I'm deep into monitoring false positives, passed spam, and valid near misses.  I'll post some info tonight or tomorrow.

One thing that is very clear thus far is that FIVETEN detects a lot of spam that other blacklists don't; however, they also have a very high false positive rate, which is why I score them so low.

Three of the FIVETEN tests marked 15 of 40 pieces of spam that got in under the top score; however, it also marked 12 of 17 valid near misses (passed legit stuff) from newsletters and other sorts of automated mailings like opt-in lists and receipts.  It also marked valid yahoo.com accounts which tend to fail several minor technical tests.  Then for my false positives (rejected valid E-mail), it marked 3 of 8 messages.

One note about what I am counting as valid here.  There are varying levels of commercial E-mail and I am trying to pass anything opted-into directly or resulting from being a customer of that mailer.  Most of this stuff is of no value, but I don't want to block it if I can help.  SPAMCOP for instance is blocking a fundraising letter from George Bush's campaign that includes the customer's full name, and the NYTimes.com daily update fails FIVETEN-SPAMSUPPORT as well as SPAMHEADERS.  Some companies use outside sources for their mailings and they suffer from not choosing wisely the company they deal with.

So with the above results, I definitely would include FIVETEN in any setup, but score them very low in respect to others, hoping that they fail some technical tests to put them over the edge.  The numbers in the summary are from my settings where I fail on a score of 10, and I don't score technical tests very high (though I'm probably going to increase BADHEADERS).

Matt





Serge wrote:
yes, you'd better disable them
otherwise, the server will slow down considerably (waiting for replies,
timeout is 10s for each test)
you will also start to get false positives, as osirusoft is blacklisting
everybody

retry again the archives, you should be able to find a replacement
i compiled what was posted here, attached is what i came up with


----- Original Message -----
From: "Dale McDiarmid" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 28, 2003 3:56 PM
Subject: [Declude.JunkMail] osirusoft


  
Hello...

My apologies if this has already been discussed. I'm not normally a member
here, and the archives seem only to go up thru Aug. 25th.

With the news of Osirusoft's troubles, do I need to disable them in
Declude? What are the repercussions of having Osirusoft enabled right now?

Thanks,
D.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
  
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

    

#OSDUL ip4r relays.osirusoft.com 127.0.0.3 5 0
#OSFORM ip4r relays.osirusoft.com 127.0.0.8 6 0
#OSLIST ip4r relays.osirusoft.com 127.0.0.7 5 0
#OSPROXY ip4r relays.osirusoft.com 127.0.0.9 7 0
#OSRELAY ip4r relays.osirusoft.com 127.0.0.2 5 0
#OSSMART ip4r relays.osirusoft.com 127.0.0.5 5 0
#OSSOFT ip4r relays.osirusoft.com 127.0.0.6 5 0
#OSSRC ip4r relays.osirusoft.com 127.0.0.4 10 0
#OSDIPS ip4r relays.osirusoft.com 127.0.0.3 5 0
BLITZEDALL ip4r opm.blitzed.org * 5 0
DSBL ip4r list.dsbl.org * 6 0
EASYNET-DNSBL ip4r blackholes.easynet.nl 127.0.0.2 5 0
EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl * 5 0
EXSILIA-SPAM ip4r spam.exsilia.net * 3 0
IPWHOIS ip4r ipwhois.rfc-ignorant.org * 5 0
MONKEYFORMMAIL ip4r formmail.relays.monkeys.com * 7 0
MONKEYPROXIES ip4r proxies.relays.monkeys.com * 7 0
ORDB ip4r relays.ordb.org * 5 0
SPAMHAUS ip4r sbl.spamhaus.org * 3 0
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 10 0
SBL ip4r sbl.spamhaus.org 127.0.0.2 5 0
DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 3 0
NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 3 0
NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 3 0
BADHEADERS badheaders x x 8 0
HELOBOGUS helovalid x x 6 0
MAILFROM envfrom x x 12 0
PERCENT percent x x 9 0
REVDNS revdnsexists x x 3 0
ROUTING spamrouting x x 4 0
SPAMHEADERS spamheaders x x 3 0
SPAMDOMAINS spamdomains E:\imailsrvr\declude\sd.txt x 10 0
BASE64 base64 x x 4 0
IPNOTINMX ipnotinmx x x 0 -3
#***********************************************************************************
FIVETEN-SPAM ip4r blackholes.five-ten-sg.com 127.0.0.2 3 0
FIVETEN-BULK ip4r blackholes.five-ten-sg.com 127.0.0.4 5 0
FIVETEN-MULTISTAGE ip4r blackholes.five-ten-sg.com 127.0.0.5 3 0
FIVETEN-SPAMSUPPORT ip4r blackholes.five-ten-sg.com 127.0.0.7 3 0
FIVETEN-MISC ip4r blackholes.five-ten-sg.com 127.0.0.9 4 0
FIVETEN-SINGLESTAGE ip4r blackholes.five-ten-sg.com 127.0.0.6 3 0
FIVETEN-FREE ip4r blackholes.five-ten-sg.com 127.0.0.12 3 0
MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 5 0
MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 5 0
BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -20 0
#*************************************************************************************
# This is an automatically maintained list generated by spamtraps whose messages
# are then tested by a community maintained script at http://sourceforge.net/projects/sorbs/
# For the all-in info, see the home page at http://www.dnsbl.sorbs.net/
SORBS ip4r dnsbl.sorbs.net * 5 0
#open web proxy servers
SORBS-HTTP ip4r dnsbl.sorbs.net 127.0.0.2 5 0
#open socks proxy servers
SORBS-SOCKS ip4r dnsbl.sorbs.net 127.0.0.3 5 0
#open proxies that are neither web nor socks
SORBS-MISC ip4r dnsbl.sorbs.net 127.0.0.4 5 0
#open smtp relay servers
SORBS-SMTP ip4r dnsbl.sorbs.net 127.0.0.5 5 0
#hosts that send spam and netblocks of providers that support spammers
SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 5 0
#hosts that have spammer abused vulnerabilities, e.g. formmail script
SORBS-WEB ip4r dnsbl.sorbs.net 127.0.0.7 5 0
#hosts that demand that they are never to be scanned by SORBS
SORBS-BLOCK ip4r dnsbl.sorbs.net 127.0.0.8 3 0
#hosts that are in a netblock hijacked from someone else
SORBS-ZOMBIE ip4r dnsbl.sorbs.net 127.0.0.9 5 0
#hosts that are in a dynamic IP range at their ISP
#this one gets us in trouble because our HOP settings usually catch the workstation
#as it sends to its own ISPs mail server, and we can't differentiate between a server
#that sends the mail and the workstation...
SORBS-DUL ip4r dnsbl.sorbs.net 127.0.0.10 3 0
#hosts that have badly configured DNS, e.g. private IP addresses or broadcasts
SORBS-BADCONF rhsbl dnsbl.sorbs.net 127.0.0.11 3 0
#domains where the correct admin has stated that mailfrom should never be from this domain
#eg corp.supernews.com and news.supernews.net
SORBS-NOMAIL rhsbl dnsbl.sorbs.net 127.0.0.12 1 0
#***********************************************************************************
FIVETEN-SPAM WARN
FIVETEN-BULK WARN
FIVETEN-MULTISTAGE WARN
FIVETEN-SPAMSUPPORT WARN
FIVETEN-MISC WARN
FIVETEN-SINGLESTAGE WARN
FIVETEN-FREE WARN
MAILPOLICE-BULK WARN
MAILPOLICE-PORN WARN
BONDEDSENDER WARN
SORBS-HTTP WARN
SORBS-SOCKS WARN
SORBS-MISC WARN
SORBS-SMTP WARN
SORBS-SPAM WARN
SORBS-WEB WARN
SORBS-BLOCK WARN
SORBS-ZOMBIE WARN
SORBS-DUL WARN
SORBS-BADCONF WARN
SORBS-NOMAIL WARN
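
The weighted scoring discussed in this thread, as an added example that is not part of the original messages and is not Declude's own code. It assumes each test line reads name, type, zone, expected answer, weight when the test matches, weight when it does not; it pairs a few weights from the attached list with the fail score of 10 mentioned above, and the DNS answers and the documentation-range IPs are constructed so it runs offline.

```python
# Added example: weighted scoring over Declude-style ip4r test lines.
CONFIG = """\
#OSRELAY ip4r relays.osirusoft.com 127.0.0.2 5 0
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 10 0
SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 5 0
FIVETEN-SPAM ip4r blackholes.five-ten-sg.com 127.0.0.2 3 0
FIVETEN-BULK ip4r blackholes.five-ten-sg.com 127.0.0.4 5 0
BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -20 0
FIVETEN-SPAM WARN
"""
FAIL_SCORE = 10  # threshold quoted in the thread; pairing it with these weights is an assumption

def parse_tests(text):
    """Return {name: (zone, expected, weight_hit, weight_miss)} for active ip4r tests."""
    tests = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip blanks, '#'-disabled tests, action lines ("NAME WARN") and other test types.
        if len(parts) != 6 or parts[0].startswith("#") or parts[1] != "ip4r":
            continue
        name, _, zone, expected, hit, miss = parts
        tests[name] = (zone, expected, int(hit), int(miss))
    return tests

def query_name(ip, zone):
    """ip4r lookups reverse the IPv4 octets and append the blacklist zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def score(ip, tests, resolve):
    """resolve(qname) returns the set of A records, empty when nothing is listed."""
    total, hits = 0, []
    for name, (zone, expected, hit, miss) in tests.items():
        answers = resolve(query_name(ip, zone))
        listed = bool(answers) if expected == "*" else expected in answers
        total += hit if listed else miss
        if listed:
            hits.append(name)
    return total, hits

# Constructed DNS answers standing in for live lookups.
FAKE_DNS = {
    "5.2.0.192.blackholes.five-ten-sg.com": {"127.0.0.2", "127.0.0.4"},
    "9.113.0.203.blackholes.five-ten-sg.com": {"127.0.0.2", "127.0.0.4"},
    "9.113.0.203.bl.spamcop.net": {"127.0.0.2"},
}

def verdict(ip, config=CONFIG):
    """Return (total score, names of matching tests, whether the fail score is reached)."""
    total, hits = score(ip, parse_tests(config), lambda q: FAKE_DNS.get(q, set()))
    return total, hits, total >= FAIL_SCORE
```

With these weights, two FIVETEN listings alone score 8 and stay under the threshold, while the same listings plus SPAMCOP score 18.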
