Matt would certainly be able to explain it better than I, but I'll give it a shot.
I can't dig up previous discussions (circa July 2004) on the mail-archive either...
 
A regular ip4r test will test all of the IP address hops (up to the number defined by HOPCOUNT).
Unless it has DYNA/DUL/DUHL in the name, in which case it just checks the most recent hop (also called the first hop).
 
One line of thinking at the time was to use a DYNA test to weight the most recent hop at 80% of the test weight and an ALL test to weight all hops at 20%. I use this to reduce false positives.
For example, in October
my SORBS-FORMMAIL-ALL test had 434 results that fell in my non-spam weights.
The SORBS-FORMMAIL-LAST test had 10 results that fell in my non-spam weights.
So by breaking the tests apart, I'm helping minimize false positives.
 
DUL space tests should have DUL/DYNA in their name to use the previous hop only, as should whitelist tests like Bonded Sender.
 
Now the LAST test uses a dnsbl test in place of the ip4r test.
I believe the advantage here is that in cases where your domain names (maybe it was IP address...) are being spoofed, the dnsbl test will run whereas the ip4r test would not be run.
 
Sample out of my global.cfg:
SORBS-HTTP-LAST      dnsbl  %IP4R%.dnsbl.sorbs.net  127.0.0.2   0  0
SORBS-HTTP-ALL       ip4r   dnsbl.sorbs.net         127.0.0.2   0  0
SORBS-SOCKS-LAST     dnsbl  %IP4R%.dnsbl.sorbs.net  127.0.0.3   0  0
SORBS-SOCKS-ALL      ip4r   dnsbl.sorbs.net         127.0.0.3   0  0
SORBS-MISC-LAST      dnsbl  %IP4R%.dnsbl.sorbs.net  127.0.0.4   0  0
SORBS-MISC-ALL       ip4r   dnsbl.sorbs.net         127.0.0.4   0  0
SORBS-SMTP-LAST      dnsbl  %IP4R%.dnsbl.sorbs.net  127.0.0.5   0  0
SORBS-SMTP-ALL       ip4r   dnsbl.sorbs.net         127.0.0.5   0  0
SORBS-SPAM-LAST      dnsbl  %IP4R%.dnsbl.sorbs.net  127.0.0.6  30  0
SORBS-SPAM-ALL       ip4r   dnsbl.sorbs.net         127.0.0.6  10  0
SORBS-FORMMAIL-LAST  dnsbl  %IP4R%.dnsbl.sorbs.net  127.0.0.7   0  0
SORBS-FORMMAIL-ALL   ip4r   dnsbl.sorbs.net         127.0.0.7   0  0
----- Original Message -----
Sent: Tuesday, November 02, 2004 9:10 AM
Subject: RE: [Declude.JunkMail] Earthlink Porn Spam

Matt,
Thanks -- didn't see that.
Can you post your (ALL) and (LAST) global configs and a brief explanation of how you're using them?
 
Thanks
 
Mark


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, November 02, 2004 9:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Earthlink Porn Spam

Mark,

mail-archive.com converted the text attachment to just a part of the message if you wish to cut and paste it from there.

    http://www.mail-archive.com/declude.junkmail%40declude.com/msg21757.html

Matt



Mark E. Smith wrote:
Matt,
Can you resend that filter? I checked on the archive and the attachment isn't there.
Thanks.
 
Mark


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, November 02, 2004 12:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Earthlink Porn Spam

Danny,

It's a special construct that I use to kludge a way to provide a difference in scoring of last-hop DNSBL hits and prior-hop DNSBL hits.  For instance, if you score a test on the last 3 hops and it hits an open relay type of list on the first hop, that isn't anywhere near as indicative of spam as a last-hop open relay hit.

With Declude, you can kludge it so that you can score either the last hop only or all hops.  If I get a hit for both SPAMCOP(ALL) and SPAMCOP(LAST), this means that SpamCop hit minimally on the last hop.  If I only get a hit for SPAMCOP(ALL), that means that the hit was on a prior hop.  Yes, this is most definitely very effective, and I absolutely do wish there was a better way to do this in Declude by assigning the range of hops to test per entry in your config.  An example of how to configure this with SpamCop would be as follows:

    SPAMCOP(LAST)        dnsbl    %IP4R%.bl.spamcop.net            127.0.0.2    4    0
    SPAMCOP(ALL)        ip4r    bl.spamcop.net                127.0.0.2    2    0

This is primarily effective with DNSBLs that track primarily open relays and not necessary with most static spammer lists, although SBL has been acting like idiots as of late and including random blocks all the way up to whole class B's on residential class networks, which severely weakens the value of SBL when scored the same on every hop.

As far as my filter goes, you can remove all of the lines beginning with the one targeting SNIFFER hits.  It will work just fine without these, but I included them just for good measure as I expect the spam patterns to change eventually.  I do of course expect to see spammers cracking AUTH with much more frequency, and Earthlink at least appears to be inept at stopping it since this has been happening for over 3 months now and growing in scope.

Matt






Danny K wrote:
Matt,
 
What does the (ALL) do as in "SPAMCOP(ALL)"? 
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Matt
Sent: Monday, November 01, 2004 1:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Earthlink Porn Spam

i360 Support wrote:
I am still getting a ton of porn spam from Earthlink.
I report it but it does not help much.
 
Any suggestions on how to stop this crap?
 

Attached is the filter that I use to kill this stuff.  Last I checked, there were two different spammers that were cracking AUTH to get this stuff through, and their patterns don't seem to have changed, although they probably will and/or more will come.

Matt
-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================


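The thread above describes two things by hand: how a `dnsbl` test with `%IP4R%` queries only the most recent hop while an `ip4r` test walks every hop up to HOPCOUNT, and how pairing a LAST and an ALL entry lets you tell a last-hop listing from a prior-hop listing. The script below is an added example written for this page; it is not Declude's code and not either poster's configuration. It assumes, where the page is silent, that the fifth config column is the weight added on a hit and the sixth on a miss, that `%IP4R%` expands to the reversed octets of the hop address, and it replaces live DNS with a constructed in-memory zone under the made-up name dnsbl.example.test (the sample Received: headers and listed addresses are constructed too).

```python
"""Simulate the LAST-hop versus ALL-hop DNSBL scoring described in the thread.

Added example, not Declude's code and not the posters' configs. Assumptions
not stated on the page: the fifth config column is the weight added on a hit
and the sixth on a miss; Received: headers are parsed topmost (most recent)
first; DNS is replaced by FAKE_ZONE, a constructed in-memory zone under the
made-up name dnsbl.example.test.
"""
import re
from typing import Dict, List, Set, Tuple

# (name, kind, zone template, expected A record, weight on hit, weight on miss)
Test = Tuple[str, str, str, str, int, int]

# Constructed zone: query name -> A records, as a DNSBL would answer.
FAKE_ZONE: Dict[str, Set[str]] = {
    "4.3.2.1.dnsbl.example.test": {"127.0.0.6"},               # 1.2.3.4: spam source
    "8.7.6.5.dnsbl.example.test": {"127.0.0.2", "127.0.0.7"},  # 5.6.7.8: HTTP proxy + formmail
}

# Constructed config in the same column layout as the global.cfg lines in the thread.
CONFIG = """
SORBS-HTTP-LAST  dnsbl %IP4R%.dnsbl.example.test  127.0.0.2  0  0
SORBS-HTTP-ALL   ip4r  dnsbl.example.test         127.0.0.2  0  0
SORBS-SPAM-LAST  dnsbl %IP4R%.dnsbl.example.test  127.0.0.6  30 0
SORBS-SPAM-ALL   ip4r  dnsbl.example.test         127.0.0.6  10 0
"""

# Constructed messages. 10.0.0.1 is an unlisted relay; 1.2.3.4 and 5.6.7.8 are listed.
MSG_PRIOR_HOP = """Received: from relay.example.test (relay.example.test [10.0.0.1])
\tby mx.example.test; Tue, 2 Nov 2004 09:10:00 -0500
Received: from spamhost (unknown [1.2.3.4])
\tby relay.example.test; Tue, 2 Nov 2004 09:09:00 -0500
Subject: constructed sample

body
"""
MSG_LAST_HOP = """Received: from proxyhost (unknown [5.6.7.8])
\tby mx.example.test; Tue, 2 Nov 2004 09:10:00 -0500
Received: from origin (origin.example.test [10.0.0.1])
\tby proxyhost; Tue, 2 Nov 2004 09:09:00 -0500
Subject: constructed sample

body
"""

RECEIVED_IP = re.compile(r"^Received:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)


def ip4r(ip: str) -> str:
    """Expand %IP4R%: reverse the octets, e.g. 1.2.3.4 -> 4.3.2.1."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets))


def parse_config(text: str) -> List[Test]:
    tests: List[Test] = []
    for line in text.splitlines():
        if line.strip():
            name, kind, zone, code, hit_w, miss_w = line.split()
            tests.append((name, kind, zone, code, int(hit_w), int(miss_w)))
    return tests


def received_hops(raw: str, hopcount: int) -> List[str]:
    """Hop IPs from Received: headers, most recent first, capped at HOPCOUNT."""
    return RECEIVED_IP.findall(raw)[:hopcount]


def run_tests(hops: List[str], tests: List[Test], zone: Dict[str, Set[str]]) -> Dict[str, bool]:
    """dnsbl tests query only the most recent hop; ip4r tests query every hop given."""
    hits: Dict[str, bool] = {}
    for name, kind, template, code, _hit_w, _miss_w in tests:
        if kind == "dnsbl":
            names = [template.replace("%IP4R%", ip4r(h)) for h in hops[:1]]
        elif kind == "ip4r":
            names = [f"{ip4r(h)}.{template}" for h in hops]
        else:
            raise ValueError(f"unknown test type {kind!r}")
        hits[name] = any(code in zone.get(n, set()) for n in names)
    return hits


def total_weight(hits: Dict[str, bool], tests: List[Test]) -> int:
    return sum(hit_w if hits[name] else miss_w for name, _k, _z, _c, hit_w, miss_w in tests)


def where_hit(hits: Dict[str, bool], base: str) -> str:
    """Matt's reading of a LAST/ALL pair: both hit -> last hop; ALL alone -> a prior hop."""
    last, every = hits[base + "-LAST"], hits[base + "-ALL"]
    if last and every:
        return "last hop"
    if every:
        return "prior hop only"
    return "none"


if __name__ == "__main__":
    tests = parse_config(CONFIG)
    for label, msg in (("prior-hop spam source", MSG_PRIOR_HOP), ("last-hop HTTP proxy", MSG_LAST_HOP)):
        hops = received_hops(msg, 3)
        hits = run_tests(hops, tests, FAKE_ZONE)
        print(label, hops, total_weight(hits, tests),
              {b: where_hit(hits, b) for b in ("SORBS-HTTP", "SORBS-SPAM")})
```

Running it shows the point of the split: the message whose listed address sits one hop back scores only the 10 points of SORBS-SPAM-ALL, because the LAST entry never looks past the most recent hop, while a listed address on the delivering hop lights up both entries of its pair. Lowering HOPCOUNT to 1 makes the ALL entry collapse into the LAST entry, which is the behaviour the DYNA/DUL naming gives you without a second entry.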
