Nick,

I noticed that you are using the blackholes and a country filter. FYI, this will be almost all caught by the FOREIGN test so keep in mind that you will be adding even more points by using the three together and that could result in some false positives (i.e. Russian originators will get 9 points instead of just three by failing three tests).

I personally fail on 10, and my scoring is going to be a lot different from yours. I'm attaching the non-custom part of my config below. This config together with my filters (which the best ones are configured on your system) some header stuff from Kami and Message Sniffer are blocking minimally 98% on my system with hardly any issues with FP's. It seems that you might be mostly failing on a score of 15, in which case, you might want to adjust the scores of my filters up by 50% (which requires some adjustments inside of the files as well). One of the issues might be the wide range of scores that you fail on. My system will only block about 92% if I failed at a score of 20, so I have only three levels set at 10, 13 and 16, and try to keep my scoring tight enough so that all FP's will come in below 20. Getting tighter here might be beneficial, however you would really have to readjust a lot of things to make that work, though not by much from appearances. I would also recommend moving your whitelist into a filter file and only subtracting 10 or less points because spammers will fake reverse DNS settings and you have some domains that are likely to be targeted there. That way, something that is spam should still fail, but it will protect from FP's on several of the RBL's. Here's my config:

LOGLEVEL        LOW
HOP            0
CONSOLE            OFF
LOOSENSPAMHEADERS    ON

DSBL ip4r list.dsbl.org * 7 0
ORDB ip4r relays.ordb.org * 7 0
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 9 0
EASYNET-DYNA ip4r dynablock.easynet.nl 127.0.0.2 4 0
EASYNET-DNSBL ip4r blackholes.easynet.nl 127.0.0.2 5 0
EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl 127.0.0.2 7 0
FIVETEN-SPAM ip4r blackholes.five-ten-sg.com 127.0.0.2 4 0
FIVETEN-BULK ip4r blackholes.five-ten-sg.com 127.0.0.4 4 0
FIVETEN-MULTISTAGE ip4r blackholes.five-ten-sg.com 127.0.0.5 5 0
FIVETEN-SPAMSUPPORT ip4r blackholes.five-ten-sg.com 127.0.0.7 4 0
FIVETEN-MISC ip4r blackholes.five-ten-sg.com 127.0.0.9 7 0
BLITZEDALL ip4r opm.blitzed.org * 7 0
SBL ip4r sbl.spamhaus.org 127.0.0.2 50 0
CBL ip4r cbl.abuseat.org 127.0.0.2 8 0
SBBL ip4r sbbl.they.com * 4 0


SORBS-DUL        ip4r    dnsbl.sorbs.net            127.0.0.10    6    0
SORBS-HTTP        ip4r    dnsbl.sorbs.net            127.0.0.2    6    0
SORBS-MISC        ip4r    dnsbl.sorbs.net            127.0.0.4    6    0
SORBS-SOCKS        ip4r    dnsbl.sorbs.net            127.0.0.3    6    0
SORBS-SPAM        ip4r    dnsbl.sorbs.net            127.0.0.6    5    0

MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 9 0
MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 9 0
DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 1 0
NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 1 0
NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 1 0


BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -50 0

BADHEADERS        badheaders    x    x    5    0
HELOBOGUS        helovalid    x    x    4    0
MAILFROM        envfrom        x    x    7    0
IPNOTINMX        ipnotinmx    x    x    0    -2
PERCENT            percent        x    x    2    0
#REVDNS            revdnsexists    x    x    0    0
ROUTING            spamrouting    x    x    7    0
SPAMHEADERS        spamheaders    x    x    5    0
NOLEGITCONTENT        nolegitcontent    x    x    0    -1
BASE64            base64        x    x    3    0
COMMMENTS        comments    5    x    7    0
NONENGLISH        nonenglish    x    x    2    0

BCC-3            bcc        3    x    1    0
BCC-5            bcc        5    x    1    0

SUBSPACE-15        subjectspaces    15    x    1    0
SUBSPACE-25        subjectspaces    25    x    2    0
SUBSPACE-40        subjectspaces    40    x    3    0


Matt






Nick Hayer wrote:

Jonathan,

Here is my setup - hopefully it will help. Anyone feel free to tell me what I have messed up...

-Nick


#GLOBAL.CFG <edited>
#
#SETTINGS
################################################################################
CONSOLE ON
HOP 0
#HOPHIGH 1
IPBYPASS 127.0.0.1
LOOSENSPAMHEADERS OFF
LOGFILE spool\dec####.log
LOGLEVEL MID
PREWHITELIST ON
WHITELIST AUTH XSENDER ON
XSPOOLNAME ON


#HEADERS
############################################################################
XINHEADER X-Country-Chain: %COUNTRYCHAIN%
XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.
XINHEADER X-Note: Spam tests: %TESTSFAILED%.
XINHEADER X-Note: Reverse DNS: %REVDNS%.
XINHEADER X-Note: Header code: %HEADERCODE%
XINHEADER X-Note: Queue name: %QUEUENAME%
XOUTHEADER X-Note: Total spam weight of this e-mail is %WEIGHT%.
XOUTHEADER X-Note: Reverse DNS %REVDNS% .


#FROMFILE
##################################################################################
BADSENDERS      fromfile        e:\IMail\Declude\badaddresses.txt x     5       0
KillListGen     fromfile        e:\IMail\Declude\Destination.txt x      10      0

#IPFILE
##################################################################################
ipblacklist ipfile e:\IMail\Declude\filters\ipfile.txt x 5 0


#FILTERS
##################################################################################
ADULTPHRASE filter e:\IMail\Declude\filters\adultphrase.txt x 3 0
ANTI-GIBBERISHSUB filter e:\IMail\Declude\filters\Anti-GibberishSub.txt x -4 0
ANTI-Y!DIRECTED filter e:\IMail\Declude\filters\Anti-Y!Directed.txt x -11 0
BODYCURSE filter e:\IMail\Declude\filters\bodycurse.txt x 3 0
BODYSEX filter e:\IMail\Declude\filters\bodysex.txt x 3 0
COUNTRY filter e:\imail\declude\filters\country.txt x 6 0
DBL filter e:\IMail\Declude\filters\dbl.txt x 0 0
DNS_TESTS filter e:\IMail\Declude\filters\dns_tests.txt x 0 0
DYNAMIC filter e:\IMail\Declude\filters\Dynamic.txt x 3 0
FOREIGN filter e:\IMail\Declude\Filters\Foreign.txt x 3 0
GIBBERISH filter e:\IMail\Declude\filters\Gibberish.txt x 4 0
GIBBERISHSUB filter e:\IMail\Declude\filters\GibberishSub.txt x 4 0
GMA_SENT filter e:\imail\declude\filters\gma.txt x 0 0
MALICIOUS filter e:\IMail\Declude\filters\viri.txt x 6 0
OBFUSCATION filter e:\IMail\Declude\filters\Obfuscation.txt x 7 0
REVDNSCK filter e:\IMail\Declude\filters\revdns.txt x 0 0
SUBJCURSE filter e:\IMail\Declude\filters\subjcurse.txt x 3 0
SUBJSEX filter e:\IMail\Declude\filters\subjsex.txt x 3 0
TLD-AFRICAN filter e:\IMail\Declude\Filters\TLD-African.txt x 3 0
TLD-ASIAN filter e:\IMail\Declude\Filters\TLD-Asian.txt x 3 0
TLD-CARIBBEAN filter e:\IMail\Declude\Filters\TLD-Caribbean.txt x 3 0
TLD-CENTRALAMERICAN filter e:\IMail\Declude\Filters\TLD-CentralAmerican.txt x 3 0
TLD-EASTERNEUROPEAN filter e:\IMail\Declude\Filters\TLD-EasternEuropean.txt x 3 0
TLD-MIDDLEEASTERN filter e:\IMail\Declude\Filters\TLD-MiddleEastern.txt x 3 0
TLD-OCEANIC filter e:\IMail\Declude\Filters\TLD-Oceanic.txt x 3 0
TLD-SOUTHAMERICAN filter e:\IMail\Declude\Filters\TLD-SouthAmerican.txt x 3 0
TLD-WESTERNEUROPEAN filter e:\IMail\Declude\Filters\TLD-WesternEuropean.txt x 3 0
TLD-TRUSTED-HELO filter e:\IMail\Declude\Filters\TLD-Trusted-HELO.txt x 0 0
TLD-TRUSTED-MAILFROM filter e:\IMail\Declude\Filters\TLD-Trusted-MAILFROM.txt x 0 0
TLD-TRUSTED-REVDNS filter e:\IMail\Declude\Filters\TLD-Trusted-REVDNS.txt x 0 0
VIRUSBLK filter e:\IMail\Declude\filters\virusblk.txt x 50 0
WORDFILTER filter e:\IMail\Declude\filters\wordfilter.txt x 3 0
XHEADERS filter e:\IMail\Declude\filters\xheaders.txt x 0 0
Y!DIRECTED filter e:\IMail\Declude\filters\Y!Directed.txt x 11 0


#WHITELISTS
##################################################################################
WHITELIST AUTH
WHITELIST HABEAS
WHITELIST REVDNS .amazon.com
WHITELIST REVDNS .ebay.com
WHITELIST REVDNS .expedia.com


#IPR4
#################################################################################
BLACKHOLE-BRAZIL ip4r brazil.blackholes.us 127.0.0.2 3
BLACKHOLE-CHINA ip4r china.blackholes.us 127.0.0.2 3
BLACKHOLE-HONGKONG ip4r hongkong.blackholes.us 127.0.0.2 3
BLACKHOLE-JAPAN ip4r japan.blackholes.us 127.0.0.2 3
BLACKHOLE-KOREA ip4r korea.blackholes.us 127.0.0.2 3
BLACKHOLE-LEVEL3 ip4r level3.blackholes.us 127.0.0.2 3
BLACKHOLE-RR ip4r rr.blackholes.us 127.0.0.2 4
BLACKHOLE-RUSSIA ip4r russia.blackholes.us 127.0.0.2 3
BLACKHOLE-VERIO ip4r verio.blackholes.us 127.0.0.2 3
BLACKHOLE-XO ip4r xo.blackholes.us 127.0.0.2 3
BLITZEDALL ip4r opm.blitzed.org * 7 0
BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -20 0
CBL ip4r cbl.abuseat.org 127.0.0.2 4 0
DSBL ip4r list.dsbl.org * 5 0
EASYNET-DNSBL ip4r blackholes.easynet.nl 127.0.0.2 5 0
EASYNET-DYNA ip4r dynablock.easynet.nl 127.0.0.2 4 0
EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl 127.0.0.2 6 0
INTERSIL ip4r blackholes.intersil.net 127.0.0.2 4 0
NJABL ip4r dnsbl.njabl.org 127.0.0.2 5
ORDB ip4r relays.ordb.org * 5 0
SBL ip4r sbl.spamhaus.org 127.0.0.2 7 0
SBBL ip4r sbbl.they.com * 6 0
SORBS-DUL ip4r dnsbl.sorbs.net 127.0.0.10 6 0
SORBS-NOMAIL ip4r dnsbl.sorbs.net 127.0.0.12 5 0
SORBS-HTTP ip4r dnsbl.sorbs.net 127.0.0.2 5 0
SORBS-BLOCK ip4r dnsbl.sorbs.net 127.0.0.8 5 0
SORBS-MISC ip4r dnsbl.sorbs.net 127.0.0.4 5 0
SORBS-SMTP ip4r dnsbl.sorbs.net 127.0.0.5 5 0
SORBS-SOCKS ip4r dnsbl.sorbs.net 127.0.0.3 5 0
SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 1 0
SORBS-WEB ip4r dnsbl.sorbs.net 127.0.0.7 5 0
SORBS-ZOMBIE ip4r dnsbl.sorbs.net 127.0.0.9 5 0
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 9 0


#RHSBL
#################################################################################
DNSFRAUD        rhsbl   in.dnsbl.org                            127.0.0.3       10      0
DNSILLEGAL      rhsbl   in.dnsbl.org                            127.0.0.5       10      0
DSN             rhsbl   dsn.rfc-ignorant.org                    127.0.0.2       3       0
DNSPROMO        rhsbl   in.dnsbl.org                            127.0.0.4       10      0
EASYNET-DOMAINS rhsbl   spamdomains.blackholes.easynet.nl       127.0.0.2       5       0
MAILPOLICE-BULK rhsbl   bulk.rhs.mailpolice.com                 127.0.0.2       8       0
MAILPOLICE-PORN rhsbl   porn.rhs.mailpolice.com                 127.0.0.2       10      0
NOABUSE         rhsbl   abuse.rfc-ignorant.org                  127.0.0.4       2       0
NOPOSTMASTER    rhsbl   postmaster.rfc-ignorant.org             127.0.0.3       1       0
SORBS-BADCONF   rhsbl   dnsbl.sorbs.net                         127.0.0.11      3       0

#WEIGHT TESTS
#################################################################################
WEIGHT10        weight          x       x       10      0
WEIGHT15        weight          x       x       15      0
WEIGHT20        weight          x       x       20      0
WEIGHT24        weight          x       x       24      0
WEIGHT30        weight          x       x       30      0
WEIGHT35        weight          x       x       35      0
SPAM-VHIGH      weight          x       x       26      0

#WEIGHT RANGE TESTS
#################################################################################
SPAM-NONE       weightrange     x       x       0 4     0
SPAM-VLOW       weightrange     x       x       5 9     0
SPAM-LOW        weightrange     x       x       10 14   0
SPAM-MID        weightrange     x       x       15 19   0
SPAM-HIGH       weightrange     x       x       20 25   0

#OTHER TESTS
#################################################################################
BADHEADERS      badheaders              x       x       8       0
BASE64          base64                  x       x       4       0
BYPASSWHITELIST bypasswhitelist         35      2       0       0
CATCHALLMAILS   catchallmails           x       x       0       0
COMMENTS        comments                x       x       7       0
HELOBOGUS       helovalid               x       x       6       0
HEUR10          heuristics              10      x       3       0
IPNOTINMX       ipnotinmx               x       x       0       -3
MAILFROM        envfrom                 x       x       12      0
NOLEGITCONTENT  nolegitcontent          x       x       0       -5
NON_ENGLISH     nonenglish              x       x       1       0
PERCENT         percent                 x       x       10      0
REVDNS          revdnsexists            x       x       4       0
ROUTING         spamrouting             x       x       4       0
SNIFFER         external                nonzero "e:\Sniffer\sniffer2.exe xnk05x5vmipeaof7"    9       0
SPAMCHK         external                weight "e:\imail\declude\spamchk\spamchk.exe"
SPAMDOMAINS     spamdomains             e:\IMail\Declude\sd.txt         x       6       0
SPAMHEADERS     spamheaders             x       x       3       0
SUBJECTCHARS    subjectchars            60      x       3       0
SUBJECTSPACES   subjectspaces           15      x       3       0
#################################################################################

#OUTGOING ACTIONS
#================================================================================================ #
#DELETE
BADSENDERS DELETE
IPBLACKLIST DELETE
KILLLISTGEN DELETE
WEIGHT35 DELETE
#================================================================================================ #
#HOLD
WEIGHT30 HOLD
#================================================================================================ #
#SUBJECT
Spam-LOW SUBJECT [Possible Spam(low)]-
Spam-MID SUBJECT [Possible Spam(mid)]-
Spam-HIGH SUBJECT [Possible Spam(high)]-
Spam-VHIGH SUBJECT [Possible Spam(vhigh)]-
#================================================================================================ #
#WARNINGS IP4R
BLACKHOLE-BRAZIL WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
BLACKHOLE-CHINA WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
BLACKHOLE-HONGKONG WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
BLACKHOLE-JAPAN WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
BLACKHOLE-KOREA WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
BLACKHOLE-LEVEL3 WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
BLACKHOLE-RR WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
BLACKHOLE-RUSSIA WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
BLACKHOLE-VERIO WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
BLACKHOLE-XO WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
BLITZEDALL WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
BONDEDSENDER WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
CBL WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
DSBL WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
EASYNET-DNSBL WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
EASYNET-DYNA WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
EASYNET-PROXIES WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
INTERSIL WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
NJABL WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
ORDB WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
SBL WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
SBBL WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
SORBS-DUL WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
SORBS-NOMAIL WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
SORBS-HTTP WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
SORBS-BLOCK WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
SORBS-MISC WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
SORBS-SMTP WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
SORBS-SOCKS WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
SORBS-SPAM WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
SORBS-WEB WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
SORBS-ZOMBIE WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
SPAMCOP WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
#================================================================================================ #
#WARNINGS RHSBL
DNSFRAUD WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
DNSILLEGAL WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
DNSPROMO WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
EASYNET-DOMAINS WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
DSN WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
MAILPOLICE-BULK WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
MAILPOLICE-PORN WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
NOABUSE WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
NOPOSTMASTER WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
SORBS-BADCONF WARN X-Warning: [%TESTDOMAIN%] This message may be spam. %WARNING%
#################################################################################


#================================================================================================ #
#WARNINGS OTHER
XHEADERS                WARN  X-Note: [%TESTNAME%] %WARNING%




Date sent: Tue, 11 Nov 2003 17:06:27 -0600
To: [EMAIL PROTECTED]
From: Jonathan <[EMAIL PROTECTED]>
Subject: [Declude.JunkMail] Junkmail Tests and Configs
Send reply to: [EMAIL PROTECTED]



In an effort to clean up our junkmail configs, and only use valid
tests, we cleaned out our previous tests (old services that were dead
etc) and replaced them with the ones currently in the declude help
files.  Since then, we've been seeing complaints of increased
spam/etc.  Does anyone have some good configs they'd be willing to
share? Good RBLs to use/etc.  I'd really appreciate it, it's gettin
pretty bad here. :)

Jonathan




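The stacking and whitelist points raised at the top of this thread, worked through as an added example; it is not code from any poster or from Declude. It assumes the last two columns of a test line are the weight added when the test fails and when it does not, and the sample lines, the `GEO_GROUP` grouping and both scenarios are constructed.

```python
# Added example: a toy model of weighted scoring, not Declude's own code.
# Assumed layout: NAME type param1 param2 weight_if_failed [weight_if_not_failed]
# SAMPLE_CFG, GEO_GROUP and both scenarios are constructed for illustration.
SAMPLE_CFG = """\
BLACKHOLE-RUSSIA ip4r russia.blackholes.us 127.0.0.2 3
COUNTRY   filter country.txt x 3 0
FOREIGN   filter foreign.txt x 3 0
SPAMCOP   ip4r bl.spamcop.net 127.0.0.2 9 0
MAILFROM  envfrom x x 7 0
HELOBOGUS helovalid x x 4 0
IPNOTINMX ipnotinmx x x 0 -2
#REVDNS   revdnsexists x x 0 0
"""
GEO_GROUP = frozenset({"BLACKHOLE-RUSSIA", "COUNTRY", "FOREIGN"})  # one signal: origin
FAIL_AT = 10  # the fail threshold quoted in the reply


def parse_tests(text):
    """Return {NAME: (fail_weight, pass_weight)}; skips blanks and comments."""
    tests = {}
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if len(f) not in (5, 6):  # quoted 'external' lines are out of scope
            raise ValueError(f"unexpected field count: {line!r}")
        tests[f[0].upper()] = (int(f[4]), int(f[5]) if len(f) == 6 else 0)
    return tests


def score(tests, failed, group=frozenset(), whitelist_credit=0):
    """Total weight; failed tests in `group` count once (largest weight)."""
    failed = {n.upper() for n in failed}
    total, group_hit = 0, 0
    for name, (fail_w, pass_w) in tests.items():
        if name not in failed:
            total += pass_w
        elif name in group:
            group_hit = max(group_hit, fail_w)
        else:
            total += fail_w
    return total + group_hit - whitelist_credit


TESTS = parse_tests(SAMPLE_CFG)

# Legitimate Russian sender with a sloppy HELO: three origin tests stack.
legit = GEO_GROUP | {"HELOBOGUS", "IPNOTINMX"}
stacked = score(TESTS, legit)                   # 3+3+3+4 = 13, blocked
deduped = score(TESTS, legit, group=GEO_GROUP)  # 3+4 = 7, delivered

# Spam with forged reverse DNS: a -10 credit, unlike a whitelist, still blocks.
spam = {"SPAMCOP", "MAILFROM", "HELOBOGUS", "IPNOTINMX"}
credited = score(TESTS, spam, whitelist_credit=10)  # 9+7+4-10 = 10, blocked
```

Running the same `score` call over logged test results for known-good mail shows which overlapping tests push false positives past the fail threshold before any weights are changed.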