Matthew, your MAILPOLICE tests are configured wrong. Those are rhsbl tests, not ip4r tests. The config lines should read...
MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 10 0
MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 10 0

Bill

-----Original Message-----
From: Matthew Bramble
Sent: Wed, 20 Aug 2003 21:27:15 -0400
Subject: Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

I'd also like to share my configuration. We have about 50 E-mail domains with about 250 users, with many addresses listed in who-is records and on Web sites, along with "nobody" alias redirection for all domains. This results in a lot of garbage coming our way. We are definitely capturing 95%-97% of all the spam currently and our false reject rate is less than 1-3 in 1000, most of which is automated delivery messages, with user exceptions being mostly of the variety of open relay users or that one person that uses Base64 encoding from a poorly configured server.

Unfortunately some addresses get literally hundreds of spams a day, often it's their own fault, but they need more relief than I have been giving them. I don't have the time to constantly monitor rejected mail (about ~15,000 a week), so we generally kill it at a score of 10 unless we tweak the settings, in which case we monitor it as I am doing now.

I think our setup even without the Alligate is quite solid after a year of playing with it occasionally, but it needs more than RFC and blacklist tests to close the gap that's left. This BONDEDSENDER thing also looks like it has promise as I found 19 examples today of E-mail that was saved, probably all of it was ad-related, and some I would probably consider spam, but not the brutal idiotic stuff that goes to harvested addresses. I'm going to capture those messages for review since I can only see the senders now.

Anyway, here's the beef of my config file:

--8<------------------------
SBL ip4r sbl.spamhaus.org 127.0.0.2 10 0
OSSOFT ip4r relays.osirusoft.com 127.0.0.6 10 0
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 10 0
FIVETEN-BULK ip4r blackholes.five-ten-sg.com 127.0.0.4 10 0
MAILPOLICE-BULK ip4r bulk.rhs.mailpolice.com 127.0.0.2 10 0
MAILPOLICE-PORN ip4r porn.rhs.mailpolice.com 127.0.0.2 10 0
OSSRC ip4r relays.osirusoft.com 127.0.0.4 7 0
EASYNET-DNSBL ip4r blackholes.easynet.nl 127.0.0.2 7 0
EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl 127.0.0.2 7 0
FIVETEN-SPAMSUPPORT ip4r blackholes.five-ten-sg.com 127.0.0.7 7 0
FIVETEN-MISC ip4r blackholes.five-ten-sg.com 127.0.0.9 7 0
BLITZEDALL ip4r opm.blitzed.org * 7 0
DSBL ip4r list.dsbl.org * 5 0
MONKEYPROXIES ip4r proxies.relays.monkeys.com * 5 0
OSFORM ip4r relays.osirusoft.com 127.0.0.8 5 0
OSPROXY ip4r relays.osirusoft.com 127.0.0.9 5 0
FIVETEN-SPAM ip4r blackholes.five-ten-sg.com 127.0.0.2 5 0
FIVETEN-MULTISTAGE ip4r blackholes.five-ten-sg.com 127.0.0.5 5 0
FIVETEN-SINGLESTAGE ip4r blackholes.five-ten-sg.com 127.0.0.6 5 0
FIVETEN-FREE ip4r blackholes.five-ten-sg.com 127.0.0.12 5 0
MONKEYFORMMAIL ip4r formmail.relays.monkeys.com * 4 0
ORDB ip4r relays.ordb.org * 4 0
OSDUL ip4r relays.osirusoft.com 127.0.0.3 4 0
OSRELAY ip4r relays.osirusoft.com 127.0.0.2 4 0
OSSMART ip4r relays.osirusoft.com 127.0.0.5 4 0
V6NET ip4r spammers.v6net.org 127.0.0.2 4 0
OSLIST ip4r relays.osirusoft.com 127.0.0.7 2 0
DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 1 0
NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 1 0
NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 1 0
BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -20 0
MAILFROM envfrom x x 7 0
ROUTING spamrouting x x 7 0
HELOBOGUS helovalid x x 5 0
SPAMHEADERS spamheaders x x 5 0
BADHEADERS badheaders x x 3 0
BASE64 base64 x x 3 0
PERCENT percent x x 2 0
IPNOTINMX ipnotinmx x x 0 -2
ALLIGATE external nonzero "C:\IMail\Alligate\NoXMail.exe" 3 0
WEIGHT10 weight x x 10 0
-->8------------------------

I believe some of these tests are not catching anything and could be removed. Comments and questions are welcome.

Matt

Keith Johnson wrote:

>Rob,
>   If you don't mind sharing, what config settings do you use for
>Alligate..
>
>Keith

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
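
Added example, not part of the thread and not Declude's own code: why the test type matters. An ip4r test looks up the connecting IP with its octets reversed under the list zone, while an rhsbl test looks up a domain under the zone, so an ip4r query sent to a domain-keyed zone never gets a listing. Assumptions: the function names are hypothetical, 192.0.2.25 and example.com are placeholders, the rhsbl lookup is taken to use the envelope sender's domain, and the 'rhs' zone-label check is only a naming heuristic.

```python
import ipaddress

# Constructed sample: two lines as posted in the original message, the
# corrected form of one line from the reply, and one existing rhsbl test.
SAMPLE_CONFIG = """\
SBL             ip4r  sbl.spamhaus.org         127.0.0.2 10 0
MAILPOLICE-BULK ip4r  bulk.rhs.mailpolice.com  127.0.0.2 10 0
MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com  127.0.0.2 10 0
DSN             rhsbl dsn.rfc-ignorant.org     127.0.0.2 1 0
"""

def parse_tests(text):
    """Return (name, type, zone) for each DNS-list test line."""
    tests = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] in ("ip4r", "rhsbl"):
            tests.append((fields[0], fields[1], fields[2].lower()))
    return tests

def query_name(test_type, zone, client_ip, sender_domain):
    """Build the DNS name that is looked up for one test."""
    if test_type == "ip4r":
        # IP-keyed list: reversed octets of the connecting address.
        octets = str(ipaddress.IPv4Address(client_ip)).split(".")
        return ".".join(reversed(octets)) + "." + zone
    if test_type == "rhsbl":
        # Domain-keyed list: sender domain (assumed: envelope sender).
        return sender_domain.lower().rstrip(".") + "." + zone
    raise ValueError("not a DNS list test: " + test_type)

def suspect_tests(tests):
    """Names of ip4r tests whose zone carries an 'rhs' label (heuristic)."""
    return [name for name, ttype, zone in tests
            if ttype == "ip4r" and "rhs" in zone.split(".")]

if __name__ == "__main__":
    tests = parse_tests(SAMPLE_CONFIG)
    for name, ttype, zone in tests:
        print(name, query_name(ttype, zone, "192.0.2.25", "example.com"))
    print("check these:", suspect_tests(tests))
```

A test flagged by suspect_tests adds no weight to any message, so the list it names is not contributing to the score at all.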