It looks like you have a good list of tests. You may want to evaluate the scores for some of your tests. We also use Weight 100 and we give Spamcop a Much higher score. In addition the tests we had for oriusoft.com we scored pretty high 35 - 50 so when we added replacements we tried to find something that we could use to generate equal scoring. Have you lowered your oriusoft.com numbers or are they unchanged?
FIVETEN and MAILPOLICE have been good replacements for us and have been catching a lot of our spam with the new config since oriusoft went down.
I would comment out the oriusoft tests - I read somewhere that he was going to blacklist everyone, don't know if he actually did.
FYI You have NJABL listed twice. I belive someone said the SORBS-BADCONF and SORBS-NOMAIL test were ip4r and not rhsbl although I may have misunderstood and you should confirm that.
Todd
At 01:04 PM 9/2/2003 -0400, you wrote:
I have not replaced any of the asirusfot.com tests but have added a few others.
Here is my current configuration
DSBL ip4r list.dsbl.org * 30 0
MONKEYFORMMAIL ip4r formmail.relays.monkeys.com * 30 0
MONKEYPROXIES ip4r proxies.relays.monkeys.com * 30 0
NJABL ip4r dnsbl.njabl.org 127.0.0.2 10 0
VOX ip4r vox.schpider.com 127.0.0.2 30 0
BLITZEDALL ip4r opm.blitzed.org * 20 0
EASYNET-DNSBL ip4r blackholes.easynet.nl 127.0.0.2 60 0
EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl * 20 0
IPWHOIS ip4r ipwhois.rfc-ignorant.org 127.0.0.6 5 0
SORBS-HTTP ip4r dnsbl.sorbs.net 127.0.0.2 7 0
SORBS-SOCKS ip4r dnsbl.sorbs.net 127.0.0.3 7 0
SORBS-MISC ip4r dnsbl.sorbs.net 127.0.0.4 7 0
SORBS-SMTP ip4r dnsbl.sorbs.net 127.0.0.5 7 0
SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 7 0
SORBS-WEB ip4r dnsbl.sorbs.net 127.0.0.7 7 0
SORBS-BLOCK ip4r dnsbl.sorbs.net 127.0.0.8 3 0
SORBS-ZOMBIE ip4r dnsbl.sorbs.net 127.0.0.9 7 0
SPAMBAG ip4r blacklist.spambag.org 127.0.0.2 10 0
UCEB ip4r blackholes.uceb.org * 20 0
ORDB ip4r relays.ordb.org * 10 0
OSDUL ip4r relays.osirusoft.com 127.0.0.3 5 0
OSFORM ip4r relays.osirusoft.com 127.0.0.8 9 0
OSLIST ip4r relays.osirusoft.com 127.0.0.7 9 0
OSRELAY ip4r relays.osirusoft.com 127.0.0.2 9 0
OSSMART ip4r relays.osirusoft.com 127.0.0.5 9 0
OSSOFT ip4r relays.osirusoft.com 127.0.0.6 9 0
OSSRC ip4r relays.osirusoft.com 127.0.0.4 9 0
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 10 0
NJABL ip4r dnsbl.njabl.org 127.0.0.2 10 0
FABELSOURCES ip4r spamsources.fabel.dk 127.0.0.2 10 0
FIVETEN-SPAM ip4r blackholes.five-ten-sg.com 127.0.0.2 10 0
FIVETEN-BULK ip4r blackholes.five-ten-sg.com 127.0.0.4 10 0
FIVETEN-MULTISTAGE ip4r blackholes.five-ten-sg.com 127..0.0.5 10 0
FIVETEN-SPAMSUPPORT ip4r blackholes.five-ten-sg.com 127.0.0.7 10 0
FIVETEN-MISC ip4r blackholes.five-ten-sg.com 127.0.0.9 10 0
FIVETEN-SINGLESTAGE ip4r blackholes.five-ten-sg.com 127.0.0.6 25 0
FIVETEN-FREE ip4r blackholes.five-ten-sg.com 127.0.0.12 10 0
INTERSIL ip4r blackholes.intersil.net 127.0.0.2 10 0
SPAMHAUS ip4r sbl.spamhaus.org 127...0.0.2 55 0
CBL ip4r cbl.abuseat.org 127.0..0.2 45 0
DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 4 0
NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 2 0
NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 4 0
SECURITYSAGE rhsbl blackhole.securitysage.com * 20 0
SORBS-BADCONF rhsbl dnsbl.sorbs.net 127.0.0.11 3 0
SORBS-NOMAIL rhsbl dnsbl.sorbs.net 127.0.0.12 1 0
MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 45 0
MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 55 0
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Todd Hunter Sent: Tuesday, September 02, 2003 12:15 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] More and more email getting past Declude
Greg,
"I doubt it's a setup issue because I'm using the same setup that I've used for a year now. "
This probably goes without saying but you have removed the osirusoft.com tests and replaced them with something appropriate?
I have email accounts that I monitor that get Huge amounts of spam. We were seeing some spam that would pass the DNS based tests and for that reason we added SpamCheck. Now Nothing get through. And we have fewer FPs.
Todd Hunter Progressive Systems
At 10:16 AM 9/2/2003 -0400, you wrote: >Scott, >I doubt it's a setup issue because I'm using the same setup that I've used >for a year now. Also I am not the only one receiving more spam.. All of my >users are as well... > >Anyway here is a piece of spam recently received (I've already blacklisted >the sender) but it seems as soon as I blacklist a sender a new one is >created. > >Received: from p.advertisingbymail.com [64.119.218.212] by mail.nfti.com > (SMTPD32-6.06) id A91816D01A4; Tue, 02 Sep 2003 08:12:08 -0400 >To: [EMAIL PROTECTED] >Date: Tue, 2 Sep 2003 04:20:23 -0800 >Message-ID: <[EMAIL PROTECTED]> >From: Weight Solution <[EMAIL PROTECTED]> >Return-Path: <[EMAIL PROTECTED]> >Reply-To: <[EMAIL PROTECTED]> >Subject: Lose 10lbs in 1 Week >X-MimeOLE: Prodigy Compatibility V 4.5c810f26 or later >Mime-Version: 1.0 >Content-Type: text/plain; charset="us-ascii" >X-Declude-Sender: [EMAIL PROTECTED] [64.119.218.212] >X-Declude-Spoolname: D89181a4.SMD >X-Note: This E-mail was scanned by NFTISERV's Declude JunkMail for spam. >X-Spam-Tests-Failed: None >X-Weight: 0 >X-Note: This E-mail was sent from p.advertisingbymail.com >([64.119.218.212]). >X-RCPT-TO: <[EMAIL PROTECTED]> >X-UIDL: 359866453 >Status: U > >Greg > >-----Original Message----- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry >Sent: Tuesday, September 02, 2003 9:53 AM >To: [EMAIL PROTECTED] >Subject: Re: [Declude.JunkMail] More and more email getting past Declude > > > > >Is it just me or have spammers found other ways to get past scanners? I've > >been getting slammed lately with more and more spam that is getting past > >declude without a single hit. > >The two most common reasons for this are [1] A setup issue (a >gateway/backup that Declude doesn't know about, bad DNS server, etc.), or >[2] "quasi-legitimate E-mail" (for example, E-mail that you get after >giving your E-mail address to a company but forgetting to uncheck the box >that says "It's OK to give my E-mail address to your affiliates" or >whatever). > >If you can post the full headers (including Received: headers; no need for >the message body), I can probably provide some pointers for how to improve >spam detection. > > -Scott >--- >Declude JunkMail: The advanced anti-spam solution for IMail mailservers. >Declude Virus: Catches known viruses and is the leader in mailserver >vulnerability detection. >Find out what you have been missing: Ask for a free 30-day evaluation. > >--- >[This E-mail was scanned for viruses by Declude Virus >(http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. >--------------------------------------------------------------------------- - >-- >[This E-mail was scanned for viruses by Declude Virus Scanner on >mail.nfti.com] > > >--------------------------------------------------------------------------- --- >[This E-mail was scanned for viruses by Declude Virus Scanner on >mail.nfti.com] > >--- >[This E-mail was scanned for viruses by Declude Virus >(http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. ---------------------------------------------------------------------------- -- [This E-mail was scanned for viruses by Declude Virus Scanner on mail.nfti.com]
------------------------------------------------------------------------------
[This E-mail was scanned for viruses by Declude Virus Scanner on mail.nfti.com]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
