[Asrg] Meta channel, not bounces (was: Re: where the message originated)

David Wilson David.Wilson at isode.com
Thu Jan 15 08:56:50 PST 2009


On Thu, 2009-01-15 at 10:45 -0500, Rich Kulawiec wrote:
> >> Among other things, "malicious" isn't universal.  And anti-virus software
> >> does not have a 0% FP rate.)
> >
> > I agree it cannot be 0%, but better than 0.000001% is expected.
> 
> I think that's hopelessly optimistic in real-world settings.  I routinely
> see a handful of FP's every month -- then again, I tend to send out mail
> talking about spam and phishes and so on, which most people don't.
> Also see Chris's excellent explanation, which I think is roughly
> typical of that at many large sites (it's certainly similar to the
> large sites I've worked on).

If I read Chris' message, then I believe that he is not giving evidence
for AV false positives. He does not trust AV software, so the rejects
quoted are for *all* filtering (presumably various kinds of anti-spam,
as well as AV scanning) and the false positives quoted are for reports
he gets back from rejects (many of which I suspect are seen by the user
in a bounce generated from the MTA which received the reject). So there
is actually no data here on specifically AV false positives, they are
data on false positives from the overall filtering system.

If someone discusses the nature of spam messages or phishing messages
via email, I would think that false positives are not surprising;
annoying, but not surprising. After all, one can be sending a message
containing precisely the kind of thing filters are attempting to detect.
So, I would say that there is a class of positives which should not
count against the detection mechanism.


