Thank you

Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON, N2M 1L2
519-741-1222

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
> Sent: Tuesday, October 11, 2005 11:15 AM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] declude 3.05.5, Invuribl & sniffer
>
> A couple of quick suggestions:
>
> You are double-scoring here:
> SBL ip4r sbl-xbl.spamhaus.org * 28 0
> SPAMHAUS ip4r sbl.spamhaus.org 127.0.0.2 25 0
>
> The XBL wholly incorporates data from three highly-trusted DNSBL sources:
> - the CBL (Composite Block List) from cbl.abuseat.org
> - the BOPM (Blitzed Open Proxy Monitor) from opm.blitzed.org
> - the NJABL open proxy IPs list from www.njabl.org.
>
> and
>
> MAILPOLICE-BLOCK incorporates both of the mailpolice lists
> block.rhs.mailpolice.com - consolidated list of bulk-senders,
> pornographic, and fraud sites one less DNS call
>
>
> ----- Original Message -----
> From: "Harry Vanderzand" <[EMAIL PROTECTED]>
> To: <Declude.JunkMail@declude.com>
> Sent: Tuesday, October 11, 2005 8:58 AM
> Subject: [Declude.JunkMail] declude 3.05.5, Invuribl & sniffer
>
>
> > I think I have finally got my server improved to the point where it is
> > running smoothly and spam is getting caught to the level I have been used
> > to. (If not better)
> >
> > It has been a combination of finding the right declude.cfg settings for my
> > hardware (dual xeon 3.4 ...) and also implementing Invuribl to catch this
> > new wave of SPAM that came out at the same time we were all switching to
> > 3.05.5. I set up the trial of invuribl and found it a worthwhile addition
> > so I will be acquiring a licence.
> >
> > As Invuribl takes care of some of the tests that pre-existed in my
> > global.cfg I would not mind seeing a global.cfg file that has been tuned
> > for invuribl and sniffer. Sniffer is NOT running in persistent mode as that I
> > cannot get going (everything starts backlogging)
> >
> > As I know many of you are into this tuning exercise I will include my
> > various setup files, global.cfg followed by invuribl.exe.config and
> > declude.cfg.
> >
> > Any tuning assistance will be greatly appreciated.
> >
> > Thank you
> >
> > GLOBAL.CFG:
> > #
> > # Declude JunkMail configuration file
> > #
> >
> > PIDDEBUG OFF
> >
> > CODE XXXXXXXX
> >
> > # The "####" in the LOGFILE option gets replaced with the month/date with v1.11 and higher
> >
> > LOGFILE declude\dec####.log
> > LOGLEVEL LOW
> > HOP 0
> > #HOPHIGH 1
> > LOG_OK NONE
> > #
> > # Below are some advanced options
> > #
> >
> > STOPPROCESSINGONFIRSTDELETE ON
> > CONSOLE OFF
> > HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT
> > XSENDER ON
> > XSPOOLNAME ON
> >
> > XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.
> > XINHEADER X-Note: Spam Tests Failed: %TESTSFAILEDWITHWEIGHTS%
> > XINHEADER X-Note: REMOTEIP: %REMOTEIP%
> > XINHEADER X-Note: REVDNS: %REVDNS%
> > XINHEADER X-Note: FROM: %MAILFROM%
> > XINHEADER X-Note: TO: %RECIPHOST%
> >
> >
> > XINHEADER X-Spam-Tests-Failed: %TESTSFAILED% [%WEIGHT%]
> > XOUTHEADER X-Spam-Tests-Failed: %TESTSFAILED% [%WEIGHT%]
> > #XINHEADER X-Country-Chain: %COUNTRYCHAIN%
> > #XOUTHEADER X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
> > #IPBYPASS 127.0.0.1
> > #XOUTHEADER Organization: inTown Internet
> > #WHITELIST HABEAS
> >
> > WHITELIST AUTH
> >
> > #
> > # Definitions of the tests to use (do not edit unless you know what you are doing).
> > # These must come before the actions.
> > #
> > # First is the name of the check, then the type of check (ip4r is a DNS lookup using
> > # the reverse of the IP address).
> > #
> > # For type ip4r, 'matchstring' is the string to look for, or "*" for anything.
> > #
> >
> > SPFFAIL              spffail  x                                          x           3    0
> >
> > AHBL                 ip4r     dnsbl.ahbl.org                             *           5    0
> >
> > DSBL                 ip4r     list.dsbl.org                              *           8    0
> > ORDB                 ip4r     relays.ordb.org                            *           5    0
> > SBL                  ip4r     sbl-xbl.spamhaus.org                       *           28   0
> >
> > SBBL                 ip4r     sbbl.they.com                              127.0.0.2   4    0
> >
> > SOLID                ip4r     dnsbl.solid.net                            127.0.0.2   5    0
> >
> > EASYNET-PROXIES      ip4r     proxies.blackholes.easynet.nl              127.0.0.2   7    0
> > SORBS-HTTP           ip4r     dnsbl.sorbs.net                            127.0.0.2   8    0
> > SORBS-SOCKS          ip4r     dnsbl.sorbs.net                            127.0.0.3   8    0
> > SORBS-MISC           ip4r     dnsbl.sorbs.net                            127.0.0.4   8    0
> > SORBS-SMTP           ip4r     dnsbl.sorbs.net                            127.0.0.5   7    0
> > SORBS-SPAM           ip4r     dnsbl.sorbs.net                            127.0.0.6   7    0
> > SORBS-WEB            ip4r     dnsbl.sorbs.net                            127.0.0.7   7    0
> > SORBS-BLOCK          ip4r     dnsbl.sorbs.net                            127.0.0.8   7    0
> > SORBS-ZOMBIE         ip4r     dnsbl.sorbs.net                            127.0.0.9   7    0
> > SORBS-DUHL           ip4r     dnsbl.sorbs.net                            127.0.0.10  3    0
> > BONDEDSENDER         ip4r     query.bondedsender.org                     127.0.0.10  -20  0
> >
> >
> > BOGUSMX              rhsbl    bogusmx.rfc-ignorant.org                   127.0.0.8   5    0
> > DSBLMULTI            ip4r     multihop.dsbl.org                          127.0.0.2   4    0
> >
> > NJABL-DYNABLOCK      ip4r     dynablock.njabl.org                        127.0.0.3   8    0
> > NJABL-RELAYS         ip4r     dnsbl.njabl.org                            127.0.0.2   7    0
> > NJABL-DUL            ip4r     dnsbl.njabl.org                            127.0.0.3   5    0N
> > NJABL-MULTI          ip4r     dnsbl.njabl.org                            127.0.0.5   7    0
> >
> >
> > SPAMCOP              ip4r     bl.spamcop.net                             127.0.0.2   25   0
> > EASYNET-DNSBL        ip4r     blackholes.easynet.nl                      127.0.0.2   25   0
> > SPAMHAUS             ip4r     sbl.spamhaus.org                           127.0.0.2   25   0
> >
> > FIVETEN-SPAM         ip4r     blackholes.five-ten-sg.com                 127.0.0.2   5    0
> > FIVETEN-BULK         ip4r     blackholes.five-ten-sg.com                 127.0.0.4   3    0
> > FIVETEN-MULTISTAGE   ip4r     blackholes.five-ten-sg.com                 127.0.0.5   3    0
> > FIVETEN-SPAMSUPPORT  ip4r     blackholes.five-ten-sg.com                 127.0.0.7   3    0
> > FIVETEN-MISC         ip4r     blackholes.five-ten-sg.com                 127.0.0.9   3    0
> >
> > MXRATE-BLOCK         ip4r     pub.mxrate.net                             127.0.0.2   3    0
> > UCEPROTECT-LEVEL1    ip4r     dnsbl-1.uceprotect.net                     *           3    0
> > UCEPROTECT-LEVEL2-   ip4r     dnsbl-2.uceprotect.net                     *           3    0
> > WHOIS-BOGONS-DYNA    ip4r     combined-HIB.dnsiplists.completewhois.com  127.0.0.2   3    0
> > WHOIS-HIJACKED-DYNA  ip4r     combined-HIB.dnsiplists.completewhois.com  127.0.0.3   3    0
> > WHOIS-INVALID-DYNA   ip4r     combined-HIB.dnsiplists.completewhois.com  127.0.0.4   3    0
> >
> > #endnew
> >
> > DSN                  rhsbl    dsn.rfc-ignorant.org                       127.0.0.2   5    0
> > NOABUSE              rhsbl    abuse.rfc-ignorant.org                     127.0.0.4   2    0
> > NOPOSTMASTER         rhsbl    postmaster.rfc-ignorant.org                127.0.0.3   1    0
> >
> >
> > MAILPOLICE-BULK      rhsbl    bulk.rhs.mailpolice.com                    127.0.0.2   12   0
> > MAILPOLICE-PORN      rhsbl    porn.rhs.mailpolice.com                    127.0.0.2   12   0
> > DNSFRAUD             rhsbl    in.dnsbl.org                               127.0.0.3   10   0
> > DNSILLEGAL           rhsbl    in.dnsbl.org                               127.0.0.5   10   0
> > DNSPROMO             rhsbl    in.dnsbl.org                               127.0.0.4   10   0
> >
> > DYNHELO              dynhelo       x  x  5   0
> > BADHEADERS           badheaders    x  x  6   0
> > BASE64               base64        x  x  5   0
> > CMDSPACE             cmdspace      x  x  5   0
> > COMMENTS             comments      x  x  6   0
> > HELOBOGUS            helovalid     x  x  3   0
> > MAILFROM             envfrom       x  x  10  0
> > #IPNOTINMX           ipnotinmx     x  x  0   -1
> > PERCENT              percent       x  x  11  0
> > REVDNS               revdnsexists  x  x  5   0
> > ROUTING              spamrouting   x  x  6   0
> > SPAMHEADERS          spamheaders   x  x  6   0
> >
> >
> > SNIFFER external nonzero "D:\IMail\Declude\sniffer\umzqbs4l.exe dky4t444qqpk69j6" 41 0
> > INV-URIBL external weight "D:\imail\invuribl\invuribl.exe %WEIGHT% %REMOTEIP%" 0 0
> >
> > FILTER-SUBJECT filter d:\IMail\Declude\FILTER-SUBJECT.txt x 0 0
> >
> > BLACK fromfile d:\IMail\Declude\BLACKLIST.TXT x 20 0
> >
> > # MYFILTER filter d:\IMail\Declude\myfilter.txt x 20 0
> >
> > # SURBL filter d:\IMail\Declude\surbl\surbl.txt x 1 0
> >
> > # IMFILTER filter d:\IMail\Declude\imfilter.txt x 0 0
> >
> > WEIGHT10       weight         x  x  10  10
> > WEIGHT11       weight         x  x  11  11
> > WEIGHT12       weight         x  x  12  14
> > WEIGHT15       weight         x  x  15  18
> > WEIGHT19       weight         x  x  19  49
> > WEIGHT50       weight         x  x  50  0
> > CATCHALLMAILS  catchallmails  x  x  0   0
> >
> > INVURIBL:
> >
> > <?xml version="1.0" encoding="utf-8" ?>
> > <configuration>
> >   <appSettings>
> >     <!--For support email [EMAIL PROTECTED] -->
> >
> >     <!--License Key Required For invURIBL To Run-->
> >     <add key="License_Key" value="XXXXXXXXXXXXX" />
> >
> >     <!--Enables the use of an exception file for domains that should be skipped-->
> >     <add key="Enable Exceptions File" value="true" />
> >
> >     <!--Path and Filename of the log file. If left blank the log file will be generated in-->
> >     <!--the same directory as the executable. If you have #### listed in the file-->
> >     <!--name it will be replaced with MMDD (Month and Day).-->
> >     <add key="LogFile_Path" value="uribl-logfile####.txt" />
> >
> >     <!-- Options: NORMAL, HIGH, VERBOSE, NONE-->
> >     <add key="Log_Mode" value="normal" />
> >
> >     <!-- If the passed in weight exceeds this value, invURIBL will exit without -->
> >     <!-- running any of the configured tests -->
> >     <add key="SKIPWEIGHT" value="20" />
> >
> >     <!-- If the accumulated weight exceeds the value listed below invURIBL will -->
> >     <!-- return the MAXWEIGHT value -->
> >     <add key="Enable_Max_Weight" value="true" />
> >     <add key="MAXWEIGHT" value="20" />
> >
> >     <!-- If the accumulated weight is greater than zero and is less than the MINWEIGHT the MINWEIGHT value listed below will -->
> >     <!-- be returned. Zero disables the MINWEIGHT Function -->
> >     <add key="MINWEIGHT" value="10" />
> >
> >     <!-- invURIBL will exit when the first domain in either the URI or RBL list. -->
> >     <!-- If the domain is listed in the URI list the associated RBL lists will be checked -->
> >     <!-- as well before the application will exit -->
> >     <add key="Stop_At_First_Match" value="false" />
> >
> >     <!-- Limit the number of URI Links checked. Setting this value to a lower value will help performance -->
> >     <!-- invURIBL will not count any of the links that are set as an exception. -->
> >     <add key="Max_URI_Links" value="20" />
> >
> >     <!--DNS_Server - The DNS Server that you want invURIBL to use for all of its DNS based lookups-->
> >     <add key="DNS_Server" value="216.16.233.10" />
> >
> >     <!--DNS Server Timeout: Number of seconds that invURIBL will wait for a response from the DNS Server (Beta 5)-->
> >     <add key="DNS_Server_Timeout" value="1" />
> >
> >     <!--Max_Message_Size: If message size exceeds the amount specified below invURIBL will not process the message-->
> >     <!--The value below is specified in Kbytes. 1000 = 1MB, A value of zero disables this feature-->
> >     <add key="Max_Message_Size" value="300" />
> >
> >     <!-- Program_Timeout: If the program runs for longer than the time specified below (in seconds) invURIBL -->
> >     <!-- Will Attempt to exit at the first available spot and return the current weight -->
> >     <add key="Program_Timeout" value="20" />
> >
> >     <!-- This is the URI Blacklist That The URI Will Be Checked Against -->
> >     <add key="URIBL_List1" value="multi.surbl.org" />
> >
> >     <!-- Weight added to the result code or custom bitmask total. -->
> >     <add key="URIBL_Weight_List1" value="3" />
> >
> >     <!--Allows you to override the normal values for bitmasks for a custom return weight-->
> >     <add key="Enable_Custom_Bitmask_Values_URIBL_List1" value="true" />
> >
> >     <!--If using multi.surbl.org see http://www.surbl.org/lists.html#multi for which lists correspond -->
> >     <!--to which bitmask values -->
> >     <!-- BitValue_2 = comes from sc.surbl.org -->
> >     <!-- BitValue_4 = comes from ws.surbl.org -->
> >     <!-- BitValue_8 = comes from phishing data source (labelled as [ph] in multi) -->
> >     <!-- BitValue_16 = comes from ob.surbl.org -->
> >     <!-- BitValue_32 = comes from ab.surbl.org -->
> >     <!-- BitValue_64 = comes from jp data source (labelled as [jp] in multi) -->
> >     <add key="URI_Bitmask_BitValue_1_Weight_URIBL_List1" value="0" />
> >     <add key="URI_Bitmask_BitValue_2_Weight_URIBL_List1" value="7" />
> >     <add key="URI_Bitmask_BitValue_4_Weight_URIBL_List1" value="2" />
> >     <add key="URI_Bitmask_BitValue_8_Weight_URIBL_List1" value="5" />
> >     <add key="URI_Bitmask_BitValue_16_Weight_URIBL_List1" value="3" />
> >     <add key="URI_Bitmask_BitValue_32_Weight_URIBL_List1" value="7" />
> >     <add key="URI_Bitmask_BitValue_64_Weight_URIBL_List1" value="10" />
> >     <add key="URI_Bitmask_BitValue_128_Weight_URIBL_List1" value="0" />
> >
> >     <!--URI LIST 2-->
> >     <add key="URIBL_List2" value="multi.uribl.com" />
> >     <add key="URIBL_Weight_List2" value="0" />
> >     <!-- BitValue_2 = comes from black.uribl.org -->
> >     <!-- BitValue_4 = comes from grey.uribl.org -->
> >     <!-- BitValue_8 = comes from red.uribl.org -->
> >     <add key="Enable_Custom_Bitmask_Values_URIBL_List2" value="true" />
> >     <add key="URI_Bitmask_BitValue_1_Weight_URIBL_List2" value="0" />
> >     <add key="URI_Bitmask_BitValue_2_Weight_URIBL_List2" value="7" />
> >     <add key="URI_Bitmask_BitValue_4_Weight_URIBL_List2" value="0" />
> >     <add key="URI_Bitmask_BitValue_8_Weight_URIBL_List2" value="2" />
> >     <add key="URI_Bitmask_BitValue_16_Weight_URIBL_List2" value="0" />
> >     <add key="URI_Bitmask_BitValue_32_Weight_URIBL_List2" value="0" />
> >     <add key="URI_Bitmask_BitValue_64_Weight_URIBL_List2" value="0" />
> >     <add key="URI_Bitmask_BitValue_128_Weight_URIBL_List2" value="0" />
> >
> >     <!--Enables the checking of the URI's name servers against an RBL. -->
> >     <!--If the name servers are listed in the RBL the defined weight will -->
> >     <!--be added. You also have an option to skip looking up the nameservers -->
> >     <!--if the URI is already listed in one of the URI lists-->
> >     <!--Max_Name_servers_To_Check - Sets the number of name servers to check. If set to zero -->
> >     <!--all name servers returned from the DNS query will be checked-->
> >     <add key="Enable_URI_Name_Server_Check" value="true" />
> >     <add key="Skip_Check_If_URI_Listed_In_URI_List" value="false" />
> >     <add key="Name_Server_RBL" value="sbl.spamhaus.org" />
> >     <add key="Name_Server_Weight" value="5" />
> >     <add key="Max_Name_Servers_To_Check" value="3" />
> >
> >     <!-- If enabled URI's will be resolved to their "A" Records.-->
> >     <add key="ENABLE_URI_IP_LOOKUPS_IN_RBLS" value="true" />
> >
> >     <!--RBLx Specifies a RBL to lookup the resolved URI's "A" Record Against -->
> >     <!--WEIGHT_RBLx Specifies the weight that will be added if the IP Address is listed -->
> >     <!--Bitmask_Skip_Options_RBLx - Bitmask value that allows you to skip the associated RBL check if the URI -->
> >     <!--is listed in the URI list or in the name server list. Values: 0 - no skipping will occur. 1 - Skip RBL -->
> >     <!--check if URI was listed in a URI list. 2 - Skip RBL Check if URI's name servers were listed in the name -->
> >     <!--server RBL check. 3 - Skip the RBL check if either the URI is listed in the URI list OR if the URI's name server -->
> >     <!--was listed in the name server RBL. (Bitmask Skip RC 1)-->
> >     <add key="RBL1" value="sbl.spamhaus.org" />
> >     <add key="Bitmask_Skip_Options_RBL1" value="2" />
> >     <add key="WEIGHT_RBL1" value="5" />
> >
> >     <add key="RBL2" value="cn.countries.nerd.dk" />
> >     <add key="Bitmask_Skip_Options_RBL2" value="0" />
> >     <add key="WEIGHT_RBL2" value="3" />
> >
> >     <add key="RBL3" value="kr.countries.nerd.dk" />
> >     <add key="Bitmask_Skip_Options_RBL3" value="0" />
> >     <add key="WEIGHT_RBL3" value="3" />
> >
> >     <add key="RBL4" value="ru.countries.nerd.dk" />
> >     <add key="Bitmask_Skip_Options_RBL4" value="0" />
> >     <add key="WEIGHT_RBL4" value="3" />
> >
> >     <!--Enables the checking of the resolved URI's IP address against Senderbase -->
> >     <!--If the IP addresses daily magnitude exceeds the monthly magnitude by the defined threshold -->
> >     <!--the defined weight will be added (Beta 4)-->
> >     <add key="Enable_URI_Senderbase_Magnitude_Check" value="false" />
> >     <add key="URI_Senderbase_Magnitude_Threshold" value="50" />
> >     <add key="URI_Senderbase_Magnitude_Weight" value="0" />
> >
> >     <!--Enables the checking of the remote mail servers IP address against Senderbase -->
> >     <!--If the remote mail servers IP addresses daily magnitude exceeds the monthly magnitude -->
> >     <!-- by the defined threshold the defined weight will be added (Beta 4)-->
> >     <add key="Enable_RemoteMailServer_Senderbase_Magnitude_Check" value="false" />
> >     <add key="RemoteMailServer_Senderbase_Magnitude_Threshold" value="50" />
> >     <add key="RemoteMailServer_Senderbase_Magnitude_Weight" value="0" />
> >
> >   </appSettings>
> > </configuration>
> >
> > DECLUDE.CFG
> >
> > threads 20
> > waitformail 500
> > waitforthreads 1500
> > waitbetweenthreads 100
> > concatetelogsthreshold 10
> > concatetelogs
> >
> >
> > Harry Vanderzand
> > inTown Internet & Computer Services
> > 11 Belmont Ave. W., Kitchener, ON, N2M 1L2
> > 519-741-1222
> >
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.JunkMail". The archives can be found
> > at http://www.mail-archive.com.
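
The double-scoring and consolidation points raised in the quoted reply can be checked mechanically. The following Python is an added example, not part of the original thread and not Declude's own code: it parses `ip4r`/`rhsbl` test lines and flags an aggregate zone configured alongside one of its component zones, plus component zones that could be replaced by one aggregate lookup. The function names are hypothetical, the zone map contains only zones named in the thread, and the sample lines are copied from the posted global.cfg.

```python
# Added example: find DNSBL tests in a Declude global.cfg that score one listing twice.
import re

# Aggregate zone -> component zones, limited to zones named in the thread above.
AGGREGATES = {
    "sbl-xbl.spamhaus.org": {"sbl.spamhaus.org", "cbl.abuseat.org", "opm.blitzed.org"},
    "block.rhs.mailpolice.com": {"bulk.rhs.mailpolice.com", "porn.rhs.mailpolice.com"},
}

# Constructed sample: a few test definitions copied from the posted global.cfg.
SAMPLE_CFG = """\
# comment lines and blanks are skipped
SBL              ip4r   sbl-xbl.spamhaus.org     *          28  0
SPAMHAUS         ip4r   sbl.spamhaus.org         127.0.0.2  25  0
SPAMCOP          ip4r   bl.spamcop.net           127.0.0.2  25  0
MAILPOLICE-BULK  rhsbl  bulk.rhs.mailpolice.com  127.0.0.2  12  0
MAILPOLICE-PORN  rhsbl  porn.rhs.mailpolice.com  127.0.0.2  12  0
"""

def parse_dns_tests(cfg_text):
    """Return {zone: [(test_name, weight), ...]} for ip4r/rhsbl test lines."""
    tests = {}
    for line in cfg_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0].startswith("#"):
            continue  # not a 6-column test definition, or commented out
        name, kind, zone, _match, weight, _notweight = fields
        if kind in ("ip4r", "rhsbl") and re.fullmatch(r"-?\d+", weight):
            tests.setdefault(zone.lower(), []).append((name, int(weight)))
    return tests

def audit(cfg_text):
    """Return (double_scored, consolidate) findings for the given config text."""
    tests = parse_dns_tests(cfg_text)
    double, consolidate = [], []
    for agg, parts in AGGREGATES.items():
        used = sorted(zone for zone in parts if zone in tests)
        if agg in tests:
            # Aggregate and component both configured: one listing adds both weights.
            for zone in used:
                for agg_name, agg_w in tests[agg]:
                    for part_name, part_w in tests[zone]:
                        double.append((agg_name, part_name, agg_w + part_w))
        elif len(used) > 1:
            # Several components queried separately: one aggregate lookup would do.
            consolidate.append((agg, [n for zone in used for n, _ in tests[zone]]))
    return double, consolidate

if __name__ == "__main__":
    double, consolidate = audit(SAMPLE_CFG)
    for agg_name, part_name, total in double:
        print(f"{agg_name} + {part_name}: one listing adds {total} to the weight")
    for agg, names in consolidate:
        print(f"{', '.join(names)}: replaceable by a single lookup on {agg}")
```
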