Every system is different and has different policies. Some folks prefer to only warn on all spam, while others may delete messages based on any test that fails (including Message Sniffer). The best answers are usually somewhere in between and will depend on your customer base, the resources, software and tools you have at your disposal, and your policies.

Best practice is to combine a number of tests with Message Sniffer in a weighted scheme where each result code can be given an individual weight. For example, the gray hosting group (60) should be weighted low while the porn/adult group (54) should be weighted high.

Under these conditions it is usually ok to hold when a message fails SNIFFER and one other test. Perhaps some rule groups might be weighted high enough to cause a hold, and others reduced in weight to require more than one other test failure.

In any case, if you have false positives, please be sure to submit them to us so that we can adjust your rulebase.