Matt - Thank you much for your suggestions. I did not realize about the compounded scoring w/the blackholes & country test - fixed!
I wasn't using the FiveTen tests because I thought I read in this list they were not that reliable - I've added them & will monitor. I was using the in.dnsbl.org tests, you had them omitted - as well as spamdomains. Any particular reason? Also added the BCC test - missed that one. Your filters have been very effective not only in catching spam but in getting me to make my own as well, eg: got my thought process going - Thanks again!

-Nick

Date sent:      Wed, 12 Nov 2003 14:23:33 -0500
From:           Matthew Bramble <[EMAIL PROTECTED]>
To:             [EMAIL PROTECTED]
Subject:        Re: [Declude.JunkMail] Junkmail Tests and Configs
Send reply to:  [EMAIL PROTECTED]

> Nick,
>
> I noticed that you are using the blackholes and a country filter.
> FYI, this will be almost all caught by the FOREIGN test, so keep in
> mind that you will be adding even more points by using the three
> together and that could result in some false positives (i.e. Russian
> originators will get 9 points instead of just three by failing three
> tests).
>
> I personally fail on 10, and my scoring is going to be a lot different
> from yours. I'm attaching the non-custom part of my config below.
> This config, together with my filters (the best of which are
> configured on your system), some header stuff from Kami and Message
> Sniffer, is blocking minimally 98% on my system with hardly any issues
> with FP's. It seems that you might be mostly failing on a score of 15,
> in which case you might want to adjust the scores of my filters up by
> 50% (which requires some adjustments inside of the files as well).
> One of the issues might be the wide range of scores that you fail on.
> My system will only block about 92% if I failed at a score of 20, so I
> have only three levels set at 10, 13 and 16, and try to keep my
> scoring tight enough so that all FP's will come in below 20. Getting
> tighter here might be beneficial; however, you would really have to
> readjust a lot of things to make that work, though not by much from
> appearances. I would also recommend moving your whitelist into a
> filter file and only subtracting 10 or less points, because spammers
> will fake reverse DNS settings and you have some domains that are
> likely to be targeted there. That way, something that is spam should
> still fail, but it will protect from FP's on several of the RBL's.
>
> Here's my config:
>
> LOGLEVEL LOW
> HOP 0
> CONSOLE OFF
> LOOSENSPAMHEADERS ON
>
> DSBL                 ip4r   list.dsbl.org                  *           7   0
> ORDB                 ip4r   relays.ordb.org                *           7   0
> SPAMCOP              ip4r   bl.spamcop.net                 127.0.0.2   9   0
> EASYNET-DYNA         ip4r   dynablock.easynet.nl           127.0.0.2   4   0
> EASYNET-DNSBL        ip4r   blackholes.easynet.nl          127.0.0.2   5   0
> EASYNET-PROXIES      ip4r   proxies.blackholes.easynet.nl  127.0.0.2   7   0
> FIVETEN-SPAM         ip4r   blackholes.five-ten-sg.com     127.0.0.2   4   0
> FIVETEN-BULK         ip4r   blackholes.five-ten-sg.com     127.0.0.4   4   0
> FIVETEN-MULTISTAGE   ip4r   blackholes.five-ten-sg.com     127.0.0.5   5   0
> FIVETEN-SPAMSUPPORT  ip4r   blackholes.five-ten-sg.com     127.0.0.7   4   0
> FIVETEN-MISC         ip4r   blackholes.five-ten-sg.com     127.0.0.9   7   0
> BLITZEDALL           ip4r   opm.blitzed.org                *           7   0
> SBL                  ip4r   sbl.spamhaus.org               127.0.0.2   50  0
> CBL                  ip4r   cbl.abuseat.org                127.0.0.2   8   0
> SBBL                 ip4r   sbbl.they.com                  *           4   0
>
> SORBS-DUL            ip4r   dnsbl.sorbs.net                127.0.0.10  6   0
> SORBS-HTTP           ip4r   dnsbl.sorbs.net                127.0.0.2   6   0
> SORBS-MISC           ip4r   dnsbl.sorbs.net                127.0.0.4   6   0
> SORBS-SOCKS          ip4r   dnsbl.sorbs.net                127.0.0.3   6   0
> SORBS-SPAM           ip4r   dnsbl.sorbs.net                127.0.0.6   5   0
>
> MAILPOLICE-BULK      rhsbl  bulk.rhs.mailpolice.com        127.0.0.2   9   0
> MAILPOLICE-PORN      rhsbl  porn.rhs.mailpolice.com        127.0.0.2   9   0
> DSN                  rhsbl  dsn.rfc-ignorant.org           127.0.0.2   1   0
> NOABUSE              rhsbl  abuse.rfc-ignorant.org         127.0.0.4   1   0
> NOPOSTMASTER         rhsbl  postmaster.rfc-ignorant.org    127.0.0.3   1   0
>
> BONDEDSENDER         ip4r   query.bondedsender.org         127.0.0.10  -50 0
>
> BADHEADERS           badheaders      x   x   5   0
> HELOBOGUS            helovalid       x   x   4   0
> MAILFROM             envfrom         x   x   7   0
> IPNOTINMX            ipnotinmx       x   x   0   -2
> PERCENT              percent         x   x   2   0
> #REVDNS              revdnsexists    x   x   0   0
> ROUTING              spamrouting     x   x   7   0
> SPAMHEADERS          spamheaders     x   x   5   0
> NOLEGITCONTENT       nolegitcontent  x   x   0   -1
> BASE64               base64          x   x   3   0
> COMMMENTS            comments        5   x   7   0
> NONENGLISH           nonenglish      x   x   2   0
>
> BCC-3                bcc             3   x   1   0
> BCC-5                bcc             5   x   1   0
>
> SUBSPACE-15          subjectspaces   15  x   1   0
> SUBSPACE-25          subjectspaces   25  x   2   0
> SUBSPACE-40          subjectspaces   40  x   3   0
>
> Matt
>
>
> Nick Hayer wrote:
>
> >Jonathan,
> >
> >Here is my setup - hopefully it will help. Anyone feel free to tell
> >me what I have messed up...
> >
> > -Nick
> >
> >
> >#GLOBAL.CFG <edited>
> >#
> >#SETTINGS
> >##################################
> >CONSOLE ON
> >HOP 0
> >#HOPHIGH 1
> >IPBYPASS 127.0.0.1
> >LOOSENSPAMHEADERS OFF
> >LOGFILE spool\dec####.log
> >LOGLEVEL MID
> >PREWHITELIST ON
> >WHITELIST AUTH
> >XSENDER ON
> >XSPOOLNAME ON
> >
> >#HEADERS
> >##################################
> >XINHEADER X-Country-Chain: %COUNTRYCHAIN%
> >XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.
> >XINHEADER X-Note: Spam tests: %TESTSFAILED%.
> >XINHEADER X-Note: Reverse DNS: %REVDNS%.
> >XINHEADER X-Note: Header code: %HEADERCODE%
> >XINHEADER X-Note: Queue name: %QUEUENAME%
> >XOUTHEADER X-Note: Total spam weight of this e-mail is %WEIGHT%.
> >XOUTHEADER X-Note: Reverse DNS %REVDNS% .
> >
> >#FROMFILE
> >##################################
> >BADSENDERS   fromfile  e:\IMail\Declude\badaddresses.txt  x  5   0
> >KillListGen  fromfile  e:\IMail\Declude\Destination.txt   x  10  0
> >
> >#IPFILE
> >##################################
> >ipblacklist  ipfile  e:\IMail\Declude\filters\ipfile.txt  x  5  0
> >
> >#FILTERS
> >##################################
> >ADULTPHRASE           filter  e:\IMail\Declude\filters\adultphrase.txt           x  3    0
> >ANTI-GIBBERISHSUB     filter  e:\IMail\Declude\filters\Anti-GibberishSub.txt     x  -4   0
> >ANTI-Y!DIRECTED       filter  e:\IMail\Declude\filters\Anti-Y!Directed.txt       x  -11  0
> >BODYCURSE             filter  e:\IMail\Declude\filters\bodycurse.txt             x  3    0
> >BODYSEX               filter  e:\IMail\Declude\filters\bodysex.txt               x  3    0
> >COUNTRY               filter  e:\imail\declude\filters\country.txt               x  6    0
> >DBL                   filter  e:\IMail\Declude\filters\dbl.txt                   x  0    0
> >DNS_TESTS             filter  e:\IMail\Declude\filters\dns_tests.txt             x  0    0
> >DYNAMIC               filter  e:\IMail\Declude\filters\Dynamic.txt               x  3    0
> >FOREIGN               filter  e:\IMail\Declude\Filters\Foreign.txt               x  3    0
> >GIBBERISH             filter  e:\IMail\Declude\filters\Gibberish.txt             x  4    0
> >GIBBERISHSUB          filter  e:\IMail\Declude\filters\GibberishSub.txt          x  4    0
> >GMA_SENT              filter  e:\imail\declude\filters\gma.txt                   x  0    0
> >MALICIOUS             filter  e:\IMail\Declude\filters\viri.txt                  x  6    0
> >OBFUSCATION           filter  e:\IMail\Declude\filters\Obfuscation.txt           x  7    0
> >REVDNSCK              filter  e:\IMail\Declude\filters\revdns.txt                x  0    0
> >SUBJCURSE             filter  e:\IMail\Declude\filters\subjcurse.txt             x  3    0
> >SUBJSEX               filter  e:\IMail\Declude\filters\subjsex.txt               x  3    0
> >TLD-AFRICAN           filter  e:\IMail\Declude\Filters\TLD-African.txt           x  3    0
> >TLD-ASIAN             filter  e:\IMail\Declude\Filters\TLD-Asian.txt             x  3    0
> >TLD-CARIBBEAN         filter  e:\IMail\Declude\Filters\TLD-Caribbean.txt         x  3    0
> >TLD-CENTRALAMERICAN   filter  e:\IMail\Declude\Filters\TLD-CentralAmerican.txt   x  3    0
> >TLD-EASTERNEUROPEAN   filter  e:\IMail\Declude\Filters\TLD-EasternEuropean.txt   x  3    0
> >TLD-MIDDLEEASTERN     filter  e:\IMail\Declude\Filters\TLD-MiddleEastern.txt     x  3    0
> >TLD-OCEANIC           filter  e:\IMail\Declude\Filters\TLD-Oceanic.txt           x  3    0
> >TLD-SOUTHAMERICAN     filter  e:\IMail\Declude\Filters\TLD-SouthAmerican.txt     x  3    0
> >TLD-WESTERNEUROPEAN   filter  e:\IMail\Declude\Filters\TLD-WesternEuropean.txt   x  3    0
> >TLD-TRUSTED-HELO      filter  e:\IMail\Declude\Filters\TLD-Trusted-HELO.txt      x  0    0
> >TLD-TRUSTED-MAILFROM  filter  e:\IMail\Declude\Filters\TLD-Trusted-MAILFROM.txt  x  0    0
> >TLD-TRUSTED-REVDNS    filter  e:\IMail\Declude\Filters\TLD-Trusted-REVDNS.txt    x  0    0
> >VIRUSBLK              filter  e:\IMail\Declude\filters\virusblk.txt              x  50   0
> >WORDFILTER            filter  e:\IMail\Declude\filters\wordfilter.txt            x  3    0
> >XHEADERS              filter  e:\IMail\Declude\filters\xheaders.txt              x  0    0
> >Y!DIRECTED            filter  e:\IMail\Declude\filters\Y!Directed.txt            x  11   0
> >
> >#WHITELISTS
> >##################################
> >WHITELIST AUTH
> >WHITELIST HABEAS
> >WHITELIST REVDNS .amazon.com
> >WHITELIST REVDNS .ebay.com
> >WHITELIST REVDNS .expedia.com
> >
> >#IPR4
> >##################################
> >BLACKHOLE-BRAZIL    ip4r  brazil.blackholes.us           127.0.0.2   3
> >BLACKHOLE-CHINA     ip4r  china.blackholes.us            127.0.0.2   3
> >BLACKHOLE-HONGKONG  ip4r  hongkong.blackholes.us         127.0.0.2   3
> >BLACKHOLE-JAPAN     ip4r  japan.blackholes.us            127.0.0.2   3
> >BLACKHOLE-KOREA     ip4r  korea.blackholes.us            127.0.0.2   3
> >BLACKHOLE-LEVEL3    ip4r  level3.blackholes.us           127.0.0.2   3
> >BLACKHOLE-RR        ip4r  rr.blackholes.us               127.0.0.2   4
> >BLACKHOLE-RUSSIA    ip4r  russia.blackholes.us           127.0.0.2   3
> >BLACKHOLE-VERIO     ip4r  verio.blackholes.us            127.0.0.2   3
> >BLACKHOLE-XO        ip4r  xo.blackholes.us               127.0.0.2   3
> >BLITZEDALL          ip4r  opm.blitzed.org                *           7    0
> >BONDEDSENDER        ip4r  query.bondedsender.org         127.0.0.10  -20  0
> >CBL                 ip4r  cbl.abuseat.org                127.0.0.2   4    0
> >DSBL                ip4r  list.dsbl.org                  *           5    0
> >EASYNET-DNSBL       ip4r  blackholes.easynet.nl          127.0.0.2   5    0
> >EASYNET-DYNA        ip4r  dynablock.easynet.nl           127.0.0.2   4    0
> >EASYNET-PROXIES     ip4r  proxies.blackholes.easynet.nl  127.0.0.2   6    0
> >INTERSIL            ip4r  blackholes.intersil.net        127.0.0.2   4    0
> >NJABL               ip4r  dnsbl.njabl.org                127.0.0.2   5
> >ORDB                ip4r  relays.ordb.org                *           5    0
> >SBL                 ip4r  sbl.spamhaus.org               127.0.0.2   7    0
> >SBBL                ip4r  sbbl.they.com                  *           6    0
> >SORBS-DUL           ip4r  dnsbl.sorbs.net                127.0.0.10  6    0
> >SORBS-NOMAIL        ip4r  dnsbl.sorbs.net                127.0.0.12  5    0
> >SORBS-HTTP          ip4r  dnsbl.sorbs.net                127.0.0.2   5    0
> >SORBS-BLOCK         ip4r  dnsbl.sorbs.net                127.0.0.8   5    0
> >SORBS-MISC          ip4r  dnsbl.sorbs.net                127.0.0.4   5    0
> >SORBS-SMTP          ip4r  dnsbl.sorbs.net                127.0.0.5   5    0
> >SORBS-SOCKS         ip4r  dnsbl.sorbs.net                127.0.0.3   5    0
> >SORBS-SPAM          ip4r  dnsbl.sorbs.net                127.0.0.6   1    0
> >SORBS-WEB           ip4r  dnsbl.sorbs.net                127.0.0.7   5    0
> >SORBS-ZOMBIE        ip4r  dnsbl.sorbs.net                127.0.0.9   5    0
> >SPAMCOP             ip4r  bl.spamcop.net                 127.0.0.2   9    0
> >
> >#RHSBL
> >##################################
> >DNSFRAUD         rhsbl  in.dnsbl.org                       127.0.0.3   10  0
> >DNSILLEGAL       rhsbl  in.dnsbl.org                       127.0.0.5   10  0
> >DSN              rhsbl  dsn.rfc-ignorant.org               127.0.0.2   3   0
> >DNSPROMO         rhsbl  in.dnsbl.org                       127.0.0.4   10  0
> >EASYNET-DOMAINS  rhsbl  spamdomains.blackholes.easynet.nl  127.0.0.2   5   0
> >MAILPOLICE-BULK  rhsbl  bulk.rhs.mailpolice.com            127.0.0.2   8   0
> >MAILPOLICE-PORN  rhsbl  porn.rhs.mailpolice.com            127.0.0.2   10  0
> >NOABUSE          rhsbl  abuse.rfc-ignorant.org             127.0.0.4   2   0
> >NOPOSTMASTER     rhsbl  postmaster.rfc-ignorant.org        127.0.0.3   1   0
> >SORBS-BADCONF    rhsbl  dnsbl.sorbs.net                    127.0.0.11  3   0
> >
> >#WEIGHT TESTS
> >##################################
> >WEIGHT10    weight  x  x  10  0
> >WEIGHT15    weight  x  x  15  0
> >WEIGHT20    weight  x  x  20  0
> >WEIGHT24    weight  x  x  24  0
> >WEIGHT30    weight  x  x  30  0
> >WEIGHT35    weight  x  x  35  0
> >SPAM-VHIGH  weight  x  x  26  0
> >
> >#WEIGHT RANGE TESTS
> >##################################
> >SPAM-NONE  weightrange  x  x  0   4   0
> >SPAM-VLOW  weightrange  x  x  5   9   0
> >SPAM-LOW   weightrange  x  x  10  14  0
> >SPAM-MID   weightrange  x  x  15  19  0
> >SPAM-HIGH  weightrange  x  x  20  25  0
> >
> >#OTHER TESTS
> >##################################
> >BADHEADERS       badheaders       x   x  8   0
> >BASE64           base64           x   x  4   0
> >BYPASSWHITELIST  bypasswhitelist  35  2  0   0
> >CATCHALLMAILS    catchallmails    x   x  0   0
> >COMMENTS         comments         x   x  7   0
> >HELOBOGUS        helovalid        x   x  6   0
> >HEUR10           heuristics       10  x  3   0
> >IPNOTINMX        ipnotinmx        x   x  0   -3
> >MAILFROM         envfrom          x   x  12  0
> >NOLEGITCONTENT   nolegitcontent   x   x  0   -5
> >NON_ENGLISH      nonenglish       x   x  1   0
> >PERCENT          percent          x   x  10  0
> >REVDNS           revdnsexists     x   x  4   0
> >ROUTING          spamrouting      x   x  4   0
> >SNIFFER          external  nonzero  "e:\Sniffer\sniffer2.exe xnk05x5vmipeaof7"  9  0
> >SPAMCHK          external  weight   "e:\imail\declude\spamchk\spamchk.exe"
> >SPAMDOMAINS      spamdomains      e:\IMail\Declude\sd.txt  x  6  0
> >SPAMHEADERS      spamheaders      x   x  3   0
> >SUBJECTCHARS     subjectchars     60  x  3   0
> >SUBJECTSPACES    subjectspaces    15  x  3   0
> >##################################
> >
> >#OUTGOING ACTIONS
> >#====================================================================
> >#============================ # DELETE
> >BADSENDERS   DELETE
> >IPBLACKLIST  DELETE
> >KILLLISTGEN  DELETE
> >WEIGHT35     DELETE
> >#====================================================================
> >#============================ # HOLD
> >WEIGHT30     HOLD
> >#====================================================================
> >#============================ # SUBJECT
> >Spam-LOW    SUBJECT  [Possible Spam(low)]-
> >Spam-MID    SUBJECT  [Possible Spam(mid)]-
> >Spam-HIGH   SUBJECT  [Possible Spam(high)]-
> >Spam-VHIGH  SUBJECT  [Possible Spam(vhigh)]-
> >#====================================================================
> >#============================ # WARNINGS IP4R
> >BLACKHOLE-BRAZIL    WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >BLACKHOLE-CHINA     WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >BLACKHOLE-HONGKONG  WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >BLACKHOLE-JAPAN     WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >BLACKHOLE-KOREA     WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >BLACKHOLE-LEVEL3    WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >BLACKHOLE-RR        WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >BLACKHOLE-RUSSIA    WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >BLACKHOLE-VERIO     WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >BLACKHOLE-XO        WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >BLITZEDALL          WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >BONDEDSENDER        WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >CBL                 WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >DSBL                WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >EASYNET-DNSBL       WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >EASYNET-DYNA        WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >EASYNET-PROXIES     WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >INTERSIL            WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >NJABL               WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >ORDB                WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >SBL                 WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >SBBL                WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >SORBS-DUL           WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >SORBS-NOMAIL        WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >SORBS-HTTP          WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >SORBS-BLOCK         WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >SORBS-MISC          WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >SORBS-SMTP          WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >SORBS-SOCKS         WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >SORBS-SPAM          WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >SORBS-WEB           WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >SORBS-ZOMBIE        WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >SPAMCOP             WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >#====================================================================
> >#============================ # WARNINGS RHSBL
> >DNSFRAUD         WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >DNSILLEGAL       WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >DNSPROMO         WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >EASYNET-DOMAINS  WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >DSN              WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >MAILPOLICE-BULK  WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >MAILPOLICE-PORN  WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >NOABUSE          WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >NOPOSTMASTER     WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >SORBS-BADCONF    WARN  X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
> >##################################
> >
> >#====================================================================
> >#============================ # WARNINGS OTHER
> >XHEADERS  WARN  X-Note: [%TESTNAME%] %WARNING%
> >
> >
> >Date sent:      Tue, 11 Nov 2003 17:06:27 -0600
> >To:             [EMAIL PROTECTED]
> >From:           Jonathan <[EMAIL PROTECTED]>
> >Subject:        [Declude.JunkMail] Junkmail Tests and Configs
> >Send reply to:  [EMAIL PROTECTED]
> >
> >>In an effort to clean up our junkmail configs, and only use valid
> >>tests, we cleaned out our previous tests (old services that were
> >>dead etc) and replaced them with the ones currently in the declude
> >>help files. Since then, we've been seeing complaints of increased
> >>spam/etc. Does anyone have some good configs they'd be willing to
> >>share? Good RBLs to use/etc. I'd really appreciate it, it's getting
> >>pretty bad here. :)
> >>
> >>Jonathan
> >>
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.