Matt,

For the dyna/dul tests I thought the test name had to end with either DYNA or DUL. I noticed you use (DYNA) - does it (declude) just look for the word dyna or dul to limit it to one hop?

Darrell

Matt writes:

I basically came up with a rule where the (DYNA) test gets 3/4 to 2/3 of the points, and the (ALL) test gets 1/4 to 1/3 of the points. To err on the side of caution, I would step the points up on the (DYNA) test until it reached 3/4 and then I would add another point to the (ALL) test, i.e.

3 = 2 & 1
4 = 3 & 1
5 = 4 & 1
6 = 4 & 2
7 = 5 & 2
8 = 6 & 2
9 = 7 & 2
10 = 7 & 3


Here's my current list of split tests; the hardest part is understanding which ones qualify, and that can take some reading:

# Relay Lists (staggered scoring per hop)
AHBL-PROXIES(DYNA) ip4r dnsbl.ahbl.org 127.0.0.3 3 0
AHBL-PROXIES(ALL) ip4r dnsbl.ahbl.org 127.0.0.3 1 0
BLITZEDALL(DYNA) ip4r opm.blitzed.org * 5 0
BLITZEDALL(ALL) ip4r opm.blitzed.org * 2 0
DSBL(DYNA) ip4r list.dsbl.org 127.0.0.2 5 0
DSBL(ALL) ip4r list.dsbl.org 127.0.0.2 2 0
FIVETEN-MISC(DYNA) ip4r blackholes.five-ten-sg.com 127.0.0.9 3 0
FIVETEN-MISC(ALL) ip4r blackholes.five-ten-sg.com 127.0.0.9 1 0
FIVETEN-MULTI(DYNA) ip4r blackholes.five-ten-sg.com 127.0.0.5 3 0
FIVETEN-MULTI(ALL) ip4r blackholes.five-ten-sg.com 127.0.0.5 1 0
NJABL-RELAYS(DYNA) ip4r dnsbl.njabl.org 127.0.0.2 3 0
NJABL-RELAYS(ALL) ip4r dnsbl.njabl.org 127.0.0.2 1 0
ORDB(DYNA) ip4r relays.ordb.org * 5 0
ORDB(ALL) ip4r relays.ordb.org * 2 0
SORBS-HTTP(DYNA) ip4r dnsbl.sorbs.net 127.0.0.2 4 0
SORBS-HTTP(ALL) ip4r dnsbl.sorbs.net 127.0.0.2 2 0
SORBS-MISC(DYNA) ip4r dnsbl.sorbs.net 127.0.0.4 4 0
SORBS-MISC(ALL) ip4r dnsbl.sorbs.net 127.0.0.4 2 0
SORBS-SMTP(DYNA) ip4r dnsbl.sorbs.net 127.0.0.5 4 0
SORBS-SMTP(ALL) ip4r dnsbl.sorbs.net 127.0.0.5 2 0
SORBS-SOCKS(DYNA) ip4r dnsbl.sorbs.net 127.0.0.3 4 0
SORBS-SOCKS(ALL) ip4r dnsbl.sorbs.net 127.0.0.3 2 0
NJABL-PROXIES(DYNA) ip4r dnsbl.njabl.org 127.0.0.9 6 0
NJABL-PROXIES(ALL) ip4r dnsbl.njabl.org 127.0.0.9 2 0
NJABL-MULTI(DYNA) ip4r dnsbl.njabl.org 127.0.0.5 3 0
NJABL-MULTI(ALL) ip4r dnsbl.njabl.org 127.0.0.5 1 0



# Spam Traps (staggered scoring per hop)
SPAMCOP(DYNA) ip4r bl.spamcop.net 127.0.0.2 4 0
SPAMCOP(ALL) ip4r bl.spamcop.net 127.0.0.2 2 0
XBL(DYNA) ip4r sbl-xbl.spamhaus.org 127.0.0.4 6 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0


It's of course ugly, but I believe it makes the most sense to do it this way. I did this at the same time that I moved over to multiple hop testing (I test the last 4 hops since my server can handle it currently and that helps with forwarding). I've only seen a few FP's as a result of tagged zombies sending legit E-mail, maybe a couple a week and always just barely failing. Note that all of these scores are based on a hold weight of 10 or 13.

Matt



DLAnalyzer Support wrote:

Matt,
That's actually a very good idea I am going to incorporate. How did you come up with the scoring balance between first and second hop?
Darrell
Matt writes:


You need to segment your tests between Spamtraps/Zombies/Relays and Static Sources. Static sources such as SBL should have no increase in FP's over multiple hops, however XBL, SpamCop, ORDB and others will. What I do is trick Declude into splitting the test scores giving the last hop a higher score than a hit that sits before the last hop, but only for the Spamtraps/Zombies/Relays types of tests. Here's an example:
# Spam Traps (staggered scoring per hop)
SPAMCOP(DYNA) ip4r bl.spamcop.net 127.0.0.2 4 0
SPAMCOP(ALL) ip4r bl.spamcop.net 127.0.0.2 2 0
XBL(DYNA) ip4r sbl-xbl.spamhaus.org 127.0.0.4 6 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0
The (DYNA) part of the name makes Declude only use that test on the last hop, while the (ALL) has no special function and it will hit on any hop that is scanned. Last hop hits will score both, but prior hop hits will only score the (ALL) version for a lower score. This definitely helped my spam capture rates, but I have caught some zombies that were sending legitimate E-mail, though they score very low and many of them pass.
I've suggested before that extra columns be added to Declude for such tests so that we can control the score they give according to the hop that they hit on. The full description of this suggestion is in the recent archives.
Note that negative weight tests need to be kept exclusively to the last hop because they do get spoofed in forged headers, and also, RHSBL tests are not hop aware since they pull a domain from the MAILFROM instead of the hops, so you don't need to do anything special with these tests.
Matt


DLAnalyzer Support wrote:

We are currently set up using "HOPHIGH 1". With a HOPHIGH setting of 1, what we are seeing is an increase in messages that are getting caught with XBL, DSBL, SORBS, and other tests along this line on the second HOP even though they were legit messages that were sent through normal ISP servers.
How many folks are using HOPHIGH 1? Also, for tests like XBL, DSBL, and others along this line are you changing them to XBL-DUL to only work on the first HOP?
Thanks
Darrell
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.



--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
------------------------------------------------
Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com
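Matt's staggered (DYNA)/(ALL) scoring from the thread, simulated in Python as an added example (this is not Declude's code and not something any poster wrote). It parses test lines in the format quoted above, treats a name containing (DYNA) as last-hop-only exactly as Matt describes, and scores a message for a given HOPHIGH. The hop addresses, the DNSBL answers, the column meaning (fail weight then pass weight) and the reading of HOPHIGH n as "last hop plus n earlier hops" are assumptions made for the example.

```python
# Added example: simulate Declude-style hop-aware scoring of (DYNA)/(ALL) test pairs.
# Assumed column meaning: name, type, zone, expected answer, fail weight, pass weight.
CONFIG = """
# Spam Traps (staggered scoring per hop), copied from the thread
SPAMCOP(DYNA) ip4r bl.spamcop.net 127.0.0.2 4 0
SPAMCOP(ALL) ip4r bl.spamcop.net 127.0.0.2 2 0
XBL(DYNA) ip4r sbl-xbl.spamhaus.org 127.0.0.4 6 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0
ORDB(DYNA) ip4r relays.ordb.org * 5 0
ORDB(ALL) ip4r relays.ordb.org * 2 0
"""

# Constructed stand-in for DNSBL lookups: (zone, ip) -> A record, so no real DNS is needed.
LISTINGS = {
    ("bl.spamcop.net", "203.0.113.10"): "127.0.0.2",        # spamtrap hit
    ("sbl-xbl.spamhaus.org", "198.51.100.7"): "127.0.0.4",  # XBL (zombie) hit
    ("relays.ordb.org", "192.0.2.99"): "127.0.0.9",         # open relay, any answer counts
}

def parse_tests(text):
    """Parse ip4r test lines; a name containing (DYNA) is evaluated on the last hop only."""
    tests = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _kind, zone, result, fail_w, _pass_w = line.split()
        tests.append({"name": name, "zone": zone, "result": result,
                      "fail": int(fail_w), "last_hop_only": "(DYNA)" in name})
    return tests

def listed(zone, ip, wanted):
    """True if the zone lists ip with the wanted answer ('*' accepts any answer)."""
    answer = LISTINGS.get((zone, ip))
    return answer is not None and (wanted == "*" or answer == wanted)

def score(hops, hophigh, tests):
    """hops[0] is the connecting MTA (last hop); HOPHIGH n also scans the n hops before it."""
    scanned = hops[:1 + hophigh]
    total, hits = 0, []
    for t in tests:
        candidates = scanned[:1] if t["last_hop_only"] else scanned
        if any(listed(t["zone"], ip, t["result"]) for ip in candidates):
            total += t["fail"]
            hits.append(t["name"])
    return total, hits
```

A zombie that connects directly scores both halves of the pair, while legitimate mail from a listed home address relayed through an ISP MTA only scores the (ALL) half on the earlier hop, which is the FP reduction Matt describes.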