RE: [Declude.JunkMail] Tests Used for Deleting?
> However, after a few years of tinkering, I did realize that (at least based on messages received by my mix of business clients) *I* was able to use some tests to outright delete 13% of all incoming mail (an additional 50% gets deleted by weight):
>
> BLITZEDALL DELETE
> NJABLPROXIES DELETE
> AHBLPROXIES DELETE
> SORBS-HTTP DELETE
> SORBS-SOCKS DELETE
> SORBS-MISC DELETE
> MAILFROM DELETE
> PERCENT DELETE

Not meaning to open any old wounds, Andy, but I thought I'd chime in and share what is working for me, too.

I only use a DELETE action as a reaction to something very, very specific. For example, my home-made SoBig.F filter when for a short time, we were receiving a ton of obvious bounces and virus notices from other companies that were getting faked headers with our domain name as the return address.

I don't trust any 3rd party to definitively and automatically HOLD a message on its say-so alone, so I certainly wouldn't delete on that same say-so. At the very least, a delete action robs me of a way to check up on the rightness of the test.

I balance my hold action with a decision of how long is reasonable to hold before the information has expired anyway and how much disk space I'm willing to spend. For me, that's 7 days. I have a little .VBS script that I picked up from the Declude Tools web page (actually points to posts here) that runs every night to delete the expired stuff. Somebody else, I just checked who (Chuck Frolick), contributed a nifty script to rotate the \imail\spool\spam folder so that you had an arbitrary day rotation, with a separate folder for each day.

If I wanted to play it close, I might give XBL-DYNA a DELETE weight.

Generally, I've been happy with the tests you cited, except for AHBL which I've implemented with a low weight until I have time to pay attention to it specifically. I've seen false positives with the others, including PERCENT, which rather than being an open relay hack was the notation used by a company using Lotus Notes on multiple platforms.
Andrew 8) --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Tests Used for Deleting?
Hi Bill,

This is of course prudent advice in general. Let me share my experiences (I'm not at all suggesting that this applies to anyone else's scenario).

However, after a few years of tinkering, I did realize that (at least based on messages received by my mix of business clients) *I* was able to use some tests to outright delete 13% of all incoming mail (an additional 50% gets deleted by weight):

BLITZEDALL DELETE
NJABLPROXIES DELETE
AHBLPROXIES DELETE
SORBS-HTTP DELETE
SORBS-SOCKS DELETE
SORBS-MISC DELETE
MAILFROM DELETE
PERCENT DELETE

(At first I was using HOLD for these tests but after many months that I never ever had to release a single held email.)

Apparently, when someone is ignorant enough running an open proxy (or an infected zombie workstation) on a particular IP there is a very low likelihood that this particular machine is ALSO used as their legitimate SMTP server.

When someone uses an invented from domain or tries the percent hack to force email routing - then it is our policy that the email should not be processed. (It's okay to use an unattended from mailbox - but there is never a reason to use bogus domain names, preventing our server from sending notifications or such.)

Of course, ideally I would want to hang up on those connections during SMTP protocol - but unfortunately, neither IMail nor Declude currently offers that option. (I'm using ORF from VAMSOFT to do exactly that on my backup MX running MS SMTP (IIS), as lots of spam now gets directed against the backup MXs).
Best Regards
Andy Schmidt

Argos Networks
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-9411 x20 (Business)
Fax: +1 201 934-9206
http://www.Argos.net/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Tuesday, January 13, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SpamD/SpamC for Declude

- Original Message -
From: Matt [EMAIL PROTECTED]

> Another idea would be to block SBL with IMail 8 so that stuff never gets to Declude. SBL can be as much as 25% of my traffic, and I weight that in Declude so that it deletes on just that one hit. This could potentially save you a good deal of processing power and be huge for your system. You can still keep track of statistics by using IMail's daily report to show you how many messages got stopped that way and adding them into your Declude results.

Deleting messages based on a single test result is very bad advice. No test is 100% accurate, and in my experience they are typically less than 90%. If it works for you, and you and your users don't care about the legitimate messages you are most likely deleting, that's fine. But to make this recommendation to others without the appropriate caveat is irresponsible.

Bill
Re: [Declude.JunkMail] Tests Used for Deleting?
- Original Message -
From: Andy Schmidt [EMAIL PROTECTED]

> This is of course prudent advice in general. Let me share my experiences (I'm not at all suggesting that this applies to anyone else's scenario).
>
> However, after a few years of tinkering, I did realize that (at least based on messages received by my mix of business clients) *I* was able to use some tests to outright delete 13% of all incoming mail (an additional 50% gets deleted by weight):
>
> BLITZEDALL DELETE
> NJABLPROXIES DELETE
> AHBLPROXIES DELETE
> SORBS-HTTP DELETE
> SORBS-SOCKS DELETE
> SORBS-MISC DELETE
> MAILFROM DELETE
> PERCENT DELETE

Other than the PERCENT test, I can produce false-positives from each of the RBL tests listed above for every day of the week. I guess it depends on your customer base and mail volume, but anyone running spam tests in an ISP environment would be foolish and running great risk of deleting legitimate messages by basing delete decisions on the results of any single RBL test criteria. And I feel that if you have a weight system available to you, why take that risk at all?

Bill
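
An added example, not part of the thread and not Declude code: the thread turns on how much evidence a HOLD history gives before a test is promoted to a standalone DELETE, so this sketch audits a constructed hold-queue review log per test. The test names come from the messages above; the counts, outcomes and the `max_fp` / `min_held` thresholds are illustrative assumptions, and it assumes held mail was actually reviewed and releases recorded.

```python
from collections import Counter

# Constructed sample data: each entry is one HELD message, the tests that
# fired on it, and whether a reviewer released it as legitimate mail.
# Test names come from the thread; counts and outcomes are invented.
HELD_LOG = (
    [({"SORBS-HTTP"}, False)] * 400
    + [({"SORBS-HTTP", "BLITZEDALL"}, False)] * 150
    + [({"PERCENT"}, False)] * 39
    + [({"PERCENT"}, True)]             # e.g. legitimate Lotus Notes addressing
    + [({"AHBLPROXIES"}, False)] * 20
    + [({"MAILFROM"}, False)] * 297
    + [({"MAILFROM"}, True)] * 3
)

def audit_held(log):
    """Return {test: (held, released)} counted over every message the test hit."""
    held, released = Counter(), Counter()
    for tests, was_released in log:
        for test in tests:
            held[test] += 1
            released[test] += int(was_released)
    return {test: (held[test], released[test]) for test in held}

def fp_upper_bound(held, released):
    """Rough 95% upper bound on a test's false-positive rate.

    Zero releases does not mean a zero rate: the 'rule of three' bounds it
    at 3/n. With releases, use a simple normal-approximation bound.
    """
    if released == 0:
        return 3.0 / held
    p = released / held
    return min(1.0, p + 1.96 * (p * (1 - p) / held) ** 0.5)

def delete_candidates(log, max_fp=0.01, min_held=100):
    """Tests whose hold history supports a standalone DELETE action."""
    return [
        test
        for test, (held, released) in sorted(audit_held(log).items())
        if held >= min_held and fp_upper_bound(held, released) <= max_fp
    ]

if __name__ == "__main__":
    for test, (held, released) in sorted(audit_held(HELD_LOG).items()):
        print(f"{test:12} held={held:4} released={released} "
              f"fp<= {fp_upper_bound(held, released):.3%}")
    print("standalone DELETE candidates:", delete_candidates(HELD_LOG))
```

Tests that fail the bound stay on HOLD or contribute weight only, which keeps the review trail that a DELETE action removes.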