[sanesecurity] Re: False Positive

  • From: Bill Landry <bill@xxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 30 Oct 2009 08:33:56 -0700

McDonald, Dan wrote:
> On Fri, 2009-10-30 at 11:40 +0000, Peter wrote:
>> I've got customers complaining of false positives on createsend1 _dot_ com
>>
>> Which matches INetMsg.SpamDomain-2m.createsend1_com
> 
> INetMsg.SpamDomain-2m are messages which showed up in a spamtrap more
> than two weeks ago but less than 2 months ago.  I score this fairly low.
> It certainly shouldn't be a poison pill.
> 
> For my system -2m is worth 2 points, and -2w is worth 3 points.
> 
> Not to say I don't catch a lot with it.  I had 13517 hits on
> INetMsg.SpamDomain-2w that resulted in SPAM, 42 that did not, and 6624
> hits on INetMsg.SpamDomain-2m that resulted in SPAM, and 23 that did
> not.

Dan, of the 42 and 23 that hit but did not result in spam, were they
FPs, or were they spam that did not score high enough to be classified
as spam?  Just curious...

Thanks,

Bill

Other related posts: