Right now we are using:

DSN             rhsbl   dsn.rfc-ignorant.org            127.0.0.2       5       0
NOABUSE         rhsbl   abuse.rfc-ignorant.org          127.0.0.4       5       0
NOPOSTMASTER    rhsbl   postmaster.rfc-ignorant.org     127.0.0.3       5       0

BADHEADERS      badheaders      x       x       8       0
MAILFROM        envfrom         x       x       12      0
PERCENT         percent         x       x       10      0
REVDNS          revdnsexists    x       x       4       0
ROUTING         spamrouting     x       x       5       0
SPAMHEADERS     spamheaders     x       x       5       0

I'd lean towards a 2 or 3 on NOABUSE and NOPOSTMASTER as many people
would not have these configured and even if their host preconfigured it,
they may delete it if they don't want it.

MAILFROM - maybe 5 ?
REVDNS - 3
BADHEADERS - 3
SPAMHEADERS - 3

Leave the ORBS types at 5, with SPAMCOP at 10 and
then set to WARN at 10 with DELETE at 13 or 15.

Any thoughts?  Any of these too low?  Too high?
Again, I want to block 80-90% of spam without false positives.
The false positives being the bigger problem.  And not a problem
with Declude - but a problem with trying to find the right combination.

Chris


At 02:44 PM 2/25/2002, you wrote:
>Chris:
>
>Scott addressed some of the RFC issues but we have found similar problems
>with mail being generated from legitimate mailing lists, cold fusion
>websites, and from FrontPage forms.  We have worked around some of the issues
>of false positives by lowering the weights of some of the tests.  REVDNS
>failure is so common that we dropped the weight to 3, the same with
>BADHEADERS and SPAMHEADERS and we put our weight test at 10.  So with just
>those 3 problems the mail will squeak by with a weight of 10.  Other tests
>like SPAMCOP (5) and ORDB (4) will trigger issues quicker.
>
>I would like to hear more about what others are doing.  We are playing with
>the weights to try to achieve ~90+ percent spam rejection and less than 1%
>false positives.   The biggest cause of false positives is legitimate mail
>from open relays - school district and government servers are the worst
>offenders.
>
>Comments please.
>
>Chuck Schick
>Warp 8, Inc.
>www.warp8.com
>303-421-5140
>
>----- Original Message -----
>From: "Christopher Ulrich" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Monday, February 25, 2002 12:03 PM
>Subject: [Declude.JunkMail] Problem with Symantec Act
>
>
>: I have a customer who has not been able to send email through our system.
>: He was scoring a "17" on the spam scale.  Here's the relevant detail from
>: the log:
>:
>: 02/25/2002 13:23:37 Q811f28a BADHEADERS:8 REVDNS:4 SPAMHEADERS:5 .  Total
>: weight = 17
>: 02/25/2002 13:23:37 Q811f28a Msg failed BADHEADERS (This E-mail was sent
>: from a broken mail client [c040020e].).
>: 02/25/2002 13:23:37 Q811f28a Msg failed SPAMHEADERS (This E-mail has
>: headers consistent with spam [c040020e].).
>: 02/25/2002 13:23:37 Q811f28a Msg failed WEIGHT10 (Weight of 17 exceeds the
>: limit of 10.).
>: 02/25/2002 13:23:37 Q811f28a Msg failed WEIGHT17 (Weight of 17 exceeds the
>: limit of 17.).
>: 02/25/2002 13:23:37 Q811f28a Subject: test
>: 02/25/2002 13:23:37 Q811f28a Message FAILED: Deleting message!
>:
>: Well, we determined that the person sending messages was using
>: Symantec's ACT program's internal email client, and that it does not meet
>: the criteria set out by Declude.
>:
>: I'm sure they are not the only person using Act.
>:
>: Has anyone seen a way around this?  I don't want to raise our threshold to
>: something like "18", as that will let in a flood of SPAM that is currently
>: being blocked.
>: However, ACT (and Maximizer, another CRM system) are widely used and need
>: to work properly.
>:
>: Any thoughts?
>:
>: Thanks
>:
>: Chris
>:
>:
>: ---
>: [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>:
>: ---
>:
>: This E-mail came from the Declude.JunkMail mailing list.  To
>: unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>: type "unsubscribe Declude.JunkMail".  You can E-mail
>: [EMAIL PROTECTED] for assistance.  You can visit our web
>: site at http://www.declude.com .
>:
>


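The re-weighting proposed in this thread can be tried against existing log lines before the configuration is changed. The following is an added example, not part of the original messages and not Declude code: it re-totals "Total weight" summary lines under the proposed weights, taking NOABUSE/NOPOSTMASTER as 3 and DELETE as 13; the function names and the `Qexample1` log lines are constructed.

```python
import re

# Weights proposed in the message above (NOABUSE/NOPOSTMASTER taken as 3).
PROPOSED = {"NOABUSE": 3, "NOPOSTMASTER": 3, "MAILFROM": 5,
            "REVDNS": 3, "BADHEADERS": 3, "SPAMHEADERS": 3}
WARN_AT, DELETE_AT = 10, 13  # proposed thresholds (DELETE taken as 13)

# Summary line as seen in the quoted log:
#   "<date> <time> <id> NAME:weight ... .  Total weight = N"
SUMMARY = re.compile(r"^\S+ \S+ (\S+) ((?:\w+:\d+ )+)\.\s+Total weight = (\d+)$")

def parse_summary(line):
    """Return (msg_id, {test: logged_weight}, logged_total), or None for other lines."""
    m = SUMMARY.match(line.strip())
    if not m:
        return None
    hits = {n: int(w) for n, w in (p.split(":") for p in m.group(2).split())}
    return m.group(1), hits, int(m.group(3))

def action(total, warn=WARN_AT, delete=DELETE_AT):
    # The quoted log fails WEIGHT17 at a weight of exactly 17, so limits are inclusive.
    if total >= delete:
        return "DELETE"
    if total >= warn:
        return "WARN"
    return "PASS"

def rescore(line, weights=PROPOSED):
    """Re-total one summary line; tests without a new weight keep the logged one."""
    parsed = parse_summary(line)
    if parsed is None:
        return None
    msg_id, hits, logged = parsed
    new_total = sum(weights.get(name, w) for name, w in hits.items())
    return msg_id, logged, new_total, action(new_total)

SAMPLE_LOG = [
    # From the quoted log, re-joined onto one line:
    "02/25/2002 13:23:37 Q811f28a BADHEADERS:8 REVDNS:4 SPAMHEADERS:5 .  Total weight = 17",
    # Constructed lines, not from the page:
    "02/25/2002 13:25:02 Qexample1 SPAMCOP:10 MAILFROM:12 REVDNS:4 .  Total weight = 26",
    "02/25/2002 13:25:02 Qexample1 Subject: test",
]

if __name__ == "__main__":
    for result in filter(None, map(rescore, SAMPLE_LOG)):
        print("%s logged=%d proposed=%d -> %s" % result)
```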