It might also be a good idea to remove my domains from your files :) I
thought my mail client would use the version saved at the time attached
instead of grabbing them when I sent the E-mail...
Matt
Matthew Bramble wrote:
Actually, you want to apply the weight in the Global.cfg, 7 in this case, and
then all of your positives should be listed as 0 in the filter file and
the Mozilla exception should be scored as a -7. The way it is now, it
will credit 7 points to any message claiming to be Mozilla generated,
and that of course includes a lot of spam. Doing it the way I
suggested only defeats the scoring of the test when Mozilla is found,
but that also means that this test will show up to Declude as failed
despite the lack of scoring. I'm using some other tweaks such as doing
an IS instead of CONTAINS for the FQDN, and listing the addresses with
and without the mail. in front of my domains since my MX records use
the mail. subdomain.
I also modified this into two different files, FORGEDHELO-IP and
FORGEDHELO-FQDN. The reason for this is that FP's are almost
non-existent when the IP is used as the host name, and this allows me
to score it higher. Forged FQDN's are definitely more likely to FP. I
attached a copy of my filters to this message. They are very effective
so far, thanks for the tips. If you don't mind, I would like to
publish these when my site is ready. Note though that this doesn't
include all of the tweaks suggested in this thread, however I may add
them myself.
Matt
# FORGEDHELO-FQDN
# Last Update: 09/23/2003
#
# Description:
# This filter is designed to detect senders that forge the Fully Qualified Domain Name (FQDN) in
# use on the mail server.
#
# Usage:
# Based on a fail weight of 10.
#
# -----Global.cfg-----
# FORGEDHELO-FQDN filter C:\IMail\Declude\ForgedHELO-FQDN.txt x 7 0
#
# False Positives:
# Scoring false positives will primarily come from hardware or software with built-in SMTP
# capabilities for sending automated notifications which are configured either by default
# or by configuration to use the name of the mail host. Mail clients on computers using
# the FQDN of the mail server as their computer name can also produce false positives.
# Counterbalances:
# Negative weighting is applied for Netscape and Mozilla mail clients which use the domain name
# listed in the From address. Counterbalancing is not necessary if all local users are
# configured to use SMTP AUTH, and Declude is configured for WHITELIST AUTH (v1.76+) in
# combination with IMail 8+.
#
# Test Exclusions:
# Messages containing the Netscape/Mozilla marker in the headers.
HEADERS -7 CONTAINS mozilla
# Filter Matches:
# Looks for FQDN's configured on the server. Domains should be listed as they appear in E-mail
# addresses as well as how they appear in MX records. Explicit matching (IS) should be used in
# order to prevent false positives.
#
# A good tool for generating a list of domains that you serve is ExtractUsers which is found at
# http://dev.myownemail.com/Imail/ExtractUsers.htm, placed in c:\extractusers\ directory, and
# run from the command line with "c:\extractUsers\extractUsers.exe -f c:\extractusers". This will
# output a file called Domains.txt among other things which can be used to create a list of
# domains for use in this filter.
#HELO 0 IS example.com
#HELO 0 IS mail.example.com
# FORGEDHELO-IP
# Last Update: 09/23/2003
#
# Description:
# This filter is designed to detect senders that forge the receiving mail server's IP in
# the HELO as the name of the sending server. There are no valid reasons to forge a local
# IP, and therefore this test should be scored for automatic rejection.
#
# Usage:
# Based on a fail weight of 10.
#
# -----Global.cfg-----
# FORGEDHELO-IP filter C:\IMail\Declude\ForgedHELO-IP.txt x 15 0
#
# False Positives:
# Intra-network software configured improperly to use the IP as the hostname in HELO. Dimac
# JMail and MIME::Lite have shown this behavior.
# Counterbalances:
# Negative weighting is applied for intra-network devices, software or Web sites that by
# default use or are configured to use an IP in the ranges defined in this filter.
#
# Test Exclusions:
# None by default.
#HELO -15 CONTAINS x.x.x.x
# Filter Matches:
# IP addresses that are configured for use on the mail server. CIDR ranges may not be used
# as this filter is designed to detect text strings and not actual addresses. Class C ranges
# can be specified by leaving off the trailing octet. The reserved localhost address is also
# included.
#HELO 0 CONTAINS x.x.x. (whole Class C)
#HELO 0 CONTAINS x.x.x.x (single addresses)
HELO 0 CONTAINS 127.0.0.1
HELO 0 CONTAINS 208.7.179.
--
===================================================
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---------------------------------------------------
Office Phone: (518) 862-9042
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===================================================
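The scoring arrangement Matthew recommends above (HELO positives at 0, the Mozilla exclusion at -7, and the 7 carried in Global.cfg), worked through as an added Python example that is not part of this thread or of Declude itself. The filter excerpts, HELO values and headers are constructed, the IP range is the documentation block 192.0.2.0/24 rather than a real server's, and the evaluation order is an assumption drawn from the post, not Declude's documented algorithm; the IS-versus-CONTAINS case shows why exact matching is used for the FQDN list.

```python
# Constructed excerpts in the same line syntax as the posted filter files.
FORGEDHELO_FQDN = """
# local FQDNs score 0; the Global.cfg weight (7) carries the penalty
HEADERS -7 CONTAINS mozilla
HELO 0 IS example.com
HELO 0 IS mail.example.com
"""
FORGEDHELO_IP = """
HELO 0 CONTAINS 127.0.0.1
HELO 0 CONTAINS 192.0.2.
"""


def parse_filter(text):
    """Turn filter lines into (field, weight, op, value); '#' lines and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        field, weight, op, value = line.split(None, 3)
        rules.append((field.upper(), int(weight), op.upper(), value.lower()))
    return rules


def score(rules, global_weight, helo, headers):
    """Return (failed, points) for one message.

    Model (assumption, not Declude's documented behaviour): the test fails when
    any HELO line matches. Only a failed test contributes points: the Global.cfg
    weight plus the weights of every matching line. So the -7 Mozilla line can
    cancel the 7 on a forged HELO, but never credits a message whose HELO is clean.
    """
    helo, headers = helo.lower(), headers.lower()
    failed, line_points = False, 0
    for field, weight, op, value in rules:
        subject = helo if field == "HELO" else headers
        hit = subject == value if op == "IS" else value in subject
        if hit:
            line_points += weight
            failed = failed or field == "HELO"
    return (True, global_weight + line_points) if failed else (False, 0)
```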