Hi Paul:

The URL files are in the same place that I referenced earlier..

We have a large number of filters.

1- URL in the body
2- Phone in the body
3- IPs in the body

4- Free emails
5- Free emails with subject= e.g. @hotmail.com?subject=
6- Free emails with remove e.g. @hotmail with remove

7- Blacklists (email blacklist)
8- Blacklist found in the body
9- Blacklist found in header

10- Nigerian scam - keywords
11- Also blacklists in the format of Imail 8 with wildcard which we use with
Imail to block emails.
12- Blacklist for Declude.. For example adultmailer-bounces@

13- REMOTEIP
14- REVDNS

Recently added:

- body gibberish filter by Matt

We also use ImageFX's blacklist as HOLD so we can add the blacklist entry to
our own.. 

Nobody around here gets any spam.. If we do we talk about it :)

Our filters in combination with AutoWhiteList by eServicesforYou catch all
emails with barely any false positives.  We have set the AutoWhiteList to
simply take 20 points off of any email that the user has emailed before.
After 2 emails back and forth between people their emails receive -100
points .. Impossible to be caught anymore making the false positives
extremely rare.. Except of course news lists which we add to our
mailing list database after the first catch.

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of paul
Sent: Wednesday, September 17, 2003 4:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Bah, puny spammer!


> Paul, those last 3 tests are our in-house tests that may or may not be
> suitable for anyone else.
>
> The first of the three is an IPFILE test that contains our banned IPs.
> We put them here instead of IMail because we like the logging of the 
> mail-handling decisions to all be in Declude's log.

Same here, I have 3 separate IP lists, IPLIST, mostly cable/DSL IPs, HighIP,
usually IPs like markedmail, etc. and KILLIP, 9 out of 10 is a foreign IP.
As you say, it's nice to have Declude log them, I did it because it was far
easier for me to add IPs to the killip file than going to the server and
updating the control access file.

> The second is a text FILTER test (only available with Declude JunkMail
> Pro) that has lots of snippets of spammish body text, including HTML
> content tips posted here (notably Kami, Bill and Matthew) and our own
> list of keywords to hint towards a body weight for spam that had made
> it through to mailboxes (e.g. last Christmas' little cars campaigns,
> and current mortgage and loan come-ons).  The test is called 'hint'
> because every filter line is a low weight.

Ok, same here.

> The third is another text FILTER test, and contains URI specific hints
> as well as blacklisted domains (high weights) we see in URLs.  I keep 
> meaning to break this file in to two tests; the URI hints and the 
> blacklisted domains.

I'd be interested in seeing that, if I may, I've got a BODYTEST set so far
with urls included, as well as phrases.

> The COMMENTS test scored so high because after running for a month with
> the fixed weight option, and Scott's assurance that it only scores bogus
> comments and that I'd seen zero false positives,  I found that it was a
> safe test, so I switched to the dynamic weight option, and score with a
> small base weight, and after that, it's up to the spammer as to how high
> the score will get.

Hmm, I haven't yet adjusted my COMMENTS test to add weight, it simply adds a
WARN line, or HOLD above a certain limit.

> If you're interested in the URI hinting, I'd suggest that you look at
> Kami's filter files, which are much cleaner than what I could offer.

Kami has been a BIG help to me, I've referenced his files many times.

I'd still like to check out those last 2 filters, if you don't mind. If you
do, I understand. =)

Paul



---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.
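
The weighted scoring with an auto-whitelist credit that Kami describes above, sketched as an added example (not code from the thread, Declude or AutoWhiteList). The -20 and -100 credits are the ones stated in the post; the test weights, the names URI_BLACKLIST and FREEMAIL_REMOVE, the hold threshold, the DELIVER label and the reading of "2 emails back and forth" as two outbound mails are assumptions.

```python
from collections import defaultdict

# Constructed weights and hold threshold (the thread gives no numbers for these).
TEST_WEIGHTS = {"HINT": 2, "URI_BLACKLIST": 15, "FREEMAIL_REMOVE": 5, "KILLIP": 20}
HOLD_AT = 20

# Credits as stated in the post.
CREDIT_EMAILED_BEFORE = -20
CREDIT_TWO_EXCHANGES = -100


class AutoWhitelist:
    """Tracks which remote addresses each local user has written to."""

    def __init__(self):
        self._sent = defaultdict(int)  # (local user, remote address) -> count

    def record_outbound(self, local_user, remote):
        self._sent[(local_user.lower(), remote.lower())] += 1

    def credit(self, local_user, remote):
        n = self._sent.get((local_user.lower(), remote.lower()), 0)
        if n >= 2:  # assumption: "2 emails back and forth" = two outbound mails
            return CREDIT_TWO_EXCHANGES
        return CREDIT_EMAILED_BEFORE if n == 1 else 0


def evaluate(hits, whitelist, local_user, sender):
    """Sum the weight of every filter hit, apply the credit, pick an action."""
    total = sum(TEST_WEIGHTS[t] for t in hits) + whitelist.credit(local_user, sender)
    return total, ("HOLD" if total >= HOLD_AT else "DELIVER")


def demo():
    wl = AutoWhitelist()
    hits = ["HINT", "HINT", "URI_BLACKLIST", "FREEMAIL_REMOVE"]  # constructed
    me, friend = "user@example.com", "friend@example.net"
    results = [evaluate(hits, wl, me, friend)]        # no history
    wl.record_outbound(me, friend)
    results.append(evaluate(hits, wl, me, friend))    # emailed once
    wl.record_outbound(me, friend)
    results.append(evaluate(hits, wl, me, friend))    # two exchanges
    # Credit is keyed per local user: another mailbox gets no benefit.
    results.append(evaluate(hits, wl, "other@example.com", friend))
    return results


if __name__ == "__main__":
    for total, action in demo():
        print(total, action)
```

Because the credit is keyed on the sender address, a forged From line matching a known correspondent would earn the same credit in this sketch.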
