I fail on a weight of 10, only score the last hop, and use the following (see notes below, config updated yesterday for new weights and tests):

BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -5 0

AHBL-RELAYS ip4r dnsbl.ahbl.org 127.0.0.2 4 0
AHBL-PROXIES ip4r dnsbl.ahbl.org 127.0.0.3 4 0
AHBL-SOURCES ip4r dnsbl.ahbl.org 127.0.0.4 5 0
AHBL-PROVISIONAL ip4r dnsbl.ahbl.org 127.0.0.5 4 0
AHBL-FORMMAIL ip4r dnsbl.ahbl.org 127.0.0.6 4 0
AHBL-DUL ip4r dnsbl.ahbl.org 127.0.0.9 2 0
BLITZEDALL ip4r opm.blitzed.org * 7 0
BOGUSMX rhsbl bogusmx.rfc-ignorant.org 127.0.0.8 5 0
DSBL ip4r list.dsbl.org 127.0.0.2 7 0
DSBLMULTI ip4r multihop.dsbl.org 127.0.0.2 5 0
DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 1 0
FIVETEN-SPAM ip4r blackholes.five-ten-sg.com 127.0.0.2 3 0
FIVETEN-BULK ip4r blackholes.five-ten-sg.com 127.0.0.4 3 0
FIVETEN-MULTISTAGE ip4r blackholes.five-ten-sg.com 127.0.0.5 4 0
FIVETEN-SPAMSUPPORT ip4r blackholes.five-ten-sg.com 127.0.0.7 4 0
FIVETEN-MISC ip4r blackholes.five-ten-sg.com 127.0.0.9 4 0
MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 8 0
MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 8 0
NJABL-DYNABLOCK ip4r dynablock.njabl.org 127.0.0.3 4 0
NJABL-RELAYS ip4r dnsbl.njabl.org 127.0.0.2 4 0
NJABL-DUL ip4r dnsbl.njabl.org 127.0.0.3 2 0
NJABL-SOURCES ip4r dnsbl.njabl.org 127.0.0.4 7 0
NJABL-MULTI ip4r dnsbl.njabl.org 127.0.0.5 5 0
NJABL-FORMMAIL ip4r dnsbl.njabl.org 127.0.0.8 8 0
NJABL-PROXIES ip4r dnsbl.njabl.org 127.0.0.9 8 0
NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 1 0
NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 1 0
ORDB ip4r relays.ordb.org * 7 0
SBBL ip4r sbbl.they.com 127.0.0.2 4 0
SBL ip4r sbl.spamhaus.org 127.0.0.2 28 0
SOLID ip4r dnsbl.solid.net 127.0.0.2 5 0
SORBS-DUL ip4r dnsbl.sorbs.net 127.0.0.10 3 0
SORBS-HTTP ip4r dnsbl.sorbs.net 127.0.0.2 6 0
SORBS-MISC ip4r dnsbl.sorbs.net 127.0.0.4 6 0
SORBS-SOCKS ip4r dnsbl.sorbs.net 127.0.0.3 6 0
SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 4 0
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 8 0
XBL ip4r xbl.spamhaus.org 127.0.0.2 8 0


I dropped AHBL-EXEMPT, a whitelist, because it tended to have ISP mail servers in it, and I definitely get a noticeable amount of spam from ISP mail servers and don't need to be giving them credit unless there is a problem. BONDEDSENDER was dropped to 1/10th of my original weight after I learned that they don't really have the best standards for listing companies; for instance, a mailing list/group site doesn't have to do confirmed memberships, which has been a fairly common issue with abuse, and spam houses that lead a double life can still have certain IPs included as long as those IPs don't spam. In dropping them from 50 to 5, I haven't seen any FPs result, and I'm looking to remove them from my configuration as the next change because I don't want to support something that is membership-based in this sense (members have to pay for inclusion and post a small bond). I highly doubt they let in a measurable amount of spam, but I got very concerned when I saw Topica listed in both Spamhaus and Bonded Sender, and figured out that Spamhaus was correct because Topica leads a double life as a spam house, tpca.net for instance:

http://www.senderbase.org/search?searchString=66.180.244.0%2F25

FIVETEN-SPAM, FIVETEN-BULK and SORBS-SPAM all have very common issues with false positives on ad-related content and even some mail servers. I'm monitoring closely for an opportunity to drop these test scores further or even altogether. Some of these have also cheated by adding in all of China to their blacklists. Essentially, the higher the score, the more reliable the test is. MAILPOLICE and SPAMCOP are at 80% of my hold weight, and they are seen as unreliable; however, they score a ton of traffic and don't tend to FP on stuff that is listed in other places. I would be more comfortable dropping them another point, but am still studying that move.

Note that this is only one piece of the puzzle, as I get a lot of traction out of both Declude's built-in tests and custom filters.

Matt





Greg Foulks wrote:

I see that the Global config file on Declude's website has an updated list of IP4 tests and that the IP4 website also has a long list of IP4 tests.

My question... what are some of your IP4 tests that you use that you find to be very effective?

Thanks,
Greg
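
An added example, not part of the original post and not Declude's own code: a sketch of how weighted DNSBL scoring of the kind described in the reply works, using six lines from the posted configuration. It assumes the six fields are test name, test type, zone, expected answer, weight on a hit and weight on a miss; the IP addresses, the domain and the DNS answers are constructed so the code runs offline.

```python
import ipaddress

HOLD_WEIGHT = 10  # the post fails a message at a total weight of 10

# Six lines copied from the configuration in the post.
CONFIG = """\
BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -5 0
SORBS-DUL ip4r dnsbl.sorbs.net 127.0.0.10 3 0
SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 4 0
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 8 0
ORDB ip4r relays.ordb.org * 7 0
BOGUSMX rhsbl bogusmx.rfc-ignorant.org 127.0.0.8 5 0
"""

# Constructed DNS answers (documentation addresses), so this runs offline.
ANSWERS = {
    "25.2.0.192.dnsbl.sorbs.net": {"127.0.0.6", "127.0.0.10"},
    "25.2.0.192.bl.spamcop.net": {"127.0.0.2"},
    "80.2.0.192.query.bondedsender.org": {"127.0.0.10"},
    "80.2.0.192.bl.spamcop.net": {"127.0.0.2"},
}

def parse_tests(text):
    """Assumed field order: name, type, zone, expected answer, hit weight, miss weight."""
    tests = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6:
            tests.append((*fields[:4], int(fields[4]), int(fields[5])))
    return tests

def query_name(kind, zone, ip, domain):
    """ip4r tests look up the reversed IPv4 octets; rhsbl tests look up the domain."""
    if kind == "ip4r":
        octets = str(ipaddress.IPv4Address(ip)).split(".")
        return ".".join(reversed(octets)) + "." + zone
    return domain + "." + zone

def score(ip, domain, tests=None, lookup=lambda q: ANSWERS.get(q, set())):
    """Return (total weight, names of tests that hit, held?) for the last hop."""
    total, hits = 0, []
    for name, kind, zone, expect, hit, miss in tests or parse_tests(CONFIG):
        answers = lookup(query_name(kind, zone, ip, domain))
        if answers and (expect == "*" or expect in answers):
            total += hit
            hits.append(name)
        else:
            total += miss
    return total, hits, total >= HOLD_WEIGHT

if __name__ == "__main__":
    print(score("192.0.2.25", "example.net"))  # listed by SORBS and SpamCop
    print(score("192.0.2.80", "example.net"))  # SpamCop hit offset by BONDEDSENDER
```

In the second constructed case the negative BONDEDSENDER weight offsets part of the SPAMCOP hit, which is why the size of a whitelist credit matters as much as the blacklist weights.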


