What is the marking process for SNF4SA?
When using SNF with SNF4SA, SNF results show up as another SA test adding to the score for each message.
You can adjust the scores associated with each SNF result code by editing the snf4sa.cf file.
The default settings are:
# Default configuration.
GBUdb_max_weight 3.0
snf_result 1 sa_score -5.0 short_circuit_no
snf_result 20 sa_score 6.0 short_circuit_yes
snf_result 40 sa_score 2.5 short_circuit_no
snf_result 47-62 sa_score 4.0 short_circuit_no
snf_result 63 sa_score 3.5 short_circuit_no
These settings say that SNF4SA will add a score of 6 points for an SNF result code of 20 (truncate), 2.5 points for an SNF result code of 40 (caution), 4.0 points for most ordinary spam result codes (47-62), and 3.5 for a result code of 63 (black).
On top of these weights, a further weight is added based on IP reputation statistics learned for your system. GBUdb_max_weight 3.0 means that if the reputation of the IP is good then a maximum of -3.0 will be added -- this reduces the SA spam score. Similarly, if the IP reputation is bad then a maximum of +3.0 will be added -- this increases the spam score.
If you are using SNF as the primary test in your SA system then you may want to increase these weights significantly.
For example you might use:
snf_result 1 sa_score -5.0 short_circuit_no
snf_result 20 sa_score 6.0 short_circuit_yes
snf_result 40 sa_score 4.0 short_circuit_no
snf_result 47-62 sa_score 5.0 short_circuit_no
snf_result 63 sa_score 4.5 short_circuit_no
These weights would mean that, unless some other SA test disagrees with SNF, the message should have a score of 5.0, which normally indicates spam in most SA installations.
Note that the other weights for 63 (black) and 40 (caution) are just below the threshold so that they are still somewhat conservative -- however, they are very close so that if any other SA tests agree with SNF then the message would be marked spam by SA. You may choose to make these weights as high as the others if you do not experience any false positives.
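To check a set of weights before deploying it, the sketch below (an added example, not part of SNF4SA) parses the directives in the form shown on this page and reports, for a result code, what SNF alone contributes, the range once the GBUdb weight is applied, and how many points other SA tests must still add. The function names and the 5.0 threshold parameter are assumptions for illustration.

```python
import re

# Constructed input: the "primary test" weights from this page, with
# GBUdb_max_weight carried over from the default block.
PRIMARY_CF = """\
GBUdb_max_weight 3.0
snf_result 1 sa_score -5.0 short_circuit_no
snf_result 20 sa_score 6.0 short_circuit_yes
snf_result 40 sa_score 4.0 short_circuit_no
snf_result 47-62 sa_score 5.0 short_circuit_no
snf_result 63 sa_score 4.5 short_circuit_no
"""

# One directive: a single code or a lo-hi range, a score, a short-circuit flag.
RULE = re.compile(r"snf_result\s+(\d+)(?:-(\d+))?\s+sa_score\s+"
                  r"(-?\d+(?:\.\d+)?)\s+short_circuit_(yes|no)")

def parse(text):
    """Return (gbudb_max_weight, [(lo, hi, score, short_circuit), ...])."""
    gbudb, rules = 0.0, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("GBUdb_max_weight"):
            gbudb = float(line.split()[1])
            continue
        m = RULE.fullmatch(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        rules.append((lo, hi, float(m.group(3)), m.group(4) == "yes"))
    return gbudb, rules

def snf_contribution(text, code, required=5.0):
    """Describe what SNF adds for `code`; None if no rule covers it."""
    gbudb, rules = parse(text)
    for lo, hi, score, short_circuit in rules:
        if lo <= code <= hi:
            return {"score": score, "short_circuit": short_circuit,
                    # GBUdb adds at most -max (good IP) or +max (bad IP)
                    "min": score - gbudb, "max": score + gbudb,
                    "spam_without_help": score >= required,
                    "needed_from_other_tests": max(0.0, required - score)}
    return None

if __name__ == "__main__":
    for code in (1, 20, 40, 55, 63):
        print(code, snf_contribution(PRIMARY_CF, code))
```
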