Matthew, your MAILPOLICE tests are configured wrong. Those are rhsbl tests, not ip4r
tests. The config lines should read...
MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 10 0
MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 10 0
Bill
-----Original Message-----
From: Matthew Bramble
Sent: Wed, 20 Aug 2003 21:27:15 -0400
Subject: Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?
I'd also like to share my configuration. We have about 50 E-mail
domains with about 250 users, with many addresses listed in who-is
records and on Web sites, along with "nobody" alias redirection for all
domains. This results in a lot of garbage coming our way. We are
definitely capturing 95%-97% of all the spam currently and our false
reject rate is less than 1-3 in 1000, most of which is automated
delivery messages, with user exceptions being mostly of the variety of
open relay users or that one person that uses Base64 encoding from a
poorly configured server. Unfortunately some addresses get literally
hundreds of spams a day, often it's their own fault, but they need more
relief than I have been giving them.
I don't have the time to constantly monitor rejected mail (about ~15,000
a week), so we generally kill it at a score of 10 unless we tweak the
settings, in which case we monitor it as I am doing now. I think our
setup even without the Alligate is quite solid after a year of playing
with it occasionally, but it needs more than RFC and blacklist tests to
close the gap that's left. This BONDEDSENDER thing also looks like it
has promise as I found 19 examples today of E-mail that was saved,
probably all of it was ad-related, and some I would probably consider
spam, but not the brutal idiotic stuff that goes to harvested
addresses. I'm going to capture those messages for review since I can
only see the senders now. Anyway, here's the beef of my config file:
--8<------------------------
SBL ip4r sbl.spamhaus.org 127.0.0.2 10 0
OSSOFT ip4r relays.osirusoft.com 127.0.0.6 10 0
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 10 0
FIVETEN-BULK ip4r blackholes.five-ten-sg.com 127.0.0.4 10 0
MAILPOLICE-BULK ip4r bulk.rhs.mailpolice.com 127.0.0.2 10 0
MAILPOLICE-PORN ip4r porn.rhs.mailpolice.com 127.0.0.2 10 0
OSSRC ip4r relays.osirusoft.com 127.0.0.4 7 0
EASYNET-DNSBL ip4r blackholes.easynet.nl 127.0.0.2 7 0
EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl 127.0.0.2 7 0
FIVETEN-SPAMSUPPORT ip4r blackholes.five-ten-sg.com 127.0.0.7 7 0
FIVETEN-MISC ip4r blackholes.five-ten-sg.com 127.0.0.9 7 0
BLITZEDALL ip4r opm.blitzed.org * 7 0
DSBL ip4r list.dsbl.org * 5 0
MONKEYPROXIES ip4r proxies.relays.monkeys.com * 5 0
OSFORM ip4r relays.osirusoft.com 127.0.0.8 5 0
OSPROXY ip4r relays.osirusoft.com 127.0.0.9 5 0
FIVETEN-SPAM ip4r blackholes.five-ten-sg.com 127.0.0.2 5 0
FIVETEN-MULTISTAGE ip4r blackholes.five-ten-sg.com 127.0.0.5 5 0
FIVETEN-SINGLESTAGE ip4r blackholes.five-ten-sg.com 127.0.0.6 5 0
FIVETEN-FREE ip4r blackholes.five-ten-sg.com 127.0.0.12 5 0
MONKEYFORMMAIL ip4r formmail.relays.monkeys.com * 4 0
ORDB ip4r relays.ordb.org * 4 0
OSDUL ip4r relays.osirusoft.com 127.0.0.3 4 0
OSRELAY ip4r relays.osirusoft.com 127.0.0.2 4 0
OSSMART ip4r relays.osirusoft.com 127.0.0.5 4 0
V6NET ip4r spammers.v6net.org 127.0.0.2 4 0
OSLIST ip4r relays.osirusoft.com 127.0.0.7 2 0
DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 1 0
NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 1 0
NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 1 0
BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -20 0
MAILFROM envfrom x x 7 0
ROUTING spamrouting x x 7 0
HELOBOGUS helovalid x x 5 0
SPAMHEADERS spamheaders x x 5 0
BADHEADERS badheaders x x 3 0
BASE64 base64 x x 3 0
PERCENT percent x x 2 0
IPNOTINMX ipnotinmx x x 0 -2
ALLIGATE external nonzero "C:\IMail\Alligate\NoXMail.exe" 3 0
WEIGHT10 weight x x 10 0
-->8------------------------
I believe some of these tests are not catching anything and could be
removed. Comments and questions are welcome.
Matt
Keith Johnson wrote:
>Rob,
> If you don't mind sharing, what config settings do you use for
>Alligate..
>
>Keith
>
>
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
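
An added example, not part of the original thread and not Declude's own code: it shows why a right-hand-side zone configured as ip4r never matches, by building the DNS name each test type looks up (reversed client IP for ip4r, sender domain for rhsbl) and scoring against constructed answers. The column meanings, the sample IP and domain, and the name MAILPOLICE-BULK-FIXED are assumptions made for illustration.

```python
import ipaddress

# Constructed sample tests in the thread's line format. The meaning of the two
# trailing numbers (weight when listed / when not listed) is an assumption.
# MAILPOLICE-BULK-FIXED is a hypothetical name for the corrected rhsbl line.
SAMPLE_CONFIG = """\
SBL ip4r sbl.spamhaus.org 127.0.0.2 10 0
MAILPOLICE-BULK ip4r bulk.rhs.mailpolice.com 127.0.0.2 10 0
MAILPOLICE-BULK-FIXED rhsbl bulk.rhs.mailpolice.com 127.0.0.2 10 0
DSBL ip4r list.dsbl.org * 5 0
"""

# Constructed stand-in for DNS answers so the example runs offline.
ZONE_DATA = {
    "bulkmailer.example.bulk.rhs.mailpolice.com": "127.0.0.2",
    "10.2.0.192.list.dsbl.org": "127.0.0.2",
}

def parse_tests(text):
    """Return the ip4r/rhsbl test definitions found in a config fragment."""
    tests = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[1] in ("ip4r", "rhsbl"):
            name, kind, zone, expected, hit, miss = fields
            tests.append({"name": name, "kind": kind, "zone": zone,
                          "expected": expected, "hit": int(hit), "miss": int(miss)})
    return tests

def query_name(test, client_ip, sender_domain):
    """Build the DNS name a test looks up: reversed IP (ip4r) or domain (rhsbl)."""
    if test["kind"] == "ip4r":
        octets = str(ipaddress.IPv4Address(client_ip)).split(".")
        return ".".join(reversed(octets)) + "." + test["zone"]
    return sender_domain.lower().rstrip(".") + "." + test["zone"]

def score(tests, client_ip, sender_domain, zone_data=ZONE_DATA):
    """Sum the weights and list the tests whose lookup returned the expected value."""
    total, hits = 0, []
    for t in tests:
        answer = zone_data.get(query_name(t, client_ip, sender_domain))
        listed = answer is not None and t["expected"] in ("*", answer)
        total += t["hit"] if listed else t["miss"]
        if listed:
            hits.append(t["name"])
    return total, hits

if __name__ == "__main__":
    print(score(parse_tests(SAMPLE_CONFIG), "192.0.2.10", "bulkmailer.example"))
```

With the ip4r type, the MAILPOLICE zone is asked about a reversed IP address it does not index, so the test silently contributes nothing; only the rhsbl line queries the sender domain.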