From Roaring Penguin
Revision as of 11:41, 18 April 2017 by JohnMertz (talk | contribs) (Function of Thresholds)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Function of Thresholds

CanIt uses 3 thresholds that are somewhat confusingly numbered and named. Their basic function is described below:

  • <S-300 - Messages below this will go directly to the inbox. (Default: 5)
  • <S-100 - Messages above S-300, but below this will get placed into the Pending Quarantine (Default: 2000)
  • <S-200 - Messages equal to or above S-100, but below this score will be placed in the Spam Quarantine (Default: 100000)
  • >=S-200 - Messages equal to or above S-200 will be discarded, but we will retain a log of the incident.

These settings can be tweaked from Preferences->Quarantine Settings. Changes should be made in the default stream to apply to all streams.

Score Recommendations

S-300 - Spam threshold

The default value for S-300, 5, is highly recommended. This is a proven score that will block the VAST majority of spam while causing only occasional valid messages to be trapped. Judicious training increases the effectiveness of this value. If you feel like tweaking this, do so by only fractions of a point at a time to see the results. There are a large number of spams that will score exactly 5, so you might be surprised by the impact that even 5.1 can have.

The other two thresholds are flexible and depend on how you value not seeing Spams at all versus the likelihood of false-positives.

S-100 - Automatically reject messages scoring more than this amount

With the default rule set no message will ever score above 2000 and so all mail will either go to the inbox or the pending quarantine (where most users will be alerted to them in the daily notifications).

Administrators often choose to lower this so that users don't have to see, and can't fall victim to obvious spam. A good value for this threshold can be determined by looking at the non-spam quarantine for all users (by switching to the stream "*" and going to Quarantine->Non-Spam). Sorting by score will make it easy to determine the highest scoring message that has been released. A good S-100 value is slightly higher than this message. A common value seems to be somewhere around 20. Anything scoring higher than this will be put directly into the spam quarantine. They will still be accessible from there, but will not be included in the notification email.

You can also use Quarantine->Analysis to get stats on the scores at which 99% of messages that were manually rejected would have been rejected automatically, and at which 99% of messages that were released would have been allowed through automatically. This can also be used to determine a safe score.

S-200 - Auto-reject messages scoring more than this amount without creating an incident

The only real reason to lower the S-200 value is to save disk space that will otherwise be taken up with spam. The trade-off is a slightly higher risk of false-positives being thrown out. We don't have a recommended value for this threshold. If you choose to lower it, be sure to leave lots of room for possible false-positives. Anything above this value will be thrown out, but the incident will be accessible to administrators via Administration->Search Logs if they need to investigate. For on-premises CanIt customers, this requires that the log-indexer package is installed (See 6.1 in the Installation Guide).

Notification Threshold

If you do not wish to lower the S-100 auto-reject threshold but would still like to limit the messages that users are alerted to, this can be done with Preferences->Notification->"Do not include messages scoring above this threshold in notifications (1-2000):". By changing this instead of S-100, any messages scoring higher than that will still be in the Pending quarantine from the WebUI, but they will not be included in the notifications. Thus the user can still release them if they go looking.