How to report dspam false positives?

tetranz

Perch
Hi

I've persuaded my client to try dspam again. Previously we were sending spam to another mailbox and that caused a lot of problems. Now we're only tagging the subject to see how well it works.

As I understand it, if we send you wrongly tagged messages, you can feed this into dspam to help train it. Could someone from JodoHost please clarify how you want examples of wrong spam tagging reported. I think the answer is to raise a ticket. That's fine but:

1) Firstly, is it still worth doing this?

2) Do you want both false positives and negatives?

3) Do you want messages sent as an attachment to the ticket?

4) Do you want the final message as the user receives it containing the original as an attachment or do you just want the original?

5) I don't want to overload you with these so how many do you realistically want? I could probably send 20 or 30 per day.

My users are using Outlook which unfortunately, in its default mode, forwards inline rather than as an attachment. A few users have their pop settings to leave on server for a few days so I've asked them to forward wrongly tagged mail to another mailbox which I will check daily and then go to their mailbox and dig out the original message. I can't really think of an easier way. I can get it as a .eml file with Dwmail and forward that as an attachment to a ticket. How does that sound?

Cheers
Ross
 
We need the dspam ID, it is part of the headers. We need them optimally within 36 hours of the mail coming in, and we need to know if it is a false positive or a false negative.

In reality you won't need to send 20-30 per day; once you send the first batch it will know and reduce. You can send via the ticket system.
 
Thanks Stephen but the messages don't seem to have anything called dspam id or similar. I'm looking at one now and I can see (values removed)

X-DSPAM-Result:
X-DSPAM-Processed:
X-DSPAM-Confidence:
X-DSPAM-Probability:
X-DSPAM-Signature:
X-DSPAM-Factors:

but that's all for DSPAM.

Do you mean the Message-ID?

Ross
 
Just tried this and support requested the entire email to train dspam... of course by that time I deleted them... oh well.
 
In the light of Penhall's experience, could someone from JodoHost please clarify this asap. I'm getting into this now and prefer to do it right the first time.

If you really need the whole message then my questions 3) and 4) become relevant.

Cheers
Ross
 
There is a legit reason for asking for the whole message, even though it is not really needed. What we do need to ensure authenticity is the entire headers, body not exactly required.

There is some concern that just getting the signature from tickets could lead to some spam being put as legit by some... for bad reasons. (Not saying clients would do that, but certainly some reseller's sub-client that did not really sign up using legit means and was not screened could send some spam, train it, and make it corrupt the corpus.)

So basically, we need the full headers to know now and ensure the quality of the training.
 
Ok thanks Stephen.

So is this the correct procedure?

If it's a false positive, I'll dig out the original message (i.e., the attachment), save it as a text file and then send it as an attachment to a support ticket. Do you have a preference for the file name or extension? I was intending to use .eml but is .txt better? With .txt you can safely open in Notepad with a double click. .eml will likely open Outlook or Outlook Express which you may not want.

Same if it's a false negative but no attachment dig out. I'll be sure to make it clear in the ticket which it is.

Ross
 
OK, header is really ALL we need, but if you don't mind giving full it helps. I can understand you don't want spam, and we invested a lot to stop it, so training it well to adapting techniques is important.
 
Ok, I'm finally getting into this more seriously.

I'm finding that lots of messages don't have X-DSPAM-Signature. Is that an indication of a problem that I should raise a ticket about? I'm going to be sending the whole message but will it be useful without X-DSPAM-Signature?

I know they've been processed by dspam because these headers are present.

X-DSPAM-Result:
X-DSPAM-Processed:
X-DSPAM-Confidence:
X-DSPAM-Probability:

Ross
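
Added example, not part of any post in this thread and not JodoHost's or dspam's own tooling: a pre-submission check for a saved .eml/.txt message that lists which of the X-DSPAM headers named above are present, flags a missing X-DSPAM-Signature, and tests the 36-hour window. The function names, the sample message, and the use of the topmost Received header as the arrival time are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header names as listed in the thread; MAX_AGE is the window support asked for.
DSPAM_HEADERS = ["X-DSPAM-Result", "X-DSPAM-Processed", "X-DSPAM-Confidence",
                 "X-DSPAM-Probability", "X-DSPAM-Signature", "X-DSPAM-Factors"]
MAX_AGE = timedelta(hours=36)

# Constructed sample: a tagged message whose X-DSPAM-Signature header is absent.
SAMPLE = (
    "Received: from mx.example.net by mail.example.com;"
    " Tue, 03 Jan 2006 10:15:00 +0000\n"
    "Subject: Invoice for January\n"
    "X-DSPAM-Result: Spam\n"
    "X-DSPAM-Confidence: 0.90\n"
    "\n"
    "Constructed body text.\n"
)

def arrival_time(msg):
    """Arrival time from the topmost Received header (assumption), or None."""
    try:
        stamp = (msg.get_all("Received") or [""])[0].rsplit(";", 1)[-1]
        when = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        return None
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)

def check_report(raw, kind, now):
    """Check a saved .eml/.txt message before attaching it to a ticket."""
    if kind not in ("false positive", "false negative"):
        raise ValueError("kind must be 'false positive' or 'false negative'")
    msg = message_from_string(raw)
    found = [h for h in DSPAM_HEADERS if msg.get(h)]
    arrived = arrival_time(msg)
    notes = []
    if not found:
        notes.append("no X-DSPAM headers found")
    elif "X-DSPAM-Signature" not in found:
        notes.append("X-DSPAM-Signature missing")
    if arrived is None:
        notes.append("arrival time unknown")
    elif now - arrived > MAX_AGE:
        notes.append("older than 36 hours")
    in_window = arrived is not None and now - arrived <= MAX_AGE
    return {"kind": kind, "dspam_headers": found, "notes": notes,
            "ready": bool(found) and in_window}
```

Pass `now` as a timezone-aware datetime, for example `datetime.now(timezone.utc)`.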
 
Two things:

1) I'm getting reports from many customers of lots of false positives. I've reset a lot of their HSphere spam settings to rather weak settings just to get messages showing up in their inboxes again. Blocking spam is good, but my current feeling is dspam is being too aggressive.

2) I submitted a couple false positives via tickets, after which I got this note:

Please don't Post this - Stephen

Tim
 
Tim,

We don't need everyone knowing that address, it can cause some major problems. We will give it in ticket to those that regularly need to report such.
 
Personally I have just been forwarding false positives to the support email address... that way they have the complete email for training... easier than cutting/pasting headers etc. into a ticket.

Not sure if that's the ideal way support wants it but they haven't complained.
 
Not a problem.

I just wanted others to know as well, Tanmaya did a big training session on dspam today.
 
Sorry to keep on (and on) about this but I still don't have a clear answer as to the preferred way to submit false positives and false negatives.

I know this:
Do it via report tickets. Do it within 24 hours but sooner the better.

I don't know:
Should I send just the original message, i.e., should I dig out the attachment and send only that and not the enclosing "cover note" generated by (I assume) SpamAssassin?

Although not confirmed, I assume that you want it as an attachment to a support ticket. What is the preferred file name extension? .eml or .txt seem to be the obvious choices.

When I create a new support ticket in Cerberus, I can only attach two files but if I reply via email to an existing ticket then I can obviously attach many more. Is it okay to reply with more than two attachments?

Maybe these things don't really matter but I can imagine this whole thing is a bit of a tedious pain for JodoHost as well as for users and resellers so things are more likely to go smoothly with less wasted time and effort if we can all be on the same page.

Ross
 
I would prefer:
1. Full message as much as possible.
2. .txt or .eml format for messages.

Also, we are fine with more than 2 attachments.
 
Do we need to report spam that is not being marked? I have 1 account that has 1 email address (out of 8 or so) that is getting about 50 or so spam messages per day. The account uses DSPAM, and they are obvious spam (porn, etc). None of the other accounts receive them.

None of them are tagged spam.
 
Yes of course report spam not marked, we want it to be accurate and catch as much as possible :)
 
I would prefer:
1. Full message as much as possible.
2. .txt or .eml format for messages.

Also, we are fine with more than 2 attachments.

And by "Full message" do you mean just the original message, not the SpamAssassin generated message with the original as an attachment?
 