Sorry about that.

Subject Tag 12
Hold 20
Delete 30+


Darrell
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.



John Olden writes:


You mention that he should adjust for the weight of his system, but you do
not let him know what weighting system you are using. Can you expand on
that? I.e. Hold at >10, Delete at >20 Thanks.


John Olden
Systems Administrator
Champaign Park District


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, March 04, 2005 9:47 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Beginner configuration?


Joey,

A couple of thoughts.

1.) Look at adding a content test like invURIBL or Message Sniffer. Both
have trials.
2.) I would not give a negative weight for BONDEDSENDER or SPFPASS. Spammers
can easily set up SPF records.
3.) Add a few of the other RBL style tests. Make sure you adjust the weight
for your system and add the corresponding entries in the $default$.junkmail
file.
XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 12 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 4 0
UCEPROTECT-LAST dnsbl %IP4R%.dnsbl-1.uceprotect.net 127.0.0.2 6 0
UCEPROTECT-ALL ip4r dnsbl-1.uceprotect.net 127.0.0.2 2 0
SENDERDB-BLACK ip4r pub.senderdb.net 127.0.0.2 10 0
SENDERDB-SUSPICIOUS ip4r pub.senderdb.net 127.0.0.4 4 0
MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 9 0
MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 12 0
MAILPOLICE-FRAUD rhsbl fraud.rhs.mailpolice.com 127.0.0.2 10 0



Darrell


Joey Proulx writes:

Thank you for the response. Here is my global.cfg file:

#========================================= ADVANCED OPTIONS =================================

CONSOLE ON

#IPBYPASS 192.0.2.25

HOP 0
#HOPHIGH 1


#DNS 127.0.0.1

HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT

CATCHALLMAILS catchallmails x x 0 0
NOLEGITCONTENT nolegitcontent x x 0 -5
IPNOTINMX ipnotinmx x x 0 -3


#========================================= WHITELISTS =======================================

#WHITELIST HABEAS
#AUTOWHITELIST ON
PREWHITELIST ON
WHITELIST AUTH


# ----- Domain Example -----
WHITELIST FROM @declude.com
WHITELIST FROM @munis.com


# ----- User Example -----
WHITELIST FROM [EMAIL PROTECTED]


# ----- TO Example -----
#WHITELIST TO postmaster@
#WHITELIST TO abuse@


#========================================= BLACKLISTS =======================================

#BLACKLIST      fromfile        [path]\Filters\blacklist.txt    x       10      0
#BLACKIP        ipfile          [path]\Filters\blackip.txt      x       10      0

#========================================= RBL IP4R TESTS ==========================================
# 1. Definitions of the tests to use (do not edit unless you know what you are doing). These must come before the actions.
# 2. First is the name of the check, then the type of check (ip4r is a DNS lookup using the reverse of the IP address).
# 3. For type ip4r, 'matchstring' is the string to look for, or "*" for anything.


AHBL            ip4r    dnsbl.ahbl.org                  *               6       0
BLITZEDALL      ip4r    opm.blitzed.org                 *               7       0
CBL             ip4r    cbl.abuseat.org                 127.0.0.2       6       0
DSBL            ip4r    list.dsbl.org                   *               6       0
ORDB            ip4r    relays.ordb.org                 *               5       0
SBL             ip4r    sbl.spamhaus.org                *               7       0
SORBS-HTTP      ip4r    dnsbl.sorbs.net                 127.0.0.2       5       0
SORBS-SOCKS     ip4r    dnsbl.sorbs.net                 127.0.0.3       5       0
SORBS-MISC      ip4r    dnsbl.sorbs.net                 127.0.0.4       5       0
SORBS-SMTP      ip4r    dnsbl.sorbs.net                 127.0.0.5       5       0
SORBS-SPAM      ip4r    dnsbl.sorbs.net                 127.0.0.6       4       0
#SORBS-WEB      ip4r    dnsbl.sorbs.net                 127.0.0.7       5       0
SORBS-BLOCK     ip4r    dnsbl.sorbs.net                 127.0.0.8       5       0
SORBS-ZOMBIE    ip4r    dnsbl.sorbs.net                 127.0.0.9       5       0
SORBS-DUHL      ip4r    dnsbl.sorbs.net                 127.0.0.10      4       0
SPAMCOP         ip4r    bl.spamcop.net                  127.0.0.2       7       0
#MTLDB          ip4r    mtldb.declude.com               127.0.0.2       3       0

BONDEDSENDER    ip4r    query.bondedsender.org          127.0.0.10      -10     0

#ADDITIONAL USED RBL IP4R TESTS
#FIVETENSRC     ip4r    blackholes.five-ten-sg.com      127.0.0.2       2       0
#JAMMDNSBL      ip4r    dnsbl.jammconsulting.com        127.0.0.2       2       0

#========================================= RHBSL TESTS ==========================================

DSN             rhsbl   dsn.rfc-ignorant.org            127.0.0.2       3       0
#NOABUSE        rhsbl   abuse.rfc-ignorant.org          127.0.0.4       2       0
#NOPOSTMASTER   rhsbl   postmaster.rfc-ignorant.org     127.0.0.3       1       0

#========================================= OTHER TESTS ==========================================

BADHEADERS badheaders x x 8 0
BASE64 base64 x x 4 0
CMDSPACE cmdspace x x 8 0
COMMENTS comments x x 7 0
HELOBOGUS helovalid x x 4 0
MAILFROM envfrom x x 12 0
PERCENT percent x x 10 0
REVDNS revdnsexists x x 4 0
ROUTING spamrouting x x 2 0
SPAMHEADERS spamheaders x x 3 0
SPFFAIL spffail x x 3 0
SPFPASS spfpass x x -3 0


#BCC bcc 20 x 5 0
NONENGLISH nonenglish x x 0 0
#SUBJECTCHARS subjectchars 50 x 0 0
#SUBJECTSPACES subjectspaces 12 x 5 0


#=========================================== FILTERS ===============================================

#SUBJECT        filter          [path]\Filters\Subject.txt              x       0       0
#WORD           filter          [path]\Declude\Filters\Word.txt         x       0       0


#========================================= 3RD PARTY =============================================


#SNIFFER external nonzero "[path]\Sniffer\snfrv2r2.exe xnk05x5vmipeaof7"
#SPAMCHK external nonzero "[path]\Spamchk\spamchk.exe" 1 0


#========================================= TRIGGERS ==============================================


WEIGHT10 weight x x 10 0
WEIGHT14 weight x x 14 0
WEIGHT20 weight x x 20 0


#========================================= ADDITIONAL TESTS ========================================
# The following tests are commented out by default because they are not commonly used (or they require a subscription).


#BADWHOIS       rhsbl   whois.rfc-ignorant.org          127.0.0.5     3       0
#BLARS          ip4r    block.blars.org                 *             4       0
#BOGONS         ip4r    bogons.cymru.com                127.0.0.2     4       0
#COMPU          ip4r    blackhole.compu.net             127.0.0.4     5       0
#DEVNULL        ip4r    dev.null.dk                     127.0.0.2     5       0
#DORKS          ip4r    orbs.dorkslayers.com            127.0.0.2     5       0
#DORKZTL        ip4r    ztl.dorkslayers.com             127.0.0.2     5       0
#DSBLALL        ip4r    unconfirmed.dsbl.org            *             4       0
#DUL            ip4r    dialups.mail-abuse.org          127.0.0.3     5       0
#FIVETENDUL     ip4r    blackholes.five-ten-sg.com      127.0.0.3     5       0
#FIVETENOPTIN   ip4r    blackholes.five-ten-sg.com      127.0.0.4     5       0
#FIVETENOTHER   ip4r    blackholes.five-ten-sg.com      127.0.0.5     5       0
#FIVETENSRC     ip4r    blackholes.five-ten-sg.com      127.0.0.2     5       0
#FLOWGO         ip4r    flowgoaway.com                  127.0.0.2     5       0
#GUARDBLOCK     ip4r    spamguard.leadmon.net           127.0.0.7     3       0
#GUARDBULK      ip4r    spamguard.leadmon.net           127.0.0.4     3       0
#GUARDDUL       ip4r    spamguard.leadmon.net           127.0.0.2     3       0
#GUARDMULTI     ip4r    spamguard.leadmon.net           127.0.0.6     3       0
#GUARDSINGLE    ip4r    spamguard.leadmon.net           127.0.0.5     3       0
#GUARDSRC       ip4r    spamguard.leadmon.net           127.0.0.3     3       0
#INTERSIL       ip4r    blackholes.intersil.net         127.0.0.2     5       0
#IPWHOIS        ip4r    ipwhois.rfc-ignorant.org        127.0.0.6     3       0
#NJABL          ip4r    dnsbl.njabl.org                 127.0.0.2     5       0
#NJABLDUL       ip4r    dnsbl.njabl.org                 127.0.0.3     5       0
#RBL            ip4r    blackholes.mail-abuse.org       127.0.0.2     5       0
#RSS            ip4r    relays.mail-abuse.org           127.0.0.2     5       0
#SELWERD        ip4r    xbl.selwerd.cx                  127.0.0.2     5       0
#SPAMBAG        ip4r    blacklist.spambag.org           127.0.0.2     5       0
#SPAMTR         ip4r    rbl.spam.org.tr                 127.0.0.2     5       0
#SUMMIT         ip4r    blackholes.2mbit.com            127.0.0.2     5       0
#V6NET          ip4r    spammers.v6net.org              127.0.0.2     5       0
#VISI           ip4r    relays.visi.com                 127.0.0.2     5       0
#ZTA ip4r zta.birdsong.org * 5 0
#RBLPLUS ip4r rbl-plus.mail-abuse.org 127.1.0.1
#DULPLUS ip4r rbl-plus.mail-abuse.org 127.1.0.2
#RBLANDDUL ip4r rbl-plus.mail-abuse.org 127.1.0.3
#RSSPLUS ip4r rbl-plus.mail-abuse.org 127.1.0.4
#RBLANDRSS ip4r rbl-plus.mail-abuse.org 127.1.0.5
#DULANDRSS ip4r rbl-plus.mail-abuse.org 127.1.0.6
#MAPSALL ip4r rbl-plus.mail-abuse.org 127.1.0.7




#========================================= OUTBOUND =============================================
# The actions listed below only apply to outgoing E-mail, and only if you have the "Pro" version. Note that the DUL test should NOT
# be used to block outgoing mail!


AHBL WARN
BLITZEDALL WARN
CBL WARN
DSBL WARN
ORDB WARN
SBL WARN
SORBS-HTTP WARN
SORBS-SOCKS WARN
SORBS-MISC WARN
SORBS-SMTP WARN
SORBS-SPAM WARN
SORBS-WEB WARN
SORBS-BLOCK WARN
SORBS-ZOMBIE WARN
SORBS-DUHL WARN
SPAMCOP WARN


DSN WARN
NOABUSE WARN
NOPOSTMASTER WARN


BADHEADERS WARN
BASE64 WARN
CMDSPACE WARN
COMMENTS WARN
HELOBOGUS WARN
IPNOTINMX IGNORE
MAILFROM WARN
NOLEGITCONTENT IGNORE
PERCENT HOLD
REVDNS WARN
ROUTING WARN
SPAMHEADERS WARN


#SNIFFER WARN

WEIGHT10 WARN
WEIGHT20 WARN



#BADWHOIS WARN
#BLARS WARN
#BOGONS WARN
#CATCHALLMAILS IGNORE
#COMPU WARN
#DEVNULL WARN
#DORKS WARN
#DORKZTL WARN
#DSBLALL WARN
#DUL WARN
#FIVETENDUL WARN
#FIVETENOPTIN WARN
#FIVETENOTHER WARN
#FIVETENSRC WARN
#FLOWGO WARN
#GUARDBLOCK WARN
#GUARDBULK WARN
#GUARDDUL WARN
#GUARDMULTI WARN
#GUARDSINGLE WARN
#GUARDSRC WARN
#HEUR WARN
#INTERSIL WARN
#IPWHOIS WARN
#NJABL WARN
#NJABLDUL WARN
#NONENGLISH WARN
#RBL WARN
#RSS WARN
#SELWERD WARN
#SPAMBAG WARN
#SPAMTR WARN
#SUMMIT WARN
#V6NET WARN
#VISI WARN
#ZTA WARN


#RBLPLUS WARN
#DULPLUS WARN
#RBLANDDUL WARN
#RSSPLUS WARN
#RBLANDRSS WARN
#DULANDRSS WARN
#MAPSALL WARN


#BCC WARN
#NONENGLISH WARN
#SPAMDOMAINS WARN
#SUBJECTCHARS WARN
#SUBJECTSPACES WARN


I haven't changed much, only commented out a couple tests that were causing me trouble. I can certainly use the IP whitelist trick, thank you. Couple more questions:

Seems like a URL filter would be very easy to implement (assuming of course you nab that first spam message to add it to the list). Is this something you all use, and if so, is there a de facto list I can start with? Perhaps the one that Imail pushes out?

Also, I know there has been some discussion on this list, but if a message has a weight that indicated HOLD and also ROUTETO, does it do both? It looks like it is right now. I have my weights of 10 set to HOLD, and those same messages I'm seeing in the held dir are also showing up in my ROUTETO box. Especially where I plan to delete messages over 20 in the near future, I'd like to figure this part out.

Thanks.

Joey

At 09:17 AM 3/4/2005, you wrote:
Joey,
Declude is very effective when tweaked. Not to mention the default global.cfg ships without all of the RBL's that most of us use (XBL, UCE, MAIL-POLICE, SENDERDB). Also, there are other 3rd party utilities which are very effective at catching spam like invURIBL and Message Sniffer.
Both of those applications have trial versions.
Are you still using the default scale? Since you have been working with your global.cfg you might want to post it to the list for us to look over it and see what you have done so far as to make suggestions.
For your clients that you are not in control of I would imagine that you know the ip blocks they come from or the firewall ip that they are behind that. You can whitelist that ip so that them failing the cmdspace will not be a factor. CMDSPACE is very effective but direct connects from clients using outlook will set that off.
For SPAMHEADERS I use "LOOSENSPAMHEADERS ON" this relaxes the spamheaders test so that it does not trigger on missing message ID emails.
Hope that helps,
Darrell


Joey Proulx writes:
Hello,
Just downloaded the demo version of Junkmail Pro, and I was curious about the basic setup. For the last two days I've monitored and tweaked and held and redirected and spent hours upon hours looking over the junkmail setup and rules and whatnot. I'm wondering if I'm reinventing the wheel.
I work for a school district with a big spam problem, but as any of you in gov't know, if I tell them we should buy something I need to make sure it works. I was just wondering if there are any tried and true setups that any of you are using to cut down on the spam. I'm seeing that this system works, but I'm also still running the built-in Imail filter, and I've seen quite a few messages that get caught by Imail, but have a Declude score of 0, that should NOT have made it through. Do you all still run the builtin Imail spam as well? Any filters I should definitely setup?
I'm seeing a lot of CMDSPACE and SPAMHEADERS (missing MessageID header) from some local clients (I don't control all my clients, so I don't think I can make them authenticate). Should I do away with these tests, or can I fix these two issues on the server side?
Thanks for all your help.
_____________________________
Joey Proulx
SAU #21 Technology Support Staff
2 Alumni Drive
Hampton, NH 03842
(603) 926-8992, ext 115
[EMAIL PROTECTED]


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
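
Added example (not part of the original thread, and not Declude's own code): a Python sketch of how the ip4r test lines and weight scales discussed in this thread turn into an action for one message. It assumes column 5 is the weight added when a test triggers and column 6 the weight added when it does not, that a threshold fires at weight >= its value, and that the highest threshold reached decides; the DNS answers are constructed for the documentation address 192.0.2.25.

```python
import ipaddress

# Definition lines taken from the thread: NAME TYPE ZONE MATCH WEIGHT WEIGHT-IF-NOT-TRIGGERED
DEFS = """
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 4 0
CBL      ip4r cbl.abuseat.org      127.0.0.2 6 0
DSBL     ip4r list.dsbl.org        *         6 0
SPAMCOP  ip4r bl.spamcop.net       127.0.0.2 7 0
REVDNS   revdnsexists x x 4 0
SPFPASS  spfpass      x x -3 0
"""
DARRELL = [(12, "SUBJECT TAG"), (20, "HOLD"), (30, "DELETE")]  # scale from Darrell's reply
LOW = [(10, "HOLD"), (20, "DELETE")]                           # hold at 10, delete at 20

def ip4r_name(ip, zone):
    """192.0.2.25 + zone -> 25.2.0.192.zone (reversed octets, as the ip4r comment says)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def parse_defs(text):
    rows = [l.split() for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return [(n, k, z, m, int(hit), int(miss)) for n, k, z, m, hit, miss in rows]

def score(ip, tests, dns_answers, local_hits):
    """Return (total weight, names of triggered tests)."""
    total, fired = 0, []
    for name, kind, zone, match, w_hit, w_miss in tests:
        if kind == "ip4r":
            answers = dns_answers.get(ip4r_name(ip, zone), [])  # no record = not listed
            hit = bool(answers) if match == "*" else match in answers
        else:
            hit = name in local_hits  # non-DNS tests: result supplied by the caller
        total += w_hit if hit else w_miss
        if hit:
            fired.append(name)
    return total, fired

def action(weight, scale):
    """Assumption: a threshold triggers at weight >= value; the highest one reached wins."""
    reached = [act for threshold, act in sorted(scale) if weight >= threshold]
    return reached[-1] if reached else "DELIVER"

# Constructed DNS answers for the documentation address 192.0.2.25 (not real listings).
ANSWERS = {
    "25.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.4"],
    "25.2.0.192.cbl.abuseat.org": ["127.0.0.2"],
    "25.2.0.192.list.dsbl.org": ["127.0.0.2"],
}

if __name__ == "__main__":
    for local in ({"REVDNS"}, {"REVDNS", "SPFPASS"}):
        w, fired = score("192.0.2.25", parse_defs(DEFS), ANSWERS, local)
        print(w, fired, action(w, DARRELL), action(w, LOW))
```

With these constructed answers the total is 20, which is HOLD on Darrell's scale and DELETE on a hold-10/delete-20 scale. Once SPFPASS also triggers, its -3 drops the total to 17 and the message is only tagged on Darrell's scale, which is the effect his point 2 is about.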
