
False Positives - what to do

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6797
Printed Date: 20 October 2017 at 3:12am


Topic: False Positives - what to do
Posted By: MBor
Subject: False Positives - what to do
Date Posted: 03 February 2010 at 11:34am

Hello Forum

I have started another thread: Upgrading from 3.x to 4.x for better stability, but one subject from that discussion is better suited to a new thread.

We are having increasing difficulty getting our SpamFilter (3.5.4.692) to work right. More and more we find that "This email is rejected. It contains keywords rejected by the antispam content filter".

I believe we get more and more false positives. Today I tracked an e-mail through SpamFilter and (an edited version of) the logfile reveals what happens.

02-03-10 15:54 -- (2684) Mail from: ZZ@somecompany.dk
02-03-10 15:54 -- (2684) - MAPS search done...
02-03-10 15:54 -- (2684) RCPT TO: AA@othercompany.dk accepted
02-03-10 15:54 -- (2684) Scanning PDF for spam:daglig_forward.pdf
02-03-10 15:54 -- (2684) Detected spam signature in attached PDF
02-03-10 15:54 -- (2684) Starting quarantine procedures
02-03-10 15:54 -- (2684) Created thread (3908) to add email to quarantine
02-03-10 15:54 -- (2684) Blacklist cache - Added 1xx.1xx.xxx.xxx to limbo
02-03-10 15:54 -- (2684) SFDB - Added 1xx.1xx.xxx.xxx - Response: Error=0
02-03-10 15:54 -- (2684) Disconnect

 

The attached document is not spam. The sender ZZ can e-mail this attachment to all but our customer AA (which we host in our mail hotel). Furthermore, the sender's IP is added to SFDB and therefore blocked for 24 hours. I asked ZZ to send an e-mail without attachment to AA and of course this came back to ZZ with an error. Unfortunately I cannot get the "X-Rejection-Reason" from the header.

Now that I have had time to look into SFDB I can see that our threshold was set to 3. I have now increased it to 20. At the same time I have marked the "Do not quarantine" checkbox and therefore I hope I can get fewer rejections.

The question is: is this a stupid setting?

Kind Regards

 



-------------
Mads Borik
Datamatiker
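
Added example (not part of the original post and not LogSat code): a Python script that groups log lines by the session number in parentheses and lists the sessions stopped by the PDF filter, with sender, recipient, attachment name and any IP added to SFDB. The sample log is constructed from the excerpt above; the IP 192.0.2.10 and session 2701 are placeholders, and the line patterns are assumed from that excerpt only.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log excerpt in the post above
# (IP is a placeholder; session 2701 is an invented clean delivery).
SAMPLE_LOG = """\
02-03-10 15:54 -- (2684) Mail from: ZZ@somecompany.dk
02-03-10 15:54 -- (2684) - MAPS search done...
02-03-10 15:54 -- (2684) RCPT TO: AA@othercompany.dk accepted
02-03-10 15:54 -- (2684) Scanning PDF for spam:daglig_forward.pdf
02-03-10 15:54 -- (2684) Detected spam signature in attached PDF
02-03-10 15:54 -- (2684) Starting quarantine procedures
02-03-10 15:54 -- (2684) Blacklist cache - Added 192.0.2.10 to limbo
02-03-10 15:54 -- (2684) SFDB - Added 192.0.2.10 - Response: Error=0
02-03-10 15:54 -- (2684) Disconnect
02-03-10 15:55 -- (2701) Mail from: BB@example.net
02-03-10 15:55 -- (2701) RCPT TO: AA@othercompany.dk accepted
02-03-10 15:55 -- (2701) Disconnect
"""

LINE = re.compile(r"^(\d\d-\d\d-\d\d \d\d:\d\d) -- \((\d+)\) (.*)$")
FIELDS = {  # patterns assumed from the excerpt, not from product documentation
    "sender": re.compile(r"^Mail from: (\S+)"),
    "recipient": re.compile(r"^RCPT TO: (\S+) accepted"),
    "pdf": re.compile(r"^Scanning PDF for spam:(.+)$"),
    "sfdb_ip": re.compile(r"^SFDB - Added (\S+) "),
}

def pdf_filter_hits(log_text):
    """Group lines by session id and return sessions stopped by the PDF filter."""
    sessions = defaultdict(dict)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        when, sid, msg = m.groups()
        s = sessions[sid]
        s.setdefault("first_seen", when)
        if msg == "Detected spam signature in attached PDF":
            s["pdf_hit"] = True
        for name, rx in FIELDS.items():
            f = rx.match(msg)
            if f:
                s[name] = f.group(1)
    return {sid: s for sid, s in sessions.items() if s.get("pdf_hit")}

if __name__ == "__main__":
    for sid, s in pdf_filter_hits(SAMPLE_LOG).items():
        print(sid, s.get("sender"), s.get("recipient"), s.get("pdf"), s.get("sfdb_ip", "-"))
```

Sessions that show an `sfdb_ip` are the ones where a false positive also got the sender's IP submitted to SFDB, so they are the first to review with the affected customer.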



Replies:
Posted By: LogSat
Date Posted: 03 February 2010 at 11:25pm
Mads,

We received your logs and replied to the other thread you mentioned. The solution for the crash mentioned there involves disabling the filter that scans through PDF files. Newer versions of SpamFilter in fact do not employ this filter anymore due to its unreliability. Please see the other thread as to how to disable it in the older v3.x.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: MBor
Date Posted: 04 February 2010 at 5:43am

Hello Roberto

 

I have positive feedback from our customers. E-mail with attached PDF documents no longer gets filtered by "keywords".

SpamPDFMaxPagesToScan=0 made the difference

Should I change back the settings I made before changing the SpamFilter.ini?

I experimented with:

1) Increased the SFDB Network Reliability threshold from 3 to 20
2) At the same time I have marked the "Do not quarantine" checkbox
3) In the Custom domain Filter tab, I have unchecked the "Attachments" for all mail domains
- should I re-enable checking attachments or is that overridden by the (above) SpamFilter.ini settings?

 

Kind regards



-------------
Mads Borik
Datamatiker


Posted By: LogSat
Date Posted: 06 February 2010 at 10:18am
Mads,

I would recommend bringing the SFDB value back down to 3, and unchecking the "Do not quarantine" box so as to continue having messages quarantined rather than simply being rejected. In regards to the "Attachments", I'm not sure of what setting you had for the attachment rejection, so I'm unsure what to recommend there, as it is going to be specific to the kind of spam you were experiencing.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: MBor
Date Posted: 07 February 2010 at 4:37am
Thank you Roberto

I will monitor the spam situation after this change.
 
Kind Regards


-------------
Mads Borik
Datamatiker


