YMMV... I have:
HOP 0 HOPHIGH 2 Because I do want to do checks on the hop before the one sending to my mail server. That was a big selling feature of Declude for me. Some of the tests though are entirely about the client, and result in a false positive every time a normal client that is listed in a subnet (e.g. attbi.com customer) uses their normal mail server to send my server a normal message. Scott has written to the list previously that using "DYNA" (or possibly "DUL" also) in the name of your test will tell Declude.exe to only check that test against the server that is sending you the message (unless that server is covered by an IPBYPASS, in which the test applies to the hop before the sending server!). I am happily using CBL, which I've called CBL-DYNA, at a higher weight than I did previously. The idea being that I only care if the entry is in the CBL database if that IP is trying to send to me directly, e.g. an exploited open proxy. I don't care if that IP sends to someone else before it comes to me. Until the spammers wise up to that, I am content to not have a test that magically mates up a client IP with a rational mail server for it, e.g. an AOL dial-up user with an AOL mail server. Andrew 8) -----Original Message----- From: Matthew Bramble [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2003 1:49 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Scanning multiple hops Right now I'm only scanning on the first hop, but I have a few users that have forwarding from other accounts which don't do as well with the filtering because the DNS based tests won't produce hits. I'm wondering what other's experiences are with scanning on multiple hops. How many hops are necessary to pick up the originating IP for the majority of forwarded E-mail? 2, 3 or possibly more? Also, is anyone seeing an increase in FP's from these earlier hops on non DUL-type tests? Thanks, Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
