Title: Message
<ding!> And the results are in.  After grep'ing something like 5000 messages that triggered SpamHaus...
 
The SBL-XBL results are organized just as Matt predicted:
 
127.0.0.2 = SBL
127.0.0.4 = XBL which is practically CBL
127.0.0.6 = BOPM aka BLITZEDALL
 
So the visuals on the SpamHaus site are misleading.  There is no ".5" nor is there a ".3" that an alternate reading could easily assume.  Also, there is some difference between the SpamHaus query and the original CBL, but statistically speaking, there is no difference between the SpamHaus and BLITZEDALL query.
 
Because SpamHaus usually returns a query in short order, and you only have to make one query for 3 different dnsbls, I'm sticking with them.
 
Incidentally, I also found that for SBL, appending a DYNA, DUL, or DUHL to the name would fail to catch only 8 out of 2,000 messages, and all 8 scored high enough to be caught anyway; one might spend less resources by calling SBL a DYNA test and thus not making queries on all the hops in the message header (as per your JunkMail hop count configuration).
 
Sorry, I couldn't make a similar determination for XBL and BLITZEDALL.  Your mileage may vary!
 
I'm going to a configuration similar to the one in my last email (see below).
 
Andrew 8)
-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED]
Sent: Monday, April 12, 2004 10:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Combine BASE64 and REVDNS?

Andrew,

That's the first I heard about that zone including the Blitzed tests.  Their information is confusing as it appears on their site.  It may be that there is no 127.0.0.5 result and the dash means that the values lie between 4 and 6 or 2 and 6.  I believe that with just SBL and CBL data, they also listed it as 2-4, meaning 2 or 4 and not 2 through 4.  It might be that this means that SBL is 127.0.0.2, CBL/XBL is 127.0.0.4, and Blitzed is 127.0.0.6.  Please let me know the results of your findings after another day of monitoring and I'll likewise update my own tests.

Thanks,

Matt



Colbeck, Andrew wrote:
Good point, Matt.

I think I implemented this before SpamHaus had made some of their
description more explicit, or more likely, I was just obtuse.

My interpretation of their description had led me to believe that the
sbl-xbl.spamhaus.org domain was a "join" on the two dnsbl databases, **
which is wrong **, and I didn't want that anyway, because I wanted to score
the two results differently.

On going back to the website, I find that they have also incorporated
blitzed.opm.org which is also good news, and I'm sure counts in large part
to the success of my XBL-DYNA test; it also means that I was making 3 dnsbl
lookups where one would have sufficed!

To cover the XBL and BLITZED tests, they supply 3 different answers
(127.0.0.4, 127.0.0.5, 127.0.0.6) I haven't seen any documentation on what
information SpamHaus is conveying with these 3 values ... in 3 hours of
testing, I haven't had any hits that returned 127.0.0.5

The reason I was using BLITZEDALL is that a given IP address can appear with
multiple values, with each representing the kind of trojan/zombie for which
it tested positive.  But I only wanted to score once per test per IP.

Blah blah blah...

So that I can still score SBL as high as I prefer, and still score XBL
lower, I now have something like this:

SBL        ip4r    sbl-xbl.spamhaus.org        127.0.0.2    12    0
XBL        ip4r    sbl-xbl.spamhaus.org        *             8    0

Each hit will be counted by SBL and XBL, which still achieves SBL scoring
20, and XBL scoring only 8, but is misleading because when you get a hit on
XBL, it might not have been a zombie, but a SBL spammer.

So, that cuts 3 dnsbl lookups down to 1, but with some loss of accuracy in
why an IP is in XBL; that may be over-optimizing for some people.

Andrew 8)

-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED]] 
Sent: Monday, April 12, 2004 11:08 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Combine BASE64 and REVDNS?


Andrew,

You can save an extra lookup by using the combined address:

XBL        ip4r    sbl-xbl.spamhaus.org        127.0.0.4     8    0
SBL        ip4r    sbl-xbl.spamhaus.org        127.0.0.2    20    0

Declude will only do one lookup per unique address/DNSBL and then apply 
the result codes to all associated tests.  Both tests can return a hit 
for the same IP under this arrangement.

Note that the impact of this one change is fairly minor, but with a lot 
of minor changes, I have managed to get another half cup of juice out of 
my current server.

Matt




Colbeck, Andrew wrote:

  
Hey, Kevin.

I do get the usual web page when I go to the CBL homepage you listed.  I see
that the last update was March-30-2004 when they stated that they had
harvested out a lot of their old records.

I stopped using CBL on Jan-05-2004, though, because the SpamHaus XBL is a
superset of CBL, e.g.:

XBL-DYNA  ip4r  xbl.spamhaus.org  *  8  0

XBL-DYNA  WARN


Andrew 8)

-----Original Message-----
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]] 
Sent: Monday, April 12, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Combine BASE64 and REVDNS?


http://cbl.abuseat.org/lookup.cgi?ip=24.234.0.78


Is CBL still working??? When I try to go to http://cbl.abuseat.org/ I get a
page can not be displayed message/cannot find server error message????


Kevin Bilbee

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
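
An added example, not part of any message in the thread and not Declude's own code: a small Python model of the `ip4r` lines quoted above, showing one lookup feeding both tests and how the wildcard and explicit-code configurations score SBL, XBL and BOPM answers. The matching rule (`*` matches any answer), the resolver stub and the 192.0.2.x answers are assumptions constructed for illustration.

```python
import ipaddress

# Return codes of sbl-xbl.spamhaus.org as reported at the top of the thread.
CODES = {"127.0.0.2": "SBL", "127.0.0.4": "XBL", "127.0.0.6": "BOPM"}

# The two configurations quoted in the thread.
WILDCARD = """
SBL        ip4r    sbl-xbl.spamhaus.org        127.0.0.2    12    0
XBL        ip4r    sbl-xbl.spamhaus.org        *             8    0
"""
EXPLICIT = """
XBL        ip4r    sbl-xbl.spamhaus.org        127.0.0.4     8    0
SBL        ip4r    sbl-xbl.spamhaus.org        127.0.0.2    20    0
"""

# Constructed answers for documentation addresses (192.0.2.0/24); no real DNS is used.
FAKE_DNS = {
    "10.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.2"],
    "20.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.4"],
    "30.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.6"],
}

def query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone, as a DNSBL lookup does."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def parse_tests(config):
    """Read lines shaped like NAME ip4r ZONE CODE WEIGHT 0 (last column is ignored here)."""
    rows = (line.split() for line in config.strip().splitlines())
    return [(r[0], r[2], r[3], int(r[4])) for r in rows if r[1] == "ip4r"]

def score(ip, config, resolver=lambda q: FAKE_DNS.get(q, [])):
    """One lookup per unique query name; the answers are applied to every test."""
    cache, hits = {}, []
    for name, zone, code, weight in parse_tests(config):
        qname = query_name(ip, zone)
        if qname not in cache:
            cache[qname] = set(resolver(qname))
        if (code == "*" and cache[qname]) or code in cache[qname]:
            hits.append((name, weight))
    lists = sorted(CODES.get(a, a) for answers in cache.values() for a in answers)
    return {"hits": hits, "weight": sum(w for _, w in hits),
            "lookups": len(cache), "lists": lists}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, score(ip, WILDCARD)["weight"], score(ip, EXPLICIT)["weight"])
```

In this model an answer of 127.0.0.6 scores 8 under the wildcard lines and 0 under the explicit lines, so the explicit form needs its own line for that code if BOPM hits should count.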
