Please post evidence of postini false positives here

mikeb
Grafter
Posts: 367
Registered: 10-06-2007

Please post evidence of postini false positives here

I've started this thread to collect further evidence of false positives arriving via the postini service.  Just in case anyone doesn't understand exactly what that means, a false positive is a 100% genuine message that has been classified by postini as being spam for one reason or another.
PN advised a while ago that postini have guaranteed them a 98% spam detection rate with 0.0003% false positives. To put that 0.0003% figure into context, if you receive 1000 messages a week in total, you should only expect to see one single false positive over a period in excess of 6 years.  I've been seeing them daily if not hourly or even worse in some cases !  OK, so some of that is down to a known problem affecting messages from PN but there are messages from several other senders being considered as spam as well.
This could affect all users in one of two ways:
Firstly, if postini incorrectly thinks a genuine message is particularly bad spam then affected messages may not be delivered to you at all. They will be lost.  However, they should be rejected by postini and the sender should get either a bounce (non-delivery advice email) or a #571 error whilst trying to send the message direct to postini.
Secondly, if postini incorrectly thinks a genuine message is spam but not that bad then the affected message will be delivered.  In these cases, the only way at present to identify this error is to check the message headers to see whether postini has considered the message as spam or genuine.  There are 2 headers of interest but the most obvious one is:
X-pn-pstn: spam2
Any message containing this header has been considered as being spam. The slightly less obvious postini header that can also be checked looks something like this:
X-pstn-levels: (S: X.XXXXX/94.26347 R:95.9108  ..... C:98.6951 )
If the first number (X.XXXXX) is <0.3000 then the message has been considered as spam.  Everything else in the header is not that relevant for this exercise and can be ignored.
The object of the exercise is to find as many DIFFERENT genuine messages as possible that have been incorrectly considered as spam in order to establish how wide-spread this problem is and to provide evidence that there is some fundamental issue with postini and it needs fixing before customers start potentially losing mail.
If you know that someone has tried to send you genuine mail and they have had it rejected then try to get hold of the non-delivery advice or some other evidence from them and post the details here.  Other than that, please have a regular quick look through the genuine messages you do receive to see if the "spam 2" header exists or the spam score is <0.3 as detailed above. If you know how to then you could set up a filter in your mail program to automatically identify messages containing the "spam 2" header but it will depend on what program you're using so it's not possible to offer general instructions. If you find a false positive at any time then please post the message headers here.  DO make sure you remove your own personal e-mail address from the headers before posting them so there is no useful data that could possibly be stolen and used to send you more spam.
There is a small collection of some of my false positives in the next post to start off with and you can see what the full message headers look like and what is required as evidence.
Just a few slight warnings though. Please do be sensible and only post ONE typical false positive if you have several from one particular sender. Please also note that the subject line being tagged "-SPAM-" is completely irrelevant here.  The problem with dspam adding "-SPAM-" to the subject line of a genuine message is NOT what is being investigated.  It is only evidence of 100% genuine messages with the "spam 2" header and a spam score <0.3 that is required.
Many thanks and hopefully this will help demonstrate the scale of the problem and result in it getting fixed before it gets out of hand.
PS: Perhaps PN would like to comment on each example that turns up advising why the message received such a poor score and was classified as spam when it quite clearly wasn't.
331 REPLIES
mikeb
Grafter
Posts: 367
Registered: 10-06-2007

Re: Please post evidence of postini false postives here

Here are several different examples of 100% genuine, 100% required and 100% by definition not spam messages that are being incorrectly classified by postini due to what I believe are fundamental flaws in their system.  There is absolutely no evidence of a real problem in any of them that I can see that could possibly lead any competent person or organisation to classify them as spam.  In some instances I also suspect that I have lost mail from these (and other) senders but cannot obtain an nda or similar to justify that. I just know that mail was not received via postini but it was received by another non-postini A/C.
Quote
Envelope-to: pnforum@My_Postinied_PN_Account.plus.com
Delivery-date: Wed, 26 Dec 2007 23:07:40 +0000
Received: from exprod5mx207.postini.com ([64.18.0.66] helo=psmtp.com)
  by pih-sunmxcore09.plus.net with smtp (PlusNet MXCore v2.00) id 1J7fLf-0006Js-Uk
  for pnforum@My_Postinied_PN_Account.plus.com; Wed, 26 Dec 2007 23:07:40 +0000
Received: from source ([212.159.14.213]) (using TLSv1) by exprod5mx207.postini.com ([64.18.4.10]) with SMTP;
Wed, 26 Dec 2007 15:07:37 PST
Received: from [192.168.101.40] (helo=pih-community01.plus.net)
by ptb-relay02.plus.net with esmtp (Exim) id 1J7fLc-0002QF-NR
for pnforum@My_Postinied_PN_Account.plus.com; Wed, 26 Dec 2007 23:07:36 +0000
Received: from www-data by pih-community01.plus.net with local (Exim 4.63)
(envelope-from <www-data@pih-community01.plus.net>)
id 1J7fLc-00066J-KL
for pnforum@My_Postinied_PN_Account.plus.com; Wed, 26 Dec 2007 23:07:36 +0000
To: pnforum@My_Postinied_PN_Account.plus.com
Subject: Topic reply: When will Plusnet tell people that they are behind a [proxy]?
From: "Forum" <community@plus.net>
Date: Wed, 26 Dec 2007 23:07:36 -0000
Message-ID: <1c505b50f9ca0319b3ff5234b2508c89-m478682@plus.net>
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-d550b143ea29cda92501b5b283d90d29"
Content-Transfer-Encoding: 7bit
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S: 0.01053/97.07735 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 r p m c
X-pstn-addresses: from <community@plus.net> [db-null]
X-pn-pstn: Spam 2
X-Agent-Received: from PN POP My_Postined_Account (mail.plus.net); Wed, 26 Dec 2007 23:45:34 +0000
X-Agent-Junk-Probability: 0

Quote
Envelope-to: pug@My_Postinied_PN_Account.plus.com
Delivery-date: Fri, 28 Dec 2007 12:31:19 +0000
Received: from exprod5mx231.postini.com ([64.18.0.117] helo=psmtp.com)
  by pih-sunmxcore09.plus.net with smtp (PlusNet MXCore v2.00) id 1J8EMw-0006Ok-A1
  for pug@My_Postinied_PN_Account.plus.com; Fri, 28 Dec 2007 12:31:18 +0000
Received: from source ([212.159.3.14]) (using TLSv1) by exprod5mx231.postini.com ([64.18.4.11]) with SMTP;
Fri, 28 Dec 2007 04:31:15 PST
Received: from www-data by usertools.plus.net with local (Exim 4.44)
id 1J8EO3-0007Lq-1s
for pug@My_Postinied_PN_Account.plus.com; Fri, 28 Dec 2007 12:32:27 +0000
To: pug@My_Postinied_PN_Account.plus.com
Subject: Topic reply: No Spam !
From: "PlusNet Usergroup" <forums@usergroup.plus.com>
Date: Fri, 28 Dec 2007 12:32:27 -0000
Message-ID: <f1959b54624d41da90a871f2272c4947-m71662@usergroup.plus.com>
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-2cac245d2c8d90e8e03005e32ee3c7b9"
Content-Transfer-Encoding: 7bit
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S: 0.21878/99.29248 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 r p m c
X-pstn-addresses: from <forums@usergroup.plus.com> [db-null]
X-pn-pstn: Spam 2
X-Agent-Received: from PN POP My_Postined_Account (mail.plus.net); Fri, 28 Dec 2007 23:13:05 +0000
X-Agent-Junk-Probability: 0

Quote
Envelope-to: tandm@My_Postinied_PN_Account.plus.com
Delivery-date: Wed, 02 Jan 2008 10:49:35 +0000
Received: from exprod5mx218.postini.com ([64.18.0.77] helo=psmtp.com)
  by pih-sunmxcore10.plus.net with smtp (PlusNet MXCore v2.00) id 1JA1AD-0005Uw-MS
  for tandm@My_Postinied_PN_Account.plus.com; Wed, 02 Jan 2008 10:49:34 +0000
Received: from source ([195.140.185.238]) by exprod5mx218.postini.com ([64.18.4.10]) with SMTP;
Wed, 02 Jan 2008 03:49:31 MST
Received: from app21.muc.ec-messenger.com (app21.muc.ec-messenger.com [172.16.8.51])
by aps78.muc.ec-messenger.com (READY) with ESMTP id 67243531DDA
for <tandm@My_Postinied_PN_Account.plus.com>; Wed,  2 Jan 2008 11:48:24 +0100 (CET)
Date: Wed, 2 Jan 2008 11:48:24 +0100 (CET)
From: Thompson & Morgan <tm-newsletter@thompson-morgan.com>
Reply-To: Thompson & Morgan <ccare@thompson-morgan.com>
To: tandm@My_Postinied_PN_Account.plus.com
Message-ID: <8598919.1199270904415.ecMessenger@newsletter.thompson-morgan.com>
Subject: Your 2008 T & M catalogues are on their way
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-eC-messenger-mid: 400119673
X-eC-messenger-cid: 527
X-eC-messenger-sender-domain: bounce.newsletter.thompson-morgan.com
X-eC-messenger-email: tandm@My_Postinied_PN_Account.plus.com
X-pstn-neptune: 16/11/0.69/51
X-pstn-levels: (S: 0.10448/98.95600 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 r p m c
X-pstn-addresses: from <tm-newsletter@thompson-morgan.com> [db-null]
X-pn-pstn: Spam 2
X-Agent-Received: from PN POP My_Postined_Account (mail.plus.net); Wed, 02 Jan 2008 22:59:07 +0000
X-Agent-Junk-Probability: 0

Quote
Envelope-to: novatech@My_Postinied_PN_Account.plus.com
Delivery-date: Sat, 05 Jan 2008 01:03:41 +0000
Received: from exprod5mx233.postini.com ([64.18.0.119] helo=psmtp.com)
  by pih-sunmxcore10.plus.net with smtp (PlusNet MXCore v2.00) id 1JAxRr-0004n0-Nf
  for novatech@My_Postinied_PN_Account.plus.com; Sat, 05 Jan 2008 01:03:40 +0000
Received: from source ([212.87.86.80]) by exprod5mx233.postini.com ([64.18.4.11]) with SMTP;
Fri, 04 Jan 2008 17:03:06 PST
From: "Novatech" <ewmail@novatech.co.uk>
To: novatech@My_Postinied_PN_Account.plus.com
Subject: Novatech Newsletter - New Limited Stock Laptops!
Date: Fri, 04 Jan 2008 23:59:00 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="MIMEBoundary4e4262942dd4221e37805728bc77d0f0"
List-Unsubscribe: <mailto:leave-128421-257807.00ddc0663d654f91c2a8b7b6e8c3af58@listserve.novatech.co.uk>
List-Subscribe: <mailto:subscribe-eweekly@listserve.novatech.co.uk>
List-Owner: <mailto:owner-eweekly@listserve.novatech.co.uk>
X-List-Host: Main site
Sender: bounce-128421-257807@listserve.novatech.co.uk
Message-Id: <LYRIS-257807-128421-2008.01.05-00.00.01--novatech#My_Postinied_PN_Account.plus.com@listserve.novatech.co.uk>
X-pstn-neptune: 8/1/0.12/32
X-pstn-levels: (S: 0.25630/99.35421 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 r p m c
X-pstn-addresses: from <ewmail@novatech.co.uk> [db-null]
X-pn-pstn: Spam 2
X-Agent-Received: from PN POP My_Postined_Account (mail.plus.net); Sat, 05 Jan 2008 01:36:19 +0000
X-Agent-Junk-Probability: 0

Quote
Envelope-to: liteonforum@My_Postinied_PN_Account.plus.com
Delivery-date: Mon, 07 Jan 2008 21:37:57 +0000
Received: from exprod5mx201.postini.com ([64.18.0.60] helo=psmtp.com)
  by pih-sunmxcore19.plus.net with smtp (PlusNet MXCore v2.00) id 1JBzfQ-00015N-FF
  for liteonforum@My_Postinied_PN_Account.plus.com; Mon, 07 Jan 2008 21:37:57 +0000
Received: from source ([195.166.130.41]) (using TLSv1) by exprod5mx201.postini.com ([64.18.4.11]) with SMTP;
Mon, 07 Jan 2008 16:37:44 EST
Received: from [212.159.7.155] (port=43695 helo=ccgi03.plus.net)
by ptb-cgirelay02.plus.net with esmtp (Exim 4.50)
id 1JBzfD-0001Pj-NN
for liteonforum@My_Postinied_PN_Account.plus.com; Mon, 07 Jan 2008 21:37:43 +0000
Received: from mgillespie by ccgi03.plus.net with local (Exim 4.50)
id 1JBzfC-0002BZ-CO
for liteonforum@My_Postinied_PN_Account.plus.com; Mon, 07 Jan 2008 21:37:42 +0000
To: liteonforum@My_Postinied_PN_Account.plus.com
Subject: Topic reply: HDD in LiteON 5045
From: "Digital Video Forum" <mark@digitalvideoforum.net>
Date: Mon, 07 Jan 2008 21:37:42 -0000
Message-ID: <eb57fb4b17d4213e94f071d6f6f7c47f-m51199@digitalvideoforum.net>
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-2ff324673a094dd3249a5519774d010d"
Content-Transfer-Encoding: 7bit
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S: 0.14229/99.11999 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 r p m c
X-pstn-addresses: from <mark@digitalvideoforum.net> [db-null]
X-pn-pstn: Spam 2
X-Agent-Received: from PN POP My_Postined_Account (mail.plus.net); Mon, 07 Jan 2008 23:26:16 +0000
X-Agent-Junk-Probability: 0

Quote
Envelope-to: see@My_Postinied_PN_Account.plus.com
Delivery-date: Thu, 10 Jan 2008 14:46:49 +0000
Received: from exprod5mx229.postini.com ([64.18.0.115] helo=psmtp.com)
  by pih-sunmxcore15.plus.net with smtp (PlusNet MXCore v2.00) id 1JCygB-0002na-Oq
  for see@My_Postinied_PN_Account.plus.com; Thu, 10 Jan 2008 14:46:48 +0000
Received: from source ([213.83.65.106]) by exprod5mx229.postini.com ([64.18.4.13]) with SMTP;
Thu, 10 Jan 2008 09:46:45 EST
Received: from user by office2.wayahead.com with ESMTP; Thu, 10 Jan 2008 14:45:39 -0000
Message-Id: <2008110144539792@BLADE5>
From: "seetickets.com" <donotreply@seezz3.com>
To: "seetickets.com" <mailing@seezz3.com>
Date: Thu, 10 Jan 2008 14:45:39 0000
Subject: See Jose Gonzalez, Willie Nelson, London Fashion Weekend
X-Mailer: ExclamationSoft Corporation Mail Version 3.0
X-MSMail-Priority: NORMAL
MIME-Version: 1.0
Content-Type: text/plain
X-Server: VPOP3 V2.1.0h - Registered
X-pstn-neptune: 2/2/1.00/90
X-pstn-levels: (S: 0.28769/99.63307 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 r p m c
X-pstn-addresses: from <donotreply@seezz3.com> [db-null]
X-pn-pstn: Spam 2
X-Agent-Received: from PN POP My_Postined_Account (mail.plus.net); Thu, 10 Jan 2008 15:39:05 +0000
X-Agent-Junk-Probability: 0

Quote
Envelope-to: cdwow@My_Postinied_PN_Account.plus.com
Delivery-date: Sat, 12 Jan 2008 02:58:56 +0000
Received: from exprod5mx208.postini.com ([64.18.0.67] helo=psmtp.com)
  by pih-sunmxcore19.plus.net with smtp (PlusNet MXCore v2.00) id 1JDWaE-0005mz-PR
  for cdwow@My_Postinied_PN_Account.plus.com; Sat, 12 Jan 2008 02:58:55 +0000
Received: from source ([206.16.20.248]) by exprod5mx208.postini.com ([64.18.4.10]) with SMTP;
Fri, 11 Jan 2008 18:58:53 PST
Date: Sat, 12 Jan 2008 02:37:12 +0000
Message-Id: <1200105432.eb40.CDWW.28285.53993685MSOSI1:77OSIMS@email-cdwow.com>
From: "CD WOW!" <members@email-cdwow.com>
Reply-To: members@cd-wow.com
To: cdwow@My_Postinied_PN_Account.plus.com
Subject: Offers of the day! Amazing Chart DVDs from only GBP 8.99
MIME-Version: 1.0
X-Mailer: eBizmailer4.0
List-Unsubscribe: <mailto:listunsub+LU+CDWW+28285+53993685+cdwow=My_Postinied_PN_Account.plus.com@email-cdwow.com>
Content-Type: multipart/alternative; boundary="---===_OSI_MRIANVNII_16062001_28385.1200105432-889598"
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S: 0.18608/99.50514 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 r p m c
X-pstn-addresses: from <members@email-cdwow.com> [20/1]
X-pn-pstn: Spam 2
X-Agent-Received: from PN POP My_Postined_Account (mail.plus.net); Sat, 12 Jan 2008 03:45:37 +0000
X-Agent-Junk-Probability: 0
Community Veteran
Posts: 1,886
Registered: 05-04-2007

Re: Please post evidence of postini false postives here

Me too Mike...
Quote
X-Daemon-Classification: SPAM
Envelope-to: *****@***********.plus.com
Delivery-date: Fri, 11 Jan 2008 08:28:56 +0000
Received: from exprod5mx214.postini.com ([64.18.0.73] helo=psmtp.com)
  by pih-sunmxcore15.plus.net with smtp (PlusNet MXCore v2.00) id 1JDFG3-0006I6-2u
  for *****@***********.plus.com; Fri, 11 Jan 2008 08:28:55 +0000
Received: from source ([217.27.244.132]) by exprod5mx214.postini.com ([64.18.4.10]) with SMTP;
Fri, 11 Jan 2008 00:28:53 PST
Received: from mail.nsi-ltd ([194.93.135.150]) by nsi-mail2.nsi-ltd.com with Microsoft SMTPSVC(6.0.3790.0);
Fri, 11 Jan 2008 08:31:54 +0000
Received: from [192.168.1.146] by mail.modoracle.com (GMS 8.01.3088/NY8415.01.035cfeb6) with ESMTP id vwdsppaa for *****@*********.plus.com; Fri, 11 Jan 2008 08:28:50 +0000
Content-type: text/html
Date: Fri, 11 Jan 2008 08:18:27 +0000
From: newsletter@policeoracle.com
Subject: [-SPAM-] Daily Police News Brief
To: *****@********.plus.com
Message-Id: <08285029658582@mail.modoracle.com>
X-OriginalArrivalTime: 11 Jan 2008 08:31:54.0272 (UTC) FILETIME=[6BBA3A00:01C8542C]
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S: 0.19160/99.51690 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 r p m c
X-pstn-addresses: from <newsletter@policeoracle.com> [21/1]
X-pn-pstn: Spam 2
X-PN-Spam-Filtered: by PlusNet MXCore (v3.00)
X-DSPAM-Result: Spam
X-DSPAM-Processed: Fri Jan 11 08:28:56 2008
X-DSPAM-Confidence: 0.4789
X-DSPAM-Improbability: 1 in 93 chance of being ham
X-DSPAM-Probability: 1.0000
X-DSPAM-Factors: 15,
Received*helo=psmtp.com), 0.00486,
X-pstn-settings*(0.1500, 0.99216,
X-pstn-settings*1, 0.99216,
X-pstn-settings*0.1500), 0.99213,
X-pn-pstn*2, 0.99000,
Received*([64.18.4.10]), 0.99000,
Received*roger, 0.99000,
Arrested, 0.01000,
Envelope-to*roger, 0.99000,
Loxton, 0.01000,
Time&nbsp, 0.01000,
Received*(GMS, 0.99000,
Subject*Brief, 0.01000,
X-pn-pstn*Spam, 0.99000,
HEIGHT="7", 0.01000


pierre_pierre
Grafter
Posts: 19,757
Registered: 30-07-2007

Re: Please post evidence of postini false postives here [Merged with Avoiding [spam]

do you blank out my e-mail address for false positives or do I before I send them to you?
I have 4 from this month
pwebb
Grafter
Posts: 65
Registered: 05-04-2007

Re: Please post evidence of postini false postives here [Merged with Avoiding [spam]

Quote from: mikeb
There are 2 headers of interest but the most obvious one is:
X-pn-pstn: spam2
Any message containing this header has been considered as being spam. The slightly less obvious postini header that can also be checked looks something like this:
X-pstn-levels: (S: X.XXXXX/94.26347 R:95.9108  ..... C:98.6951 )
If the first number (X.XXXXX) is <0.3000 then the message has been considered as spam.  Everything else in the header is not that relevant for this exercise and can be ignored.

For reporting purposes in the thread, can we use <0.150 rather than <0.3000, which is currently what is being used to set the header tag? When we roll out some changes next week (which should include Postini header tagging rather than dspam headers for people already moved) we will be bringing the threshold in line with the Postini value.
Quote from: mikeb
PS: Perhaps PN would like to comment on each example that turns up advising why the message received such a poor score and was classified as spam when it quite clearly wasn't.

I'm happy to look at doing this, but without the body of the message as well as the headers it's virtually impossible to do. The reason that a message is classified as spam will in most cases be down to the content in the message, for example URLs or http content lower the score, not starting the message with a salutation etc. We can make some general observations based on headers such as strange from address, subject, to address not you etc.
I'm not sure if people are happy to post the body of message here or if we need to set-up a mailbox for the review of these where the whole message can be sent as an attachment for review?
Phil
Community Veteran
Posts: 26,688
Thanks: 911
Fixes: 10
Registered: 10-04-2007

Re: Please post evidence of postini false postives here [Merged with Avoiding [spam]

If all you are going to post here is the headers, people may as well post the headers in to the Postini tool:
http://www.postini.com/support/header_analyzer.php
Without the message body Plusnet could not tell you any more of the reasons why an email was rejected.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
MrToast
Grafter
Posts: 550
Registered: 31-07-2007

Re: Please post evidence of postini false postives here [Merged with Avoiding [spam]

Quote from: mikeb
PN advised a while ago that postini have guaranteed them a 98% spam detection rate with 0.0003% false positives.

Without a definition of SPAM how can this be measured?
BTW from reading the Postini site they make the above claim, but no mention of guarantee there... though I too saw a post here from PN to that effect.
So far as I know neither Postini nor PN have offered a clear definition of SPAM. This is not an idle question if you are making claims of 0.0003%
mikeb
Grafter
Posts: 367
Registered: 10-06-2007

Re: Please post evidence of postini false postives here [Merged with Avoiding [spam]

Thanks for info posted so far chaps :)
@davidhh: The problem you are seeing is a problem with DSPAM and not a possible problem with postini.  In fact, postini have scored your example yahoo.groups message as 99.9% genuine.  This appears to be the 'norm' as just about all my yahoo.groups messages also get top scores.  DSPAM is, erhm, ... not very good shall we say ;) and I'm sure there will be mucho cheering and flag waving from those who (try to) use it when it finally bites the dust !
@Mr.Moderator: The dspam issue that was merged into this thread is technically O/T because it is most definitely a dspam issue and not related to postini at all. I believe the user was quite correct in not putting it in here, particularly as my initial request makes the point of NOT recording dspam problems but ONLY messages with a postini score <0.3. I'm quite sure that there must be a more relevant thread to merge dspam issues into as opposed to this one. I would very much like this thread to remain 100% focused on examples of postini false positives and avoid it becoming too much of a general discussion or getting a bit side-tracked. I believe that it is in EVERYONE'S best interest to have one single thread dedicated to collecting data about one single problem rather than have data all over the place and it potentially getting lost or over-looked in amongst a sea of more general or only slightly related comments.  Can I please ask you to reconsider ? Is there any chance you could possibly unmerge the dspam query (and any relevant responses) to ensure this thread remains 100% on topic and restore the original title ? (although preferably without my original typo !) The thread is not about "avoiding spam" it is solely for collecting evidence of one single issue with postini that I believe PN need to address.
@Phil: I would much prefer to keep the threshold at the current level of <0.3 as specifically requested because this is what it currently is. It may or may not get changed sometime soon but that is sort of irrelevant at this point in time and in any case, it provides some additional safety margin over the 0.15 you suggest will ultimately be used by PN at some time in the future. If a 100% genuine message is only achieving a score of 0.3 then I would still suggest that there is something very wrong somewhere to result in such a ridiculously low score. Going by the way postini scores drift if not randomly change (i.e. similar if not identical messages can get quite different scores) then it is very possible that >0.3 one week will be <0.15 the next ! PLEASE CONTINUE TO REPORT MESSAGES WITH A SCORE <0.3 AS INITIALLY REQUESTED. If PN do actually change their definition of "SPAM 2" at some point then so be it.
@Jelv: Posting the postini analyzer results doesn't provide any useful (for the intended purpose) data whatsoever. The object of this exercise is to establish the 'type' of messages being problematic, the source of such messages and scale of the problem.  What postini think in general is not relevant, the only relevant piece of postini information is that they have given the message a ridiculously low spam score.
@pierre_pierre: If you paste a copy of the message headers into a post on this thread, they should look very similar to those already posted above. However, in the data you pasted there will be several instances of your personal e-mail address:
i.e. Your.Real.Name@Your_Plusnet_Username.plus.com
and you need to edit each and every one of those instances to something that doesn't tell the whole world exactly what your current e-mail address is so they can spam you more ! Change it to anything you like or simply "X" it out so that it reads xxx@xxxx.plus.com  It's just a sensible security precaution that's all and it's generally only your personal e-mail address that needs editing. However, if the email is from a personal contact rather than a business contact then perhaps you also need to edit the sender's details subtly as well. Your mate certainly won't thank you for posting his e-mail address in public but some_company.com obviously isn't going to be a problem.
@Mr.Toast: Yeah, I know, it's all down to interpretation of the small print and more than a bit of a joke and all that so you're never ever going to get any sort of definitive answer on that question !  After all, I could provide PN a system that achieves 100% detection of spam with 0% of false positives as measured at the customer's mailbox and it wouldn't matter how you choose to define spam - you could have any definition you want - I would absolutely guarantee those figures and pay you £1K for every false positive you receive.  That's brilliant I hear you all shout, how can you do that ... simple, I'll just unplug the server or delete all your mail on receipt so nothing ever gets to you !  With no mail being received then you can't possibly have any spam so that's a 100% detection rate and there can't possibly be any false positives either because there aren't any messages falsely being marked as spam in your mailbox :P  What postini are offering by way of their SLAs is not that far away from my solution ;) Their SLAs apply SOLELY to delivered mail and NOT to mail that is dumped or rejected on receipt.  The SLAs are totally meaningless without clear definitions and are completely irrelevant if mail is potentially being lost rather than delivered.
I entirely agree with what you're saying of course but there will never be a definitive answer. I personally consider spam as something that is completely un-solicited and generally trying to sell me something.  I consider a false positive to be a message from a specific sender who I want to receive mail from and who has my explicit permission to contact me at this e-mail address but someone or something else has considered their message to be spam and has either prevented me from seeing it at all or has marked it in some way to identify it as spam.
pwebb
Grafter
Posts: 65
Registered: 05-04-2007

Re: Please post evidence of postini false postives here [Merged with Avoiding [spam]

Quote from: mikeb
@Phil: I would much prefer to keep the threshold at the current level of <0.3 as specifically requested because this is what it currently is. It may or may not get changed sometime soon but that is sort of irrelevant at this point in time and in any case, it provides some additional safety margin over the 0.15 you suggest will ultimately be used by PN at some time in the future. If a 100% genuine message is only achieving a score of 0.3 then I would still suggest that there is something very wrong somewhere to result in such a ridiculously low score. Going by the way postini scores drift if not randomly change (i.e. similar if not identical messages can get quite different scores) then it is very possible that >0.3 one week will be <0.15 the next ! PLEASE CONTINUE TO REPORT MESSAGES WITH A SCORE <0.3 AS INITIALLY REQUESTED. If PN do actually change their definition of "SPAM 2" at some point then so be it.

People can of course report whatever they want and if you want to continue reporting at < 0.3 that's fine, but I am more interested in the ones with a threshold of < 0.15 as these are the ones that will have the subject line marking. On your example above, it's also possible that a score of >0.3 one week could drift to > 1.0 the next.
One general point that I have seen from all of the messages that have been posted so far is that they are all either mailing list type messages addressed to multiple recipients or machine generated messages, both of which will by definition appear more spammy and score less than a person to person e-mail.
I'm interested in your thoughts on my suggestion that we need to see the body of the message too and how we can best deal with that?
Phil
Community Veteran
Posts: 26,688
Thanks: 911
Fixes: 10
Registered: 10-04-2007

Re: Please post evidence of postini false postives here [Merged with Avoiding [spam]

I support Mike's request for the de-merger of this topic - I was considering commenting on this before I saw Mike's post.
I'm not suggesting posting the results of the Postini analysis - I'm saying there doesn't seem to be any point in going to the effort of removing identifying information and just posting the headers and then asking Plusnet for an explanation of why it was identified as spam - they will not be able to tell you any more than the analyser will tell you.
I do think it is a good idea that we log basic details of emails wrongly identified as spam until such time as Plusnet provide an email address where we can forward the complete unedited email as an attachment.
I've received four emails in the last couple of days like this (strange that after a month with none I get four together). Here are the details


Log from my Netgear Router
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels:    (S: 0.14218/99.40015 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )



Notification of vacancies from www.jobsite.co.uk - I get at least two of these every day and this is the first that has been marked as spam
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels:    (S: 0.16916/99.46496 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 r p m c
X-pstn-addresses: from <jbe-vac@jobsite.co.uk> [db-null]
X-pn-pstn: Spam 2



Marketing email from BT sent direct to my email address registered to my BT telephone account for a Nokia 2610
X-pstn-neptune: 8/7/0.88/90
X-pstn-levels:    (S: 0.04249/98.86244 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 r p m c
X-pstn-addresses: from <btbroadband@comms.bt.com> [db-null]
X-pn-pstn: Spam 2



"Print your festive snaps at Kodak Express" again sent direct to an email address I registered with them.
X-pstn-neptune: 8/5/0.62/84
X-pstn-levels:    (S: 0.08464/99.16566 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 r p m c
X-pstn-addresses: from <kodak_digital_europe@emails.kodak.com> [db-null]
X-pn-pstn: Spam 2

jelv (a.k.a Spoon Whittler)
mikeb
Grafter
Posts: 367
Registered: 10-06-2007

Re: Please post evidence of postini false postives here [Merged with Avoiding [spam]

Quote from: pwebb
On your example above, it's also possible  that a score of >0.3 one week could drift to > 1.0 the next.

Quite true of course but again,  I would suggest that such a low score is probably not appropriate either.  I do hear what you're saying but there isn't really a 'good' figure to use because of the natural variability in the scoring never mind any strange problems there might be. I think 0.3 is as good a figure as any for the purposes of establishing the scale of the problem and by looking at the headers you can see how many false positives are <0.15 and how many are between 0.15 and 0.3.
Quote
One general point that I have seen from all of the messages that have been posted so far is that they are all either mailing list type messages

Of course they are and that's exactly what I would expect. I would not expect to see ANY false positives from a more 'personal' contact - just business contacts, mail lists and other automatically generated confirmations etc.  All of these are by definition not spam and the scoring algorithms need to take this into account. No one cares how hard it is to do that, it's postini's problem and they're being paid handsomely to do the job.  A specification is a specification and it is by no means unreasonable for users to expect compliance with stated performance criteria. You wouldn't be trying to tell me that my message contained the word "zebra" and a link to a picture of one plus it came from someone called "Pierre" in "France" and therefore it's quite acceptable for it to be considered as spam so don't try to tell me that certain other types of mail can reasonably be considered as being spam willy-nilly either !  Or are you telling me that a PN A/C is not suitable for business use or receiving any other form of automatically generated mail but is only suitable for receiving mail that is sent directly from one identifiable person to another ? :P
Quote
I'm interested in your thoughts on my suggestion that we need to see the body of the message too and how we can best deal with that?

I'm sure you're right here but I'm not sure what the answer is. Some users may not be comfortable with posting the whole lot and it would take up several acres of space in any case ! My primary aim was to determine the scale of the problem rather than specifically address each response in great detail although some general comment would of course be great.  Maybe PN need to set up a dedicated address for messages to be forwarded to ... in fact, maybe they should have thought about all this and done something well before transferring users to postini in the first place.  A trial with no dedicated means of reporting and no single point of contact is at best not helpful. A system being used in anger with no means of reporting and no means of training and no means of user control is at best a bit useless.  All comments IMHO of course, YMMV and all that :)
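An added example, not part of any post in this thread: one way to do the tally described above, counting messages tagged as spam by X-pn-pstn in the two score bands mentioned (below 0.15, and 0.15 to 0.3). The header excerpts are copied from posts in this thread except the last, which is constructed; the function names are hypothetical, and reading the first number after S: as the score is an assumption based on how the thread uses it.

```python
import re
from email import message_from_string

# Header excerpts copied from posts in this thread (bodies omitted).
# The last entry is constructed: it carries no X-pn-pstn tag at all.
SAMPLES = [
    "X-pstn-levels:    (S: 0.16916/99.46496 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )\n"
    "X-pn-pstn: Spam 2\n\n",
    "X-pstn-levels:    (S: 0.04249/98.86244 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )\n"
    "X-pn-pstn: Spam 2\n\n",
    "X-Pstn-Levels: (S: 0.08149/99.11470 R:95.9108 P:95.9108 M:97.0282 C:99.7951 )\n"
    "X-Pn-Pstn: Spam 2\n\n",
    "X-pstn-levels:    (S: 0.00000/97.13842 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )\n"
    "X-pn-pstn: Spam 2\n\n",
    "X-pstn-levels:    (S: 0.50000/99.00000 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )\n\n",
]

# Assumption: the first number after "S:" is the score the thread compares to 0.3.
LEVELS_RE = re.compile(r"\(\s*S:\s*([0-9.]+)/")

def classify(raw):
    """Return (tagged_as_spam, s_score) for one raw message or header block."""
    msg = message_from_string(raw)           # header lookup is case-insensitive
    tag = msg.get("X-pn-pstn", "")
    # Accept both spellings seen in the thread: "spam2" and "Spam 2".
    tagged = tag.replace(" ", "").lower().startswith("spam")
    match = LEVELS_RE.search(msg.get("X-pstn-levels", ""))
    return tagged, float(match.group(1)) if match else None

def band(score):
    """Map a score onto the bands used in the post above."""
    if score is None:
        return "no score"
    if score < 0.15:
        return "<0.15"
    return "0.15-0.3" if score <= 0.3 else ">0.3"

def tally(raw_messages):
    """Count spam-tagged messages per score band; untagged mail is skipped."""
    counts = {}
    for raw in raw_messages:
        tagged, score = classify(raw)
        if tagged:
            counts[band(score)] = counts.get(band(score), 0) + 1
    return counts

if __name__ == "__main__":
    print(tally(SAMPLES))
```
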
Community Veteran
Posts: 6,111
Thanks: 1
Registered: 05-04-2007

Re: Please post evidence of postini false postives here [Merged with Avoiding [spam]

I also agree that the two threads shouldn't have been merged... it's just making reading the one I wanted to read (about Postini false positives) confusing. :-\
Anyway, I also think a dedicated PN mailbox, akin to notspam@despamchecker.plus.com, would be a good idea whilst the kinks in Postini are being worked out, but for now I do have one false positive. It was a request to fill in a survey about my Waterstones clubcard; I can understand why it would have been marked as spam, but still, I wouldn't have wanted it to have been so (as there was the offer of 100 free points for filling it in!).
X-Pstn-Neptune: 	2/1/0.50/74
X-Pstn-Levels: (S: 0.08149/99.11470 R:95.9108 P:95.9108 M:97.0282 C:99.7951 )
X-Pstn-Settings: 1 (0.1500:0.1500) gt3 gt2 gt1 r p m c
X-Pstn-Addresses: from <response@waterstones.cardsurvey.co.uk> [db-null]
X-Pn-Pstn: Spam 2

Community Veteran
Posts: 26,688
Thanks: 911
Fixes: 10
Registered: 10-04-2007

Re: Please post evidence of postini false postives here [Merged with Avoiding [spam]

How about spam@postini.plus.com and notspam@postini.plus.com - that account name is free at present.
jelv (a.k.a Spoon Whittler)
Community Veteran
Posts: 1,886
Registered: 05-04-2007

Re: Please post evidence of postini false postives here [Merged with Avoiding [spam]

Quote from: mikeb

@Mr.Moderator: The dspam issue that was merged into this thread is technically O/T because it is most definitely a dspam issue and not related to postini at all. I believe the user was quite correct in not putting it in here, particularly as my initial request makes the point of NOT recording dspam problems but ONLY messages with a postini score <0.3. I'm quite sure that there must be a more relevant thread to merge dspam issues into as opposed to this one. I would very much like this thread to remain 100% focused on examples of postini false positives and avoid it becoming too much of a general discussion or getting a bit side-tracked. I believe that it is in EVERYONE'S best interest to have one single thread dedicated to collecting data about one single problem rather than have data all over the place and it potentially getting lost or over-looked in amongst a sea of more general or only slightly related comments.  Can I please ask you to reconsider ? Is there any chance you could possibly unmerge the dspam query (and any relevant responses) to ensure this thread remains 100% on topic and restore the original title ? (although preferably without my original typo !) The thread is not about "avoiding spam" it is solely for collecting evidence of one single issue with postini that I believe PN need to address.

I've reconsidered and de-merged the threads to avoid confusion - my apologies, as the post that I merged in, I originally thought was referring to postini, but as correctly pointed out by yourself and John, I was in the wrong (Nothing new there! ;) )
Moderator
Moderator
Posts: 26,547
Thanks: 1,542
Fixes: 101
Registered: 14-04-2007

Re: Please post evidence of postini false positives here

Here are a couple of newsletters I have subscribed to some time ago, Soundcontrol and Play.com, both flagged as Spam 2.
Genuine spam I receive is stuff targeted at the mx.core or mx.last.....until they are locked down.
Quote
Envelope-to: me@mydomain.co.uk
Delivery-date: Fri, 11 Jan 2008 19:05:09 +0000
Received: from exprod5mx220.postini.com ([64.18.0.79] helo=psmtp.com)
  by pih-sunmxcore16.plus.net with smtp (PlusNet MXCore v2.00) id 1JDPBj-0002vx-NF
  for me@mydomain.co.uk; Fri, 11 Jan 2008 19:05:08 +0000
Received: from source ([213.166.22.124]) by exprod5mx220.postini.com ([64.18.4.10]) with SMTP;
Fri, 11 Jan 2008 11:05:05 PST
Received: (qmail 26293 invoked by uid 113); 11 Jan 2008 19:03:13 +0000
To: me@mydomain.co.uk
Subject: Massive Clearance Sale
Date: Fri, 11 Jan 2008 19:03:13 +0000
From: "soundcontrol@soundcontrol.co.uk" <soundcontrol@soundcontrol.co.uk>
Message-ID: <a62c1ac24de41790a4e6dc066cd7e320@localhost.localdomain>
X-Priority: 3
X-Mailer: PHPMailer [version 1.73]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
X-pstn-levels:    (S: 0.00000/97.13842 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 r p m c
X-pstn-addresses: from <soundcontrol@soundcontrol.co.uk> [21/1]
X-pn-pstn: Spam 2
X-PN-VirusFiltered: by PlusNet MXCore (v2.00)

Quote
Envelope-to: me@mydomain.co.uk
Delivery-date: Fri, 11 Jan 2008 18:57:50 +0000
Received: from exprod5mx201.postini.com ([64.18.0.60] helo=psmtp.com)
  by pih-sunmxcore18.plus.net with smtp (PlusNet MXCore v2.00) id 1JDP4f-0000te-3T
  for me@mydomain.co.uk; Fri, 11 Jan 2008 18:57:50 +0000
Received: from source ([63.111.28.148]) by exprod5mx201.postini.com ([64.18.4.10]) with SMTP;
Fri, 11 Jan 2008 13:57:47 EST
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=spop; d=newsletters.play.com;
b=ng8thWz7hImsH+nVXp0K2yFJwc11h/DoLB2qzUgC+uKMe+eLhuqRSaV9gBAt4gTkJ2pCw5gtXz2G
  gRKryXTjfA==;
Received: by mail1274.newsletters.play.com (PowerMTA(TM) v3.2r17) id hguu2o0beoca for <me@mydomain.co.uk>; Fri, 11 Jan 2008 13:56:38 -0500 (envelope-from <v-lmiao_fimihjof_cjabcpl_cjabcpl_a@bounce.newsletters.play.com>)
Message-ID: <29888851.1200077798164.JavaMail.app@mx02.pdkp1>
Date: Fri, 11 Jan 2008 13:56:38 -0500 (EST)
From: "Play.com" <newsletter@newsletters.play.com>
Reply-To: newsletter@newsletters.play.com
To: me@mydomain.co.uk
Subject: Play.com: 80% Off In Our Monster Sale - New titles added!
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_12209_25437379.1200077763278"
x-mid: 772110
List-Unsubscribe: <mailto:v-lmiao_fimihjof_cjabcpl_cjabcpl_a@bounce.newsletters.play.com?subject=Unsubscribe>
X-pstn-neptune: 39/2/0.05/67
X-pstn-levels:    (S: 0.06282/99.01557 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 r p m c
X-pstn-addresses: from <newsletter@newsletters.play.com> [21/1]
X-pn-pstn: Spam 2
X-PN-VirusFiltered: by PlusNet MXCore (v2.00)

Customer and Forum Moderator.