected spam across seven mailboxes for several days now.  Could it be that PN have got their mxcores all singing from the same (and effective) song sheet, or is it just the reduced volume overall that your stats are showing?

Hope it's the former. Thanks to all you guys who pointed PN in the, hopefully, right direction.

Any way, it's nice to have a virtually spam free mail system again.

* Just one offer of a PhD got through.



Title: Re: Training spam filter - any point?
Post by: Oldjim on August 21, 2007, 04:15:20 pm
Only one got through which asked me to verify my login for the bartenders guide.
When I clicked on the link which was a url it took me to another page which asked me to download a graphic component to view the window. right clicked on it and checked properties - it was an exe file at which point I had two options save it as a file and see what my security package thought of it or delete the email. so I deleted it.


Title: Re: Training spam filter - any point?
Post by: mikeb on August 22, 2007, 10:39:18 am
Could it be that PN have got their mxcores all singing from the same (and effective) song sheet, or is it just the reduced volume overall that your stats are showing?

Hope it's the former. Thanks to all you guys who pointed PN in the, hopefully, right direction.

Incoming/unfiltered targeted spam seems to be at an all time low so far this week (famous last words and all that) although it is getting more and more inconsistent across multiple accounts. Up until quite recently, all compromised addresses/mboxes/accounts were receiving a pretty much identical volume although certainly not identical messages. However, there is a large disparity developing this week in particular with the most spammed being 3x the least spammed. It may also be interesting to note that my F9 addresses are consistently receiving more spam than PN addresses. Random spam appears to be around the expected level, it's just targeted spam to the recently compromised addresses that is very much reduced.

The shiny new kit was only introduced again this morning (if it did actually happen and is now being used in anger, of course) so it's not that causing the apparent significant reduction to date. It's down to either the mandatory PN filtering on receipt or the spammers not sending the stuff out as it was the last time there was a huge reduction in volume.

I guess we're looking at seeing a significant reduction this week and quite likely a sharp increase next week as the d@mn spammers change tactics again to defeat whatever it is that has been blocking their crap :(

Edited to add:

The shiny new kit is live and working as I have a small number of messages with the new header.

Do I get the impression that this new kit is now checking the validity of existing routing headers on receipt (like I mentioned ages back would be a real good idea) or is it just coincidence that the messages I have also happen to have forged routing headers ?

Do I also get the impression that only mail received via mx-core passes through this new kit ?  If so that seems a bit strange seeing that PN always appear to claim that most spam comes in via mx-last and therefore most messages on mx-last are spam.

[homer_simpson]
No beer ale and no TV music makes homer mikeb go ... something, something  :cry:
[/homer_simpson]


Title: Re: Training spam filter - any point?
Post by: mikeb on August 26, 2007, 12:38:00 am
Here's last week's spam stats.  An unexplained all time low for targeted spam to the recently compromised addresses - in fact several days with no spam at all on some addresses !  The figures have also, no doubt, been affected by the e-mail problems on Wednesday.  I lost somewhere around 75% of genuine mail on Wednesday and the random spam volume is also significantly reduced from that which could reasonably have been expected for the day. Only 6 messages had the extra header added by the new kit.

(http://www.twowheels.force9.co.uk/TEMP/spam8.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.


Title: Re: Training spam filter - any point?
Post by: mikeb on September 02, 2007, 01:27:08 am
Here's last week's spam stats.  No surprise that volume rose from the all time low of the previous week but not by anything close to as much as I was expecting TBH. The majority of the increase was down to image spam plus what seems to be a growing trend for complete gibberish text in the subject line.

(http://www.twowheels.force9.co.uk/TEMP/spam9.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.


Title: Re: Training spam filter - any point?
Post by: mikeb on September 09, 2007, 12:24:11 am
Here's last week's spam stats.

(http://www.twowheels.force9.co.uk/TEMP/spam10.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.


Title: Re: Training spam filter - any point?
Post by: jelv1 on September 09, 2007, 08:52:50 am
After a couple of weeks with very little getting through, I've seen more untagged spam in the last week or so - thank God for the new buttons in webmail - let's hope we see an improvement if more people are reporting spam.

Can Plusnet confirm that all emails forwarded are used please.


Title: Re: Training spam filter - any point?
Post by: mikeb on September 09, 2007, 12:57:01 pm
I'm fairly certain that PN have said in the past that only a relatively small sample from all forwarded 'spam' messages is used to train the filter.  The only 'good' news was I think they also said these messages are reviewed manually before being used to ensure that they really are spam messages and not a mistake or from someone being stupid.


Title: Re: Training spam filter - any point?
Post by: NB on September 09, 2007, 03:12:02 pm
ISTR it was Bob who gave the details in a post in the PUG forums a while back.  It was something like 40 spam/not spam messages they used on each training run and they were hand picked from all the spam/not spam reports so as to have the best benefit in the training.  I'll see if I can find the post later, but I have to go out just now.


Title: Re: Training spam filter - any point?
Post by: bpullen on September 18, 2007, 01:20:37 pm
The information is in this very thread!

Clicky! (http://usergroup.plus.net/forum/index.php/topic,4852.msg63228.html#msg63228)


Title: Re: Training spam filter - any point?
Post by: godsell4 on September 18, 2007, 09:42:29 pm

And now to add to the amusement, mxcore14 is using spamicity values of 0.04 for everything ...


mxcore01 is doing this now.

SW.


Quote
X-Daemon-Classification: INNOCENT
Envelope-to: xxx@yyy.plus.com
Delivery-date: Tue, 18 Sep 2007 03:54:27 +0100
Received: from p3194-ipbf2701marunouchi.tokyo.ocn.ne.jp ([122.18.229.194] helo=deenaflentge.com)
     by fhw-sunmxcore01.plus.net with smtp (PlusNet MXCore v2.00) id 1IXTEI-0003RC-Oz
     for xxx@yyy.plus.com; Tue, 18 Sep 2007 03:54:27 +0100
Received: from your170b1dbacb ([141.225.55.145])
     by 122.18.229.194 (9.1.4/8.4.7) with SMTP id 09a257328b6898;
     Tue, 18 Sep 2007 11:54:19 +0900
Message-ID: <001001c7f9ea$a536e450$011de33c@your170b1dbacb>
From: "Joanna Howard" <wirelativity@deenaflentge.com>
To: "xxx@yyy" <xxx@yyy.plus.com>
Subject: Penis enlargement, as we know it, will never be the same.
Date: Tue, 18 Sep 2007 11:50:14 +0900
MIME-Version: 1.0
Content-Type: text/plain;
     format=flowed;
     charset="iso-8859-1";
     reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.181
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2969
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Tue Sep 18 03:54:27 2007
X-DSPAM-Confidence: 1.0000
X-DSPAM-Improbability: 1 in 98689409 chance of being spam
X-DSPAM-Probability: 0.0023
X-DSPAM-Factors: 27,
     X-PN-VirusFiltered*MXCore, 0.40000,
     Received*Sep, 0.40000,
     Received*Sep, 0.40000,
     From*<wirelativity, 0.40000,
     Received*Tue, 0.40000,
     Received*Tue, 0.40000,
     Subject*it, 0.40000,
     X-MimeOLE*MimeOLE+V6.00.3790.2969, 0.40000,
     Message-ID*your170b1dbacb>, 0.40000,
     Subject*know+it, 0.40000,
     Subject*never, 0.40000,
     X-PN-VirusFiltered*MXCore+(v4.00), 0.40000,
     Received*122.18.229.194+(9.1.4/8.4.7), 0.40000,
     Date*2007+11, 0.40000,
     Received*0003RC, 0.40000,
     Subject*enlargement, 0.40000,
     Received*weblogs, 0.40000,
     X-MimeOLE*By, 0.40000,
     Received*0003RC+Oz, 0.40000,
     Received*v2.00), 0.40000,
     Subject*enlargement+as, 0.40000,
     Subject*will, 0.40000,
     been, 0.40000,
     Received*fhw, 0.40000,
     Received*fhw+sunmxcore01.plus.net, 0.40000,
     Take+With, 0.40000,
     X-MimeOLE*Produced, 0.40000


Title: Re: Training spam filter - any point?
Post by: mikeb on September 19, 2007, 12:17:58 am
FWIW, here's last week's spam stats.

(http://www.twowheels.force9.co.uk/TEMP/spam11.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.


Title: Re: Training spam filter - any point?
Post by: jelv1 on September 19, 2007, 10:17:07 am
I'm seeing more missed spam at the moment. I have been using the new buttons but I'm not seeing any improvement. I'm just wondering how many of the missed spam emails I'm sending are actually being used and if I'm actually wasting my time. My repeated request on the Community forums for the percentage of reported spam/ham that is used seems to be being ignored here (http://community.plus.net/forum/index.php?topic=1179.msg15212#msg15212).

If I'm seeing very, very significantly more missed spam than wrongly tagged ham (and from other posts on the forums that seems to be other people's experience), could someone explain the logic of feeding in equal sized batches of 400 spam/ham?


Title: Re: Training spam filter - any point?
Post by: godsell4 on September 19, 2007, 11:40:49 am
... could someone explain the logic of feeding in equal sized batches of 400 spam/ham?

So it has a balanced diet ?    :-o

SW


Title: Re: Training spam filter - any point?
Post by: jelv1 on September 19, 2007, 12:29:49 pm
Thank you - the door plank is over there - start walking!


Title: Re: Training spam filter - any point?
Post by: mikeb on September 23, 2007, 01:00:25 am
FWIW, here is last week's spam stats:

(http://www.twowheels.force9.co.uk/TEMP/spam12.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.


Obviously, the new/improved/whatevered deletion/rejection at MX level processing has had a variety of implications over the week.  The most notable being the sudden loss of a significant number of 100% genuine e-mails from various sources and the least notable being little to no effect on the volume of spam received, in fact a small increase on average on last week.

If the processes were working as intended, rejecting spam with no sensible rDNS entry would probably have dumped somewhere between 25 and 50% of my spam. Rejecting spam with other DNS issues and/or blatantly forged headers would probably have dumped somewhere around a similar amount. However, rejecting spam from a compromised dynamic address would dump virtually 100%. The only possible conclusion one can draw from analysing the spam received against what the new processes are supposed to be doing is that the implementation is highly unreliable and very inconsistent.  When you consider that PN now also claim to have been rejecting spam based on rDNS (or lack thereof) etc. for years that makes it even worse.  There is and always has been a vast majority of blatant spam with dodgy DNS issues and forged headers etc. from a relatively small number of compromised dynamic IPs.  If the processes were working as claimed then I could quite reasonably expect to see virtually zero spam for most of the time. This is clearly not the case and whilst losing genuine mail and experiencing the associated hassle might be a relatively small price to pay in the short-term for receiving no spam in the longer term, seeing virtually no difference in spam but still losing a significant amount of genuine mail is regrettably not a price that I am personally prepared to pay under any circumstances.

Bear in mind that PN have previously suggested that the dramatic changes shown on the graph are not a result of mail platform or filtering changes despite the apparent co-incidences so now is not a good time to change the story and suggest that the low points are where PN were testing out the new processes or whatever and use that as an indication of how things are going to look in the future ;)  The one and only event that PN have (sort of) admitted to that would have had a slight effect on the data above is the very short lived Critical Path trial and the associated loss of mail in particular.  Next week's data will be very interesting to say the least ... if I can be @rsed to keep on monitoring the problem rather than giving it up as a lost cause and spending my time doing something much more worthwhile and interesting.


Title: Re: Training spam filter - any point?
Post by: pwebb on September 23, 2007, 09:55:16 am
Mikeb,

I'm not surprised that the graph you have posted shows very little decrease for last week as the changes were only rolled to the primary mail servers on Thursday. What I have seen on one of my PlusNet accounts that had no spam before the webmail incident is that spam in the spam folder has reduced by about two thirds.

We are still training the new dynamic IP blocking system as the way the system has been implemented if spam is seen from an IP address, the range is checked and if it is dynamic the range is added to the database so that more spam from that range will not be allowed.

I'd be interested if you could tell me how many legitimate mails that you are aware of that this change has blocked for you?

Can you give me some example headers of spam that you are still getting so that I can have the database checked to see why these ranges are not in or the DNS checks are not capturing it?

I can see that what we have done has really annoyed you and I want to do everything that I can to resolve this so that the system is working to your satisfaction, but without working together this will not happen.

Phil


Title: Re: Training spam filter - any point?
Post by: mikeb on September 23, 2007, 11:26:28 pm
May I suggest that you take a wander over to the rather unfortunately titled "Led Zep" thread for examples - that thread started off as a query about 1 particular missing email but subsequently some rather more obvious ones were discovered as being missing. It has also turned into a discussion on strange apparent inconsistencies etc. As for other genuine mail deleted/rejected/whatevered I would guess there are probably more that I'm not yet aware of that have been dumped due to DNS or IP issues.


Title: Re: Training spam filter - any point?
Post by: godsell4 on September 27, 2007, 01:26:05 pm
mxcore18 now applying default 0.400 spamicity values ....

Quote
X-Daemon-Classification: INNOCENT
Envelope-to: abcd@defg.plus.com
Delivery-date: Wed, 26 Sep 2007 10:39:07 +0100
Received: from 89.pool85-59-69.dynamic.orange.es ([85.59.69.89])
     by pih-sunmxcore18.plus.net with esmtp (PlusNet MXCore v2.00) id 1IaTMI-0003b9-CK
     for abcd@defg.plus.com; Wed, 26 Sep 2007 10:39:07 +0100
Received: from [85.59.69.89] by mail2.johnnybull.com; Wed, 26 Sep 2007 10:39:05 +0100
Message-ID: <01c80021$142e7990$59453b55@pete>
From: "Bruno Ingram" <pete@johnnybull.com>
To: <abcd@defg.plus.com>
Subject: 100mg x 90 pills US $ 159.95
Date: Wed, 26 Sep 2007 10:39:05 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
     type="multipart/alternative";
     boundary="----=_NextPart_000_0006_01C80021.142E7990"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Wed Sep 26 10:39:08 2007
X-DSPAM-Confidence: 1.0000
X-DSPAM-Improbability: 1 in 98689409 chance of being spam
X-DSPAM-Probability: 0.0023
X-DSPAM-Factors: 27,
     From*<pete, 0.40000,
     sand+That, 0.40000,
     sand+That, 0.40000,
     4KH0LKL", 0.40000,
     X-PN-VirusFiltered*MXCore, 0.40000,
     Received*Sep, 0.40000,
     Received*Sep, 0.40000,
     That, 0.40000,
     That, 0.40000,
     Received*26+Sep, 0.40000,
     Received*26+Sep, 0.40000,
     things+To, 0.40000,
     things+To, 0.40000,
     hspace=0+src="cid, 0.40000,
     just, 0.40000,
     just, 0.40000,
     equiv=Content+Type, 0.40000,
     Received*from+89.pool85, 0.40000,
     us, 0.40000,
     us, 0.40000,
     watch, 0.40000,
     watch, 0.40000,
     be+aliveHis, 0.40000,
     be+aliveHis, 0.40000,
     reach+out, 0.40000,
     reach+out, 0.40000,
     Received*2007+10, 0.40000
       


Title: Re: Training spam filter - any point?
Post by: Oldjim on September 28, 2007, 08:57:54 am
This is getting silly - how did this get through - note all the open relays
Quote
Delivery-date: Fri, 28 Sep 2007 05:11:06 +0100
Received: from jaringac2pc.jaring.my ([61.6.56.23])
     by pih-sunmxcore14.plus.net with esmtp (PlusNet MXCore v2.00) id 1Ib7Bw-0007LM-LL
     for ****.plus.com; Fri, 28 Sep 2007 05:11:05 +0100
Received: from aida ([155.126.72.17]:14319 "EHLO aida"
   smtp-auth: <none> TLS-CIPHER: <none> TLS-PEER-CN1: <none>)
   by jaringac2pc.jaring.my with ESMTP id S22RAYQAUWBFBOQP (ORCPT
   <rfc822;*****.plus.com@mx.core.plus.net>);
   Fri, 28 Sep 2007 12:10:43 +0800
Message-ID: <000401c80185$778915d0$1738063d@aida>
From: "rynette Dutta" <rynette335@leaderresources.org>
To: ****
Subject: sausewin
Date: Fri, 28 Sep 2007 12:10:12 +0800
Message-ID: <000401c80185$778915d0$1738063d@aida>
MIME-Version: 1.0
Content-Type: text/plain;
   charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
x-open-relay: 61.6.56.23 is in a black list at bl.spamcop.net
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Fri Sep 28 05:11:06 2007
X-DSPAM-Confidence: 0.5444
X-DSPAM-Improbability: 1 in 120 chance of being spam
X-DSPAM-Probability: 0.0000
X-DSPAM-Factors: 27,
   Envelope-to*james, 0.00188,
   Delivery-date*28+Sep, 0.00446,
   Delivery-date*Fri+28, 0.00796,
   news+should, 0.01000,
   soon+For, 0.01000,
   Received*mx.core.plus.net>), 0.99000,
   company+recently, 0.01000,
   Date*Fri+28, 0.02582,
   Received*<rfc822, 0.97226,
   Received*(ORCPT, 0.97203,
   don't+currently, 0.03670,
   Received*Fri+28, 0.04479,
   Received*Fri+28, 0.04479,
   broker+now, 0.95461,
   your+broker, 0.95305,
   (if+not, 0.04835,
   To*james, 0.04835,
   13+and, 0.05251,
   this+now, 0.05905,
   x-open-relay*is+in, 0.93113,
   x-open-relay*list+at, 0.93113,
   x-open-relay*a+black, 0.93113,
   x-open-relay*in+a, 0.93113,
   x-open-relay*in, 0.93113,
   x-open-relay*black, 0.93113,
   x-open-relay*at+bl.spamcop.net, 0.93113,
   x-open-relay*at, 0.93113


Title: Re: Training spam filter - any point?
Post by: mikeb on September 30, 2007, 02:08:23 am
FWIW, here is last week's spam stats:

(http://www.twowheels.force9.co.uk/TEMP/spam13.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.

Hmmmmmm, I see no decrease over all.  Answers on a postcard please ...  :-P


Title: Re: Training spam filter - any point?
Post by: mikeb on September 30, 2007, 11:23:25 pm
Good news everyone ! ... NOT ... it would appear that Large Richard (aka M***D**) is alive and kicking today and most certainly back with us and even bigger than ever :(  Several messages so far today with the (in)famous male enhancement pill trade name blatantly contained in the subject line.  Typical set of headers below:

Quote
Envelope-to: My_Account@My_Account.plus.com
Delivery-date: Sun, 30 Sep 2007 17:39:28 +0100
Received: from [90.189.200.97] (helo=nova.edu)
     by pih-sunmxcore16.plus.net with smtp (PlusNet MXCore v2.00) id 1Ic1pG-0004G8-LB
     for My_Account@My_Account.plus.com; Sun, 30 Sep 2007 17:39:27 +0100
Received: from 64.18.5.14 (HELO kaplancollege.edu.mail8.psmtp.com)
     by twowheels.plus.com with esmtp (IOWKRXBEXIZO CBJLY)
     id 3Uk5lg-qEhnKT-ha
     for My_Account@My_Account.plus.com; Fri, 30 Sep 2005 23:37:05 +0700
Message-ID: <00fe01c5c5dd$31001360$c0a80102@Marta>
From: "Marta T. Waddell" <Marta@kaplancollege.com>
To: "Shawn K. Ramey" <My_Account@My_Account.plus.com>
Subject: You can do it! Penis enlargement with M***d** is what you need!
Date: Fri, 30 Sep 2005 23:37:05 +0700

Absolutely no shortage of other similar messages all via various different servers so apparently not an individual server problem.

NOTE: Previous messages seemed to have M***D** in the subject line rather than M***d** so can I put my money on someone not adding an appropriate entry for ALL the various permutations of lowercase, caps, spaces, underscores etc. ?  Fundamental error methinks ;)  Although, having said that, I also seem to have just a few messages with M***D** in the subject line as well so it really looks as though the filtering has gone all t*ts up in any case  :roll:


Title: Re: Training spam filter - any point?
Post by: Matt_2k34 on September 30, 2007, 11:56:48 pm
Really? Wow, I haven't had any obscene emails, just ones with 4/5 random numbers as the subject, and adobe / pills inside :)


Title: Re: Training spam filter - any point?
Post by: godsell4 on October 05, 2007, 01:17:08 pm

Why has the reference to bl.spamcop.net been removed from the spam factors database?

I mean the line for e-mail headers we see that reads.

x-open-relay: 218.125.172.99 is in a black list at bl.spamcop.net

Is now not being picked up as one of the values in X-DSPAM-Factors: I would say >90% of untagged SPAM getting through to me has this line in the headers. :(

SW.


Title: Re: Training spam filter - any point?
Post by: mikeb on October 07, 2007, 02:48:52 am
FWIW, here is last week's spam stats:

(http://www.twowheels.force9.co.uk/TEMP/spam14.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.

It was looking as though the figures for this week would have been an increase on last week, although a reduced rate of increase on the previous two weeks, but the rejection of messages with no sender IP rDNS since Thursday(ish) has resulted in a small decrease on average.  Assuming that the amount of spam in general doesn't go mental next week and the spammers don't fix the fairly easily resolved lack of rDNS entry then there should be a more significant decrease next week.


Title: Re: Training spam filter - any point?
Post by: mikeb on October 14, 2007, 12:35:12 am
FWIW, here is last week's spam stats:

(http://www.twowheels.force9.co.uk/TEMP/spam15.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.

The general spam volume has decreased, presumably due to all the 'new' spammy IPs getting black-listed in various places rather than anything else. The PN rDNS checks have been in and out so often that I'm not sure what effect they had (other than some lost genuine mail) but some of the reduction will have been due to that although not a huge amount. The number of spam messages without rDNS seems pretty small on the days when checking was disabled when compared to that in previous weeks.


Title: Re: Training spam filter - any point?
Post by: mikeb on October 21, 2007, 12:54:25 am
Here is last week's spam stats:

(http://www.twowheels.force9.co.uk/TEMP/spam16.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.


Title: Re: Training spam filter - any point?
Post by: mikeb on October 28, 2007, 12:43:56 am
Here is last week's spam stats:

(http://www.twowheels.force9.co.uk/TEMP/spam17.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.


Title: Re: Training spam filter - any point?
Post by: mikeb on November 04, 2007, 12:23:35 am
Here is last week's spam stats:

(http://www.twowheels.force9.co.uk/TEMP/spam18.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.

As a result of the criticalpath boxes being slowly introduced during the current trial, 72 spam messages out of the total 532 spam messages had the new "suspected spam" header added - that's around 14%.  Not bad seeing that only a few mx-cores have had the criticalpath boxes inserted so far and mx-last has none at all :) The only negative that I've spotted so far is one single 100% genuine message which was tagged by criticalpath for no apparent reason whatsoever (clicky for linky) (http://usergroup.plus.net/forum/index.php/topic,5002.msg69604.html#msg69604). I've also seen a small number of genuine messages received via the criticalpath boxes that passed through untagged but I haven't spotted any spam messages passing through the criticalpath boxes that weren't tagged.


Title: Re: Training spam filter - any point?
Post by: mikeb on November 11, 2007, 12:55:25 am
Here is last week's spam stats:

(http://www.twowheels.force9.co.uk/TEMP/spam19.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.

As a result of the criticalpath boxes being slowly introduced during the current trial, 131 spam messages out of the total 462 spam messages had the new "suspected spam" header added - that's around 28%.  Not bad seeing that not all mx-cores have had the criticalpath boxes inserted so far and mx-last has none at all :) I even think I'm beginning to like criticalpath ... which is all a bit scary really considering my previous (adverse) comments various !

On the negative side, two 100% genuine messages have been tagged by criticalpath for no apparent reason whatsoever.  Both messages were from one of the two sources that were tagged last week. However, the other source of 100% genuine messages that was previously tagged came through without getting tagged this week. There were no apparent changes in sender IP, address(es), routing and so on therefore I assume some changes have been made somewhere as the tagged and not tagged messages appear identical in all relevant ways.  In addition I have spotted eight 100% obvious spam messages received via the criticalpath boxes that were NOT tagged as 'suspected spam' this week.  I have more than a sneaky suspicion that these may be down to DNS platform issues (such as timeouts) especially because near-identical spam messages received around the same time were tagged as such. I have also been seeing occasional random problems with DNS look-ups recently.

Needless to say, the bulk of spam is now being delivered via MX-last but let me say this once again before anyone has any 'bright' ideas: NOT ALL MAIL delivered by MX-last is by definition SPAM, so let's not be making any rash decisions regarding de-spamming of MX-lasts please !  I generally seem to get a very significant amount of genuine mail delivered via MX-last.

... wanders off to 'celebrate' six months of spam - any excuse to liberate a nicely chilled green bottle from Mr.Fridge and all that
(http://www.twowheels.force9.co.uk/STUFF/SMILIES/drunk.gif)


Title: Re: Training spam filter - any point?
Post by: MauriceB on November 11, 2007, 11:45:54 am
Thanks for the continued updates Mike.  Looks like there may be some optimism on the SPAM problem at last :angel:


Title: Re: Training spam filter - any point?
Post by: jelv1 on November 12, 2007, 08:53:55 am
Mikeb, Have you been getting the MONUMENTAL MARKETING INC spams? If so I suspect the favourable trend in your graphs is going to show a bit of a set-back!


Title: Re: Training spam filter - any point?
Post by: Oldjim on November 12, 2007, 09:23:05 am
I would agree with that - the spam volume has increased a lot recently


Title: Re: Training spam filter - any point?
Post by: dgdclynx on November 12, 2007, 11:17:54 am
I have noticed the spam volume increase but I hoped it was down to the fiddling with PN's antispam checker.


Title: Re: Training spam filter - any point?
Post by: spraxyt on November 12, 2007, 12:11:54 pm
I'm feeling deprived  :no:  no spam for over 24 hours (apart from one that was missed which I've reported).


Title: Re: Training spam filter - any point?
Post by: Oldjim on November 12, 2007, 03:44:10 pm
Just checked my spam folders and I have received more unidentified spam than identified over the last two days - must do better


Title: Re: Training spam filter - any point?
Post by: mikeb on November 13, 2007, 11:53:21 am
Quote
Mikeb, Have you been getting the MONUMENTAL MARKETING INC spams? If so I suspect the favourable trend in your graphs is going to show a bit of a set-back!

Don't worry ... I've got way more than my fair share of them, unfortunately, and every d@mn one is also CC'd and BCC'd to several variations on each A/C for added amusement value !  But you're right, it's looking like it's going to be a heavy(ish) week based on figures to date :(  However, any billy-no-mates users who are feeling unloved and unwanted because they're not getting them can provide me with their addy and I'll forward them some if they want to join the club :evil:  Maybe worth noting that these are not coming as a result of the webmail compromise in my case though.  The volume of spam to all the PN compromised addresses is very low again at the mo.

Still getting occasional random untagged blatant spams via criticalpath as well as the very occasional tagged genuine message though.

... wanders off to instruct stockbroker to buy-buy-buy  :lol:


Title: Re: Training spam filter - any point?
Post by: pjmarsh on November 13, 2007, 12:36:39 pm
Quote
...However, any billy-no-mates users who are feeling unloved and unwanted because they're not getting them can provide me with their addy and I'll forward them some if they want to join the club :evil:...

Alternatively post your email address here and I'm sure before too long someone will send you your very own spam!  8-)

Phil


Title: Re: Training spam filter - any point?
Post by: mikeb on November 14, 2007, 11:05:06 am
Ah yes, but that would be just common or garden spam. What I'm offering isn't just ordinary random spam, it is specially hand selected top quality kosher spam delivered with the personal touch for your added viewing pleasure.  Every little helps and all that :P

... wanders off trying to work out why his usually stony-faced stockbroker keeps going into fits of giggles whenever I call him to buy more. Doesn't he understand a good buy when he sees it ? With all this advice to buy at mucho cheapness because it's going to skyrocket real soon now it can't possibly be wrong can it !  I wonder how many stupid people actually do fall for this sort of nonsense tho  :?


Title: Re: Training spam filter - any point?
Post by: jelv1 on November 14, 2007, 05:04:51 pm
Quote
I wonder how many stupid people actually do fall for this sort of nonsense tho  :?

Enough to make it profitable for the spammers!

Look at http://finance.yahoo.com/q/bc?s=MNUM.OB&t=5d and observe the volume of trades, then look at the Historical Prices and see the normal volume of trades on this stock (clue: on many days it is a nice round figure).


Title: Re: Training spam filter - any point?
Post by: jelv1 on November 15, 2007, 11:13:44 pm
A week or so ago I turned on the junk mail detection in Thunderbird and have been training the filter since then. Plusnet's spam detection has been running for a considerable time longer and should therefore be far better trained seeing as the volume of emails it processes is far higher and therefore has the benefit of more training data. Right?

Wrong!

Today I have been keeping a tally of spam emails which have been missed by Plusnet, Thunderbird or both. Here are the scores:

Missed by Plusnet (identified as junk by TB): 19

Missed by Thunderbird (tagged as SPAM by PN): 8

Missed by both: 2

I have had no false positives today from either.


Title: Re: Training spam filter - any point?
Post by: godsell4 on November 16, 2007, 06:59:20 am

Seeing something odd, is it just me ?

The mailboxes known to be compromised some months ago, the number of messages tagged as [-SPAM-] and put into my Inbox.Spam folder is greatly reduced. Either this is [a] a real thing and I am just less targeted by Spammers, [b] a real thing and more messages are being rejected outright for delivery or [c] a quirk of the script used to delete messages older than 21 days in the inbox.spam folder.

Thoughts ?

SW.


Title: Re: Training spam filter - any point?
Post by: NB on November 16, 2007, 08:48:09 am

Quote
Seeing something odd, is it just me ?

The mailboxes known to be compromised some months ago, the number of messages tagged as [-SPAM-] and put into my Inbox.Spam folder is greatly reduced. Either this is [a] a real thing and I am just less targeted by Spammers, [b] a real thing and more messages are being rejected outright for delivery or [c] a quirk of the script used to delete messages older than 21 days in the inbox.spam folder.

Thoughts ?

SW.

[a] My work addy was also compromised and has also had less spam this week.  Mail to it doesn't go anywhere near Plusnet's mail system so that would have nothing to do with the volume.


Title: Re: Training spam filter - any point?
Post by: mikeb on November 16, 2007, 10:22:01 am
Re: lack of spam to compromised addresses:

Yup that's very much the case. The volume of spam to all my compromised addresses has been minimal for a while now - look at the black lines (several individual compromised addresses) and the red line (total targeted spam to compromised addresses) on the spam charts various above and bear in mind there is no optional filtering being used.  The interesting thing is that some addresses get a few but others now don't get any and at no time have I ever had random spam as a result of the compromised addresses.  It has always been just to the specific compromised addresses. My main address which was getting a 100 or so at one point now gets only 1 or 2 a week but more often than not, none at all.  Not that I'm in any way complaining about that mind you !

It's very strange that the distribution across the various A/Cs and addresses suddenly became so wildly different after the first 3 months or thereabouts.  My F9 A/C did and still does get significantly and consistently more than my PN A/C despite the fact that both sets of addresses were compromised at the same time by the same people in the webmail incident.  In fact, the lack of spam to my main A/C and to my main address in particular is the primary reason that I'm closely monitoring what's going on and making a point of looking out for possible lost genuine messages. I'm obviously more than happy about the lack of spam ... but only if the reduced amount of genuine mail is because no one loves me any more rather than because it's getting mysteriously dumped somewhere en-route !


Title: Re: Training spam filter - any point?
Post by: mikeb on November 18, 2007, 01:18:23 am
Here is last week's spam stats:

(http://www.twowheels.force9.co.uk/TEMP/spam20.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.

No surprise that the volume is on the up again but it's not as bad as I was expecting earlier in the week.  As a result of the criticalpath boxes being introduced during the current trial, 317 spam messages out of the total 605 spam messages had the new "suspected spam" header added - that's around 52%.  Apart from the small number of un-tagged spam messages from the criticalpath boxes, all spam is now being received via mx-last.

On the negative side, three 100% genuine messages from different senders have been tagged by criticalpath for no apparent reason whatsoever.  Refer to this thread (http://usergroup.plus.net/forum/index.php/topic,5002.msg70183.html#msg70183) for details. I can still see no apparent reason why messages from any of these senders are being tagged.  In addition I have spotted 21 obvious 100% spam messages received via the criticalpath boxes that were NOT tagged as 'suspected spam' this week.  I still have more than a sneaky suspicion that these may be down to DNS platform issues (such as timeouts) especially because near-identical spam messages received around the same time were tagged as such.



Title: Re: Training spam filter - any point?
Post by: mikeb on November 25, 2007, 01:02:29 am
Here is last week's spam stats:

(http://www.twowheels.force9.co.uk/TEMP/spam21.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.

No surprise that the volume is very much on an upward trend again as humbug season approaches :roll: Anyways, on the plus side, what it does mean is that everyone's now getting a firmer and longer lasting Wolex and some shiny new pills for their bling-bling this year so I'm all sorted and can relax with something chilled from the fridge while all the lesser mortals are still out looking for stuff :-P

On the criticalpath front, 387 spam messages out of the total 848 spam messages had the new "suspected spam" header added - that's around 46%.  Apart from the small number of un-tagged spam messages from the criticalpath boxes, all spam is now being received via mx-last.

On the negative side, three 100% genuine messages from 3 different senders have been tagged by criticalpath for no apparent reason whatsoever. Refer to this thread (http://usergroup.plus.net/forum/index.php/topic,5002.msg70183.html#msg70183) for details. I can still see no apparent reason why messages from any of these senders are being tagged but questions are apparently being asked in the house.

In addition I have spotted 26 obvious 100% spam messages received via the criticalpath boxes that were NOT tagged as 'suspected spam' this week.  I still have more than a sneaky suspicion that these may be down to DNS platform issues (such as timeouts) especially because near-identical spam messages received around the same time were tagged as such.

Generally speaking the criticalpath boxes are doing pretty d@mn well and if you ignore stuff that sneaked in via mx-last, the figures are quite impressive:

Total number of messages correctly identified as spam:   387 (93%)
Number of false positives (tagged genuine messages):   3 (0.72%)
Number of false negatives (untagged blatant spam):   26 (6.25%)

Now I guess that simply has to be one (or more likely several !) order(s) of magnitude better than ye olde PN spam filters even though I've never used them ... but there's still room for improvement here. Whilst the figures are more than a bit good and the 'errors' are a small %ge, they are somewhat embarrassing IMHO.  For most (if not all) of the untagged blatant spam, I seem to have several very similar (if not identical) messages that were tagged as such. Similarly, the tagged genuine messages are all 100% genuine from well-known senders and appear to be 100% error-free insofar as DNS and other obvious issues are concerned so there appears to be no good reason why they have been tagged at all. It does seem as though criticalpath has a general 'problem' with list-servers and mailing lists though as all the false positives fall into this category.  There is also a possible problem at the mo with missing/lost/rejected genuine mail and although this could well be nothing to do with criticalpath (or PN at all for that matter), I'm mighty suspicious that it is.

Obviously, these comments are all based on data from one single user out of 200K or thereabouts so it's hardly a representative sample but hopefully other users are seeing similar results. If what appears to be obvious criticalpath 'mistakes' can be fixed then I can see the success rate getting to just about the 100% level :)  But what is most important IMO is reducing the false positives to zero.  Any first-line filtering, particularly if it is mandatory, really must err on the side of letting occasional spam through rather than potentially dumping genuine mail. A small amount of chopped ham and pork getting through is no big deal but losing genuine mail most certainly is. 

It's in absolutely everyone's interest (apart from Mr.Spammer) to get this right and for it to be 100% reliable.  Whilst there is a significant risk of false positives, rather like with ye olde spam filtering, it's not something I can really make use of. But if criticalpath is seen to be reliably tagging a high %ge of spam (which it currently is) but with no false positives then even I would be tempted to seriously consider just dumping everything that it picks up without further checking or processing. 



Title: Re: Training spam filter - any point?
Post by: Penny on November 25, 2007, 10:14:15 am
Quote
It's in absolutely everyone's interest (apart from Mr.Spammer) to get this right and for it to be 100% reliable.

A very comprehensive overview, Mike :)  This systematic approach you take must be making it easier for PN to get things sorted.

Spam is presumably a headache for ISPs everywhere but it would be good if PN could get this 100% accurate (or as near as dammit).

Regards,

Penny.


Title: Re: Training spam filter - any point?
Post by: NB on November 25, 2007, 12:29:02 pm
The problem is spam is like virii, it's ever evolving and mutating.  I think there is no realistic prospect of ever achieving better than 96-97% correctly tagged spam.  And the more spam evolves the harder it is likely to get to maintain such levels without increasing numbers of false positives also.


Title: Re: Training spam filter - any point?
Post by: dontflag on November 25, 2007, 07:00:51 pm
Quote
I think there is no realistic prospect of ever achieving better than 96-97% correctly tagged spam.

I would be disappointed if my spam filter accuracy got that low.

For almost five years now I've been using POPFile to classify mail from about half a dozen accounts. My current statistics show 58 errors out of 9,942 messages processed which works out at 99.41% accuracy.


Title: Re: Training spam filter - any point?
Post by: NB on November 25, 2007, 09:50:04 pm
99% for one individual's mail is one thing; 99% for a couple of hundred thousand users is something else.  The problem is one person's spam isn't all the same as another's.  Some may receive legit e-mails with similar content to what another might consider as spam so the ISP spam filters have to compromise a bit.

Consider people working in the financial sector, they may receive loads of e-mails each day about stocks and shares to buy with prices in $; the content may be similar enough in many aspects to spam e-mails to cause trouble for ISP spam filters set too restrictively.

IMO there will be a need for two levels of spam filtering, at ISP level of most of the easiest to spot spam common to all users, and on the individual's PC for the finer detailed spam filtering tuned to sift the remaining spam from their specific e-mails.


Title: Re: Training spam filter - any point?
Post by: jelv1 on November 27, 2007, 11:53:21 am
A quick heads up to anyone following this saga: Bob's posted over on the Community forums (http://community.plus.net/forum/index.php/topic,57801.msg471126.html#msg471126) that turning the Critical Path tagging on has been delayed. From what he's said it may not be this week.  :-(

Shame, as a noticeable amount of the spam that is getting through untagged has the X-MAA: Suspected Spam header.


Title: Re: Training spam filter - any point?
Post by: mikeb on November 27, 2007, 12:20:33 pm
Quote
The problem is spam is like virii, it's ever evolving and mutating.  I think there is no realistic prospect of ever achieving better than 96-97% correctly tagged spam.  And the more spam evolves the harder it is likely to get to maintain such levels without increasing numbers of false positives also.

Normally I would agree entirely as I'm pretty much convinced that whilst spam filtering on a per-user basis is (or at least can be) very accurate indeed, this is rarely (if ever) the case across a wide user base. One man's spam is another's Sunday roast and all that apart from anything else.  However, I suspect that no one is more surprised than me at the apparent accuracy of the criticalpath boxes so far in this trial and from what I can see, it could so easily be better.  Although there is only around a week's worth of data since all mx-cores started receiving mail via criticalpath so it's perhaps a bit early to get too excited, I think I would be prepared to put (a reasonable sum of) money on achieving a 99.X% success rate with no false positives based on what I've seen going on to date.  OK, the accuracy could suddenly decline dramatically if Mr.Spammer starts doing something very different but only time will tell just how well criticalpath keeps up with changes in style, content and sources etc. 

How long is the criticalpath trial intended to last ? I would hope for several months at least in order to allow a reasonable period of time for a sensible evaluation of performance.  It would also be really good to say the least if the trial were to be extended to include mx-last if at all possible to ensure that criticalpath sees the full spectrum of spam being received i.e. including all the stuff which is sent directly to mx-last.

As I said before though, my comments are based on data from one single user which is hardly a representative sample but for those of us who are suffering solely because of the webmail compromise, I would guess that most are probably seeing similar results. The success rate on spam to webmail compromised mboxes/addresses appears to be extremely good. However, the success rate on ye olde previously compromised A/C that has received buckloads of random spam for years is lower but still pretty good.  Mind you, I'm still very intrigued/concerned as to why my main address which was compromised for me is receiving next to no spam at all compared to all the other addresses compromised at the same time ... not that I'm in any way complaining about it !

Has anyone else got any data or gut feeling as to how criticalpath is performing on their A/Cs ? I was kinda expecting PN would be producing some sort of stats during the trial although TBH, they probably wouldn't mean very much in reality I suppose but data from individual users would be significantly more meaningful and believable.  Is no one else sad enough interested enough to spare a little time to keep an eye on how things are going ?


Re: criticalpath tagging - Jelv, can you not implement your own filter to direct any mail with the X-MAA header either to your spam folder or another dedicated folder for reviewing ?  It shouldn't be a particular problem to do in just about any old pop3 mail reader although I have no idea if it is possible to achieve if you're using webmail mind you.
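
Added example, not part of the posts above: a Python sketch of the client-side filter suggested to Jelv, routing on the X-MAA: Suspected Spam header, together with the weekly tally of tagged spam, false positives and false negatives from the 25 November post. The folder names "Review" and "INBOX", the hand labels, the message bodies and the figure of 120 untagged genuine messages are constructed for the illustration.

```python
from collections import Counter
from email import message_from_string

TAG_HEADER = "X-MAA"          # header name as quoted in the thread
TAG_MARK = "suspected spam"   # its value as quoted, matched case-insensitively


def is_tagged(raw):
    """True if any X-MAA header on the message carries the marker."""
    msg = message_from_string(raw)
    return any(TAG_MARK in value.casefold() for value in msg.get_all(TAG_HEADER, []))


def route(raw):
    """Folder for the message: tagged mail goes to a folder that is reviewed
    by hand instead of being deleted (folder names are assumptions)."""
    return "Review" if is_tagged(raw) else "INBOX"


def tally(labelled):
    """Count outcomes for (raw_message, is_spam_by_hand) pairs."""
    names = {
        (True, True): "tagged_spam",
        (True, False): "false_positive",
        (False, True): "false_negative",
        (False, False): "clean",
    }
    counts = Counter()
    for raw, is_spam in labelled:
        counts[names[(is_tagged(raw), bool(is_spam))]] += 1
    return counts


def posted_shares(counts):
    """Percentages on the basis used in the weekly posts: each class as a
    share of tagged spam + false positives + false negatives."""
    keys = ("tagged_spam", "false_positive", "false_negative")
    total = sum(counts[k] for k in keys)
    return {k: round(100 * counts[k] / total, 2) if total else 0.0 for k in keys}


def false_positive_rate(counts):
    """Tagged genuine mail as a share of all genuine mail seen, which needs
    the count of untagged genuine messages as well."""
    genuine = counts["false_positive"] + counts["clean"]
    return round(100 * counts["false_positive"] / genuine, 2) if genuine else 0.0


def constructed(tagged, number):
    """Build placeholder messages, with or without the tagging header."""
    head = "X-MAA: Suspected Spam\n" if tagged else ""
    return [f"{head}Subject: constructed sample {i}\n\nbody\n" for i in range(number)]


def sample_week(clean=120):
    """Counts from the 25 November post (387 / 3 / 26); 'clean' is constructed."""
    return (
        [(m, True) for m in constructed(True, 387)]
        + [(m, False) for m in constructed(True, 3)]
        + [(m, True) for m in constructed(False, 26)]
        + [(m, False) for m in constructed(False, clean)]
    )


if __name__ == "__main__":
    week = tally(sample_week())
    print(dict(week))
    print(posted_shares(week))
    print(false_positive_rate(week))
```

The second figure depends on how much genuine mail arrived untagged, which the posts do not report, so the 120 used here only shows how the two bases differ.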


Title: Re: Training spam filter - any point?
Post by: mikeb on December 02, 2007, 12:53:35 am
Here is last week's spam stats:

(http://www.twowheels.force9.co.uk/TEMP/spam22.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.

On the criticalpath front, 496 spam messages out of the total 804 spam messages had the new "suspected spam" header added - that's around 62%.  Apart from the small number of un-tagged spam messages from the criticalpath boxes, all spam is now being received via mx-last.

On the negative side, three 100% genuine messages from 3 different senders have been tagged by criticalpath for no apparent reason whatsoever. Refer to this thread (http://usergroup.plus.net/forum/index.php/topic,5002.msg70183.html#msg70183) for details. I can still see no apparent reason why messages from any of these senders are being tagged but questions are apparently being asked in the house ... although perhaps not loudly enough ;)

In addition I have spotted 18 obvious 100% spam messages received via the criticalpath boxes that were NOT tagged as "suspected spam" this week.  I still have more than a sneaky suspicion that these may be down to DNS platform issues (such as timeouts) especially because near-identical spam messages received around the same time were tagged as such.

Generally speaking the criticalpath boxes are still doing pretty d@mn well and if you ignore stuff that sneaked in via MX-last, the figures are quite impressive:

Total number of messages correctly identified as spam:   496 (95.9%)
Number of false positives (tagged genuine messages):   3 (0.6%)
Number of false negatives (untagged blatant spam):   18 (3.5%)

Hmmmm, there is a rumour that the trial may be about to be concluded  :cry2: The very first good thing that's happened on the spam front and someone is apparently thinking of pulling the old plug ... What !!!

That 'someone' is clearly either a (http://www.twowheels.force9.co.uk/STUFF/SMILIES/joker.gif) a (http://www.twowheels.force9.co.uk/STUFF/SMILIES/pinochio.gif) or a (http://www.twowheels.force9.co.uk/STUFF/SMILIES/witch.gif)
so let's hunt them down and burn them in any case I say  :-P

... wanders off to gather a suitable quantity of pointy sticks and form the customary lynch mob for such occasions.  It's been far too long since the last decent witch hunt so we're long overdue for another one I reckon !


Title: Re: Training spam filter - any point?
Post by: jelv1 on December 03, 2007, 09:23:23 pm

Quote
Hmmmm, there is a rumour that the trial may be about to be concluded  :cry2: The very first good thing that's happened on the spam front and someone is apparently thinking of pulling the old plug ... What !!!

That 'someone' is clearly either a (http://www.twowheels.force9.co.uk/STUFF/SMILIES/joker.gif) a (http://www.twowheels.force9.co.uk/STUFF/SMILIES/pinochio.gif) or a (http://www.twowheels.force9.co.uk/STUFF/SMILIES/witch.gif)
so let's hunt them down and burn them in any case I say  :-P

Abandoning the promised tagging of spam emails identified by Criticalpath might be acceptable if it looked like Postine was going to happen fairly soon. However following the service status announcement and post here (http://community.plus.net/forum/index.php/topic,57643.msg472693.html#msg472693) that the trialists were going to be moved over this afternoon it looks like it must have all gone mammaries elevated because nobody is saying they've been moved over.

The ticket I raised to request inclusion on the trial is time stamped 4:23pm, Wednesday 21st November 2007. Seeing as the service status announcing the trial was at 16:06, and the blog and posting to the community forums was around the same time I reckon I should be one of the first in the queue.

What I find very annoying is that there has been no further service status or other posting to say what has happened. I've been geared up to check everything was OK immediately I saw I'd been moved over and it appears that yet again we have a Plusnet non-event. I really do wonder why I haven't moved my two hosted domains out because it's becoming pretty obvious that Plusnet do not have the ability to run an email system properly.


Title: Re: Training spam filter - any point?
Post by: mikeb on December 09, 2007, 01:07:45 am
Here are last week's spam stats:

(http://www.twowheels.force9.co.uk/TEMP/spam23.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.

On the criticalpath front, 492 spam messages out of the total 807 spam messages had the new "suspected spam" header added - that's around 61%.  On the negative side, I have spotted 20 obvious 100% spam messages received via the criticalpath boxes that were NOT tagged as "suspected spam" this week.  However, there were no incorrectly tagged 100% genuine messages this week so someone or something has 'fixed' the issue with messages from a variety of senders previously being tagged as "suspected spam".  Whilst there are no known lost/missing messages this week, I do have reasons to believe that the number of lost/missing messages over previous weeks is higher than was reported at the time.

Generally speaking the criticalpath boxes are still doing pretty d@mn well and if you ignore stuff that sneaked in via MX-last, the figures are quite impressive:

Total number of messages correctly identified as spam:   492 (96.1%)
Number of false positives (tagged genuine messages):   0 (0.0%)
Number of false negatives (untagged blatant spam):   20 (3.9%)
Number of suspected lost/missing messages:      0 (0.0%)



Title: Re: Training spam filter - any point?
Post by: jelv1 on December 09, 2007, 10:47:02 am
Based on what I'm seeing, I'm betting that when you get switched over to Postini the blue line will plummet to well below 200 - i.e. the lowest since spam day.

I'm not sure how much worth there is in you continuing to expend effort monitoring the Criticalpath performance given that Plusnet have indicated that it is pretty certain that is not the way things are going to go.


Title: Re: Training spam filter - any point?
Post by: mikeb on December 10, 2007, 12:35:34 am
You are no doubt correct about wasting my effort monitoring spam. I doubt the stats are of significant interest to many and are quite possibly just a thorn in the side to some peeps but it is something I've been doing largely for my own benefit/interest rather than especially for anyone else so monitoring will continue for the foreseeable future with as much detail or breakdown as is possible.  I have passed at least two of my 'milestones' so far and rightly or wrongly chosen to give PN the benefit of doubt that they will come up with a totally satisfactory and workable long-term 'solution' to their problem sometime soon rather than take my intended course of action at these points.  With the benefit of a large bucket of hindsight that may not turn out to have been the smartest thing to have done ! but it was a calculated risk with an associated Plan B needless to say ;)  I fear you are perhaps right regarding criticalpath though.  The point is that in order to make rational and informed decisions, it is most important to have relevant data/evidence to support and/or justify those decisions IMHO.  A test-drive always reveals more than browsing the glossy brochure and all that !

However, regarding your 'predictions':

Quote
Postini are providing SLAs for 98% detection rate with 0.0003% false positive rate.

Now, I'm not going to insult your intelligence by replotting my graph using the assumption of a 98% detection rate but I will ask you why you think the results are likely to be SUBSTANTIALLY less than the SLA that is being bandied around and not to mention SUBSTANTIALLY less than that which is currently being achieved by criticalpath !  If the suggested SLA figures were being realistically achieved, all curves would appear around the lowest existing curve of course and I could expect to lose around one 100% genuine message every 6 years or so. I think I could perhaps manage to live with that :-P just a bit of a pity that it's quite possibly all a bit pie-in-sky rather than a realistic proposition though isn't it ?


Title: Re: Training spam filter - any point?
Post by: mikeb on December 11, 2007, 12:16:21 pm
Just for the record, here are the PREDICTED spam stats for THIS week based on data pro-rata to that for the first 2 full days.  The criticalpath boxes were (or at least should have been) removed from the network early this morning.

(http://www.twowheels.force9.co.uk/TEMP/spam23a.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.

On the criticalpath front, 445 spam messages out of the total 743 spam messages had the new "suspected spam" header added - that's around 59%.  On the negative side, I have spotted 21 obvious 100% spam messages received via the criticalpath boxes that were NOT tagged as 'suspected spam' this week.  However, there were no incorrectly tagged 100% genuine messages.

Generally speaking the criticalpath boxes have continued to do pretty d@mn well and if you ignore stuff that sneaked in via MX-last, the figures are quite impressive:

Total number of messages correctly identified as spam:   445 (95.5%)
Number of false positives (tagged genuine messages):   0 (0.0%)
Number of false negatives (untagged blatant spam):   21 (4.5%)
Number of suspected lost/missing messages:      0 (0.0%)

So there you go - Mr.Criticalpath appears to consistently and reliably trap around 95% of spam received so over to you Mr.Postini sometime soon to see whether you can do exactly what you say on the tin ! In the meantime, Mikeb's Mickey Mouse Filtering INC will continue to keep all A/Cs spam free with a 100% detection rate and no false anythings to worry about ;)


Title: Re: Training spam filter - any point?
Post by: Oldjim on December 12, 2007, 07:29:36 pm
Still waiting for the Postini spam filter to kick in on my account but I just received this
Why is this not spam - there are enough triggers
Quote
From: "Andrew Serrano" <trippetypc735@mgerlach.com>
To: <***@***.plus.com>
Subject: StupendousCockDonnell
Date: Wed, 12 Dec 2007 19:49:26 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary="----=_NextPart_000_0007_01C83CF8.19A72700"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1158
x-open-relay: 217.225.247.181 is in a black list at bl.spamcop.net
X-PN-VirusFiltered: by PlusNet MXCore (v4.00)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Wed Dec 12 19:21:17 2007
X-DSPAM-Confidence: 0.4836
X-DSPAM-Improbability: 1 in 95 chance of being spam
X-DSPAM-Probability: 0.0005
X-DSPAM-Factors: 27,
   Envelope-to*james, 0.00142,
   From*Serrano", 0.99000,
   1158", 0.96538,
   From*"Andrew, 0.06167,
   Received*ipconnect.de, 0.93475,
   Received*49, 0.08000,
   Received*james, 0.08330,
   Content-Type*2", 0.91138,
   Content-Type*2", 0.91138,
   Delivery-date*Dec, 0.10122,
   Date*Dec, 0.10482,
   Received*Dec, 0.10700,
   Received*Dec, 0.10700,
   com">http, 0.88522,
   Received*0100, 0.12164,
   To*<james, 0.13149,
   x-open-relay*in, 0.86713,
   x-open-relay*black, 0.86713,
   x-open-relay*at, 0.86713,
   x-open-relay*bl.spamcop.net, 0.86713,
   x-open-relay*list, 0.86713,
   x-open-relay*a, 0.86713,
   x-open-relay*is, 0.86713,
   X-MimeOLE*V6.00.2800.1158, 0.85886,
   X-PN-VirusFiltered*MXCore, 0.20412,
   X-PN-VirusFiltered*by, 0.20412,
   X-PN-VirusFiltered*PlusNet, 0.20412
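
To put numbers on the question in the post above, the following added example (not part of the thread and not DSPAM's own code) parses the posted X-DSPAM-Factors header and combines the token probabilities with a Graham-style naive-Bayes formula. The formula and the window sizes of 15 and 27 tokens are assumptions; the thread does not say which algorithm Plusnet's DSPAM used.

```python
import math

# X-DSPAM-Factors header copied from the post above (folded lines re-wrapped).
# Format as shown there: a count, then alternating token / probability pairs.
FACTORS_HEADER = '''X-DSPAM-Factors: 27,
 Envelope-to*james, 0.00142, From*Serrano", 0.99000, 1158", 0.96538,
 From*"Andrew, 0.06167, Received*ipconnect.de, 0.93475, Received*49, 0.08000,
 Received*james, 0.08330, Content-Type*2", 0.91138, Content-Type*2", 0.91138,
 Delivery-date*Dec, 0.10122, Date*Dec, 0.10482, Received*Dec, 0.10700,
 Received*Dec, 0.10700, com">http, 0.88522, Received*0100, 0.12164,
 To*<james, 0.13149, x-open-relay*in, 0.86713, x-open-relay*black, 0.86713,
 x-open-relay*at, 0.86713, x-open-relay*bl.spamcop.net, 0.86713,
 x-open-relay*list, 0.86713, x-open-relay*a, 0.86713, x-open-relay*is, 0.86713,
 X-MimeOLE*V6.00.2800.1158, 0.85886, X-PN-VirusFiltered*MXCore, 0.20412,
 X-PN-VirusFiltered*by, 0.20412, X-PN-VirusFiltered*PlusNet, 0.20412
'''

def parse_factors(header):
    """Return [(token, probability)] from an X-DSPAM-Factors header.
    Assumes tokens contain no commas, which holds for the header above."""
    body = header.split(":", 1)[1]
    parts = [p.strip() for p in body.split(",") if p.strip()]
    declared, rest = int(parts[0]), parts[1:]
    factors = [(rest[i], float(rest[i + 1])) for i in range(0, len(rest), 2)]
    if len(factors) != declared:
        raise ValueError("header declares %d factors, found %d" % (declared, len(factors)))
    return factors

def combine(factors, window):
    """Assumed Graham-style combination: take the `window` tokens furthest
    from 0.5 and sum their log-odds, which equals prod(p)/(prod(p)+prod(1-p))."""
    chosen = sorted(factors, key=lambda f: abs(f[1] - 0.5), reverse=True)[:window]
    log_odds = 0.0
    for _, p in chosen:
        p = min(max(p, 1e-6), 1 - 1e-6)  # keep the logarithm finite
        log_odds += math.log(p / (1.0 - p))
    return 1.0 / (1.0 + math.exp(-log_odds))

def lean_counts(factors):
    """Count tokens leaning spam (p > 0.5) versus innocent (p < 0.5)."""
    spam = sum(1 for _, p in factors if p > 0.5)
    return spam, len(factors) - spam

if __name__ == "__main__":
    factors = parse_factors(FACTORS_HEADER)
    print("spam-leaning / innocent-leaning tokens:", lean_counts(factors))
    for window in (15, 27):
        print("window %2d -> combined spam probability %.4f" % (window, combine(factors, window)))
```

Under these assumptions the strongly "innocent" recipient-name and date tokens dominate the 15-token window, while widening to all 27 factors lets the seven x-open-relay tokens tip the balance the other way.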



Title: Re: Training spam filter - any point?
Post by: spraxyt on December 13, 2007, 01:44:38 am
Moderator's Note:

Replies from this topic exclusively related to Postini have been selectively split into the new topic Postini Implementation (http://usergroup.plus.net/forum/index.php/topic,5630.0.html). Posts relating to Postini should now be added there.


Title: Re: Training spam filter - any point?
Post by: mikeb on December 16, 2007, 01:10:14 am
Here are the spam stats for this week, generally as predicted earlier in the week and as expected, not significantly affected by the removal of the criticalpath boxes.

(http://www.twowheels.force9.co.uk/TEMP/spam24.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.



Title: Re: Training spam filter - any point?
Post by: jelv1 on December 21, 2007, 05:29:07 pm
To answer the question I posed in the first post of this topic: NO!

The results that DSPAM is giving now are so awful that I have just turned it off - I'm going to rely on Thunderbird's junk controls (with the added benefit that all spam identified as such gets moved to a single folder on my main mailbox for all the mailboxes - no more trawling through spam folders on multiple mailboxes). This will shortly be backed up by some rules to set the junk flag based on the Postini headers.


Title: Re: Training spam filter - any point?
Post by: mikeb on December 23, 2007, 12:48:42 am
Here are the spam stats for this week. I doubt it will come as a surprise to anyone to see that the graph has had to be rescaled due to the volume this week !  Never mind the turkey, no shortage of xmas spam to be had. yum.yum.yum.

(http://www.twowheels.force9.co.uk/TEMP/spam25.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.



Title: Re: Training spam filter - any point?
Post by: mikeb on December 30, 2007, 12:12:23 am
Here are the spam stats for this week and another rescale needed :( So lots and lots more spam for your viewing pleasure and the New Year sales haven't even started yet !

(http://www.twowheels.force9.co.uk/TEMP/spam26.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.



Title: Re: Training spam filter - any point?
Post by: mikeb on January 06, 2008, 12:38:35 am
Here are the spam stats for this week.  Spam targeted to webmail compromised addresses continues to rise ... must be all those shiny new Xmas PCs ripe for being taken over by Mr.Spam-Bot !

This could well be the last graph BTW as there is a malicious rumour that one of the A/Cs being monitored is most likely to get postinied next week.  This will make the existing graph look a bit strange to say the least due to the fact that data is gathered from more than 1 A/C and the curves tend to represent 'types' of spam rather than total spam per A/C. I might come up with a new graph or I might just take the opportunity to throw in the towel but I'll wait and see what happens first to establish if it's really worth putting in any more effort.

Technically, of course, what it should mean is that the BLUE curve will immediately fall to around 2% of its present level and the RED curve to around 40% although something tells me that only a fool would believe that prediction will come true :-P  So who's foolish brave enough to put their own money on the curve(s) indicating anything close to the 98% detection rate with 0.0003% false positives SLA ?  If it helps, there can be no false positives on the A/C likely to be changed over as it receives 100% spam so all that will be revealed is the detection rate on spam that is actually delivered rather than dumped/rejected on receipt. Should be interesting .....

(http://www.twowheels.force9.co.uk/TEMP/spam27.jpg)

As usual, black lines are targeted spam to several individual compromised addresses/mailboxes, red line is total targeted spam, blue line is random spam to one previously compromised old a/c, X axis is weeks since Spam Day (13th May). Note that I have PN dspam (or whatever) filtering disabled so only the 1st line mandatory filtering on receipt can potentially affect the amount of spam received.



Title: Re: Training spam filter - any point?
Post by: quaint1 on January 06, 2008, 09:02:49 am
Thanks, mikeb, for some very interesting stats over the past seven months or so.  :clap:

They have helped me to retain my sanity knowing that a) my own experiences were not alone and b) that someone is keeping an eye on the efforts by PN to 'contain' the problem.

Once again, many thanks and a happy & spam reduced new year.

Ian


Title: Re: Training spam filter - any point?
Post by: jelv1 on January 06, 2008, 10:26:17 am
I'm just getting myself organised to monitor counts on some compromised email addresses. ...

<snip>

Edit: Just realised I've put this in the wrong topic:

The post can be found here (http://usergroup.plus.net/forum/index.php/topic,5630.msg71938.html#msg71938)


Title: Re: Training spam filter - any point?
Post by: mikeb on January 20, 2008, 12:56:31 pm
Well, as sort of predicted no pretty graphs recently because it all unfortunately got more than a bit screwed up due to the postini changeover happening - or rather not quite happening and then not quite happening for a second time but slightly more happening than the first time ... or something like that anyway plus a few other miscellaneous issues for good measure :roll:

What I can say is that spam volume for 2 weeks ago (Week 35, ending 12th January) was generally pretty d@mn big and roughly following the trend indicated by previous weeks.  Spam volume for last week (Week 36, ending 19th January) generally showed a distinct drop, around a 50% drop in fact, particularly for spam targeted to webmail compromised addresses/mboxes and this was on ALL A/Cs so it wasn't directly related to postini activity on some addresses/mboxes. Presumably, all the shiny new spambots acquired over the Xmas period have now found their way onto RBLs various.

I'm still collecting lots of data and the postini data is particularly 'interesting' but as it's all somewhat misleading during the transition period, I'm not going to post anything just yet.  This coming week should be the first complete week without dubious PN problems resulting in dodgy data so expect shiny new go-faster graph(s) coming RSN and all that 8-)


Title: Re: Training spam filter - any point?
Post by: spraxyt on January 29, 2008, 02:58:55 pm
See thread Postini Performance Stats (Various) (http://usergroup.plus.net/forum/index.php/topic,5784.0.html) for the "shiny new go-faster graph(s)".

David