Re: [Asrg] Adding a spam button to MUAs

"Chris Lewis" <clewis@nortel.com> Thu, 28 January 2010 23:13 UTC

Return-Path: <CLEWIS@nortel.com>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 150613A68FF for <asrg@core3.amsl.com>; Thu, 28 Jan 2010 15:13:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.843
X-Spam-Level:
X-Spam-Status: No, score=-5.843 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4, SUBJECT_FUZZY_TION=0.156]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M75toq89NbR9 for <asrg@core3.amsl.com>; Thu, 28 Jan 2010 15:13:29 -0800 (PST)
Received: from zcars04e.nortel.com (zcars04e.nortel.com [47.129.242.56]) by core3.amsl.com (Postfix) with ESMTP id 795233A6829 for <asrg@irtf.org>; Thu, 28 Jan 2010 15:13:29 -0800 (PST)
Received: from zrtphxs1.corp.nortel.com (casmtp.ca.nortel.com [47.140.202.46]) by zcars04e.nortel.com (Switch-2.2.0/Switch-2.2.0) with ESMTP id o0SNDiS01893 for <asrg@irtf.org>; Thu, 28 Jan 2010 23:13:44 GMT
Received: from zrtphx5h0.corp.nortel.com ([47.140.202.65]) by zrtphxs1.corp.nortel.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 28 Jan 2010 18:13:43 -0500
Received: from [47.130.80.126] (47.130.80.126) by zrtphx5h0.corp.nortel.com (47.140.202.65) with Microsoft SMTP Server (TLS) id 8.1.340.0; Thu, 28 Jan 2010 18:13:43 -0500
Message-ID: <4B621A26.5090601@nortel.com>
Date: Thu, 28 Jan 2010 18:13:42 -0500
From: Chris Lewis <clewis@nortel.com>
Organization: Nortel
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090812 Lightning/0.9 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <20100128173112.85215.qmail@simone.iecc.com> <4B61CC2F.404@mtcc.com> <4B61DBF8.60006@mail-abuse.org> <387E2502-61E5-4811-B4EB-36AE47ADC648@blighty.com> <4B61E21B.7010509@mtcc.com>
In-Reply-To: <4B61E21B.7010509@mtcc.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 28 Jan 2010 23:13:43.0953 (UTC) FILETIME=[8957D810:01CAA06F]
Subject: Re: [Asrg] Adding a spam button to MUAs
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jan 2010 23:13:31 -0000

Michael Thomas wrote:

> I'm trying to figure out whether your post is responsive to my point or not.

I think he was agreeing with you.  I agree with both of you, even if he
wasn't exactly responsive to yours.

Frankly, I think the vast majority of people who thing TiS are bad are
either people who have an incentive to consider them bad, or are largely 
unaware of how they're actually used, or are expecting some sort of 
one-to-one reaction/theoretical purity to every TiS hit.

Score 'em statistically.  Whitelist when they goof.  Humans make 
mistakes.  And sometimes they're right when the filters aren't.  Design 
for it, including methods to intervene when necessary.  No big deal.

Humans evaluate every TiS hit?  That's nuts.  Even in our environment 
(corporate).

It may or may not be a significant part of your filtering arsenal.  With 
us it isn't anymore.  It used to be.  But catches some of the more 
extreme unusual things.

Sure, I have to explain sometimes that TiS'ing three copies of a bot 
spam doesn't necessarily prevent the fourth.  A week ago I had to 
explain why we blocked one of our biggest customers momentarily (looks 
like someone was trying to C&P a bunch of emails into another mailbox, 
and hit the wrong button.  So I selected all the blocked mail and 
forwarded it a few hours later.).  It's no big deal.  Doesn't happen 
often enough to agonize over.  Laugh resignedly.  Make a joke or two. 
Move on.  I've even trained my managers to do it on my behalf.

And occasionally the TiS feedback loop saves your ass.

Our system is set up that it's better to intercept a few good emails, 
than let something nasty thru.  The blocked emails can be forwarded as 
if nothing happened.  The dangerous ones that got thru can't be recalled.