Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - False Positives - what to do
  FAQ FAQ  Forum Search   Register Register  Login Login

False Positives - what to do

 Post Reply Post Reply
Author
MBor View Drop Down
Newbie
Newbie
Avatar

Joined: 19 January 2010
Status: Offline
Points: 9
Post Options Post Options   Thanks (0) Thanks(0)   Quote MBor Quote  Post ReplyReply Direct Link To This Post Topic: False Positives - what to do
    Posted: 03 February 2010 at 11:34am

Hello Forum

I have started another thread: Upgrading from 3.x to 4.x for better stability but one subject from that discussion is better suited to be in a new thread. 
 
We have increased difficulties to get our SpamFilter (3.5.4.692) to work right.  More and more we find that "This email is rejected. It contains keywords rejected by the antispam content filter". 

 

I believe we get more and more false positives.  Today I tracked an e-mail through SpamFilter and (an edited version of) the logfile reveals what happens.

 

02-03-10 15:54 -- (2684) Mail from: ZZ@somecompany.dk

02-03-10 15:54 -- (2684) - MAPS search done...

02-03-10 15:54 -- (2684) RCPT TO: AA@othercompany.dk accepted

02-03-10 15:54 -- (2684) Scanning PDF for spam:daglig_forward.pdf

02-03-10 15:54 -- (2684) Detected spam signature in attached PDF

02-03-10 15:54 -- (2684) Starting quarantine procedures

02-03-10 15:54 -- (2684) Created thread (3908) to add email to quarantine

02-03-10 15:54 -- (2684) Blacklist cache - Added 1xx.1xx.xxx.xxx to limbo

02-03-10 15:54 -- (2684) SFDB - Added 1xx.1xx.xxx.xxx - Response: Error=0

02-03-10 15:54 -- (2684) Disconnect

 

The attached document is not spam.  The sender ZZ can e-mail this attachment to all but our customer AA (which we host in our mail hotel). Further more the senders IP is added to SFDB and therefore blocked for 24 hours.  I asked ZZ to send an e-mail without attachment to AA and of course this came back to ZZ with an error.  Unfortunately I cannot get the "X-Rejection-Reason" from the header. 

 

Now that I have had time to look into SFDB I can see that our threshold was set to 3.  I have now increased it to 20.  At the same time i have marked the "Do not quarantine" checkbox and therefore I hope I can get less rejection.

 

The question is: is this a stupid setting?

 

Kind Regards

 

Mads Borik
Datamatiker
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4066
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 03 February 2010 at 11:25pm
Mads,

We received your logs and replied to the other thread you mentioned. The solution for the crash mentioned there involves disabling the filter that scans thru PDF files. Newer versions of SpamFilter in fact do not employ this filter anymore due to its unreliability. Please see the other thread as to how to disable it in the older v3.x.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
MBor View Drop Down
Newbie
Newbie
Avatar

Joined: 19 January 2010
Status: Offline
Points: 9
Post Options Post Options   Thanks (0) Thanks(0)   Quote MBor Quote  Post ReplyReply Direct Link To This Post Posted: 04 February 2010 at 5:43am

Hello Roberto

 

I have positive feedback from our customers. E-mail with attached PDF documents no longer gets filtered by "keywords".

 

SpamPDFMaxPagesToScan=0 made the difference

 
Should I change back the settings I made before changing the SpamFilter.ini?

 

I experimented with:

1) Increased the SFDB Network Reliability threshold from 3 to 20

2) At the same time I have marked the "Do not quarantine" checkbox

3) In the Custom domain Filter tab, I have unchecked the "Attachments" for all mail domains

- should I re-enable checking attachments or is that overridden by the (above) SpamFilter.ini settings?

 

Kind regards

Mads Borik
Datamatiker
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4066
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 06 February 2010 at 10:18am
Mads,

I would recommend bringing back the SFDB value down to 3, and unchecking the "Do not quarantine" box as to continue having messages quarantined rather than simply being rejected. In regards to the "Attachments", I'm not sure of what setting you had for the attachment rejection, so I'm unsure on what to recommend there, as it is going to be specific to the kind of spam you were experiencing.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
MBor View Drop Down
Newbie
Newbie
Avatar

Joined: 19 January 2010
Status: Offline
Points: 9
Post Options Post Options   Thanks (0) Thanks(0)   Quote MBor Quote  Post ReplyReply Direct Link To This Post Posted: 07 February 2010 at 4:37am
Thank you Roberto
 
I will monitor the spam situation after this change.
 
Kind Regards
Mads Borik
Datamatiker
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.047 seconds.