Andrew,
Thanks for the stats.
Regarding last hop checking of SBL (and other static source tests), for
servers with multiple domains where messages may be forwarded through
another server, scanning on multiple hops does help a great deal. You
are right though that SBL spammers are likely to be direct sources
rather than relay sources.
Something that you might also want to consider before turning this into
a last hop only test is the fact that most spam comes from a single hop
anyway. So if you limit SBL and other static spam source tests to only
the last hop, you are only saving those extra hops on probably about
1/3 of your E-mail volume (dependent on how much legit traffic you get
since legit traffic is typically two hops). Out of that 1/3 that is
left over, probably about half of those lookups are cached locally on
your DNS server from past queries.
Matt
Colbeck, Andrew wrote:
<ding!>
And the results are in. After grep'ing something like 5000 messages
that triggered SpamHaus...
The SBL-XBL results are organized just as Matt predicted:
127.0.0.2 = SBL
127.0.0.4 = XBL which is practically CBL
127.0.0.6 = BOPM aka BLITZEDALL
So the visuals on the SpamHaus site are misleading. There is no ".5" nor
is there a ".3" that an alternate reading could easily assume. Also,
there is some difference between the SpamHaus query and the original
CBL, but statistically speaking, there is no difference between the
SpamHaus and BLITZEDALL query.
Because SpamHaus usually returns a query in short order, and you only have to
make one query for 3 different dnsbls, I'm sticking with them.
Incidentally, I also found that for SBL, appending a DYNA, DUL, or DUHL to the name
would fail to catch only 8 out of 2,000 messages, and all 8
scored high enough to be caught anyway; one might spend less resources
by calling SBL a DYNA test and thus not making queries on all the hops
in the message header (as per your JunkMail hop count configuration).
Sorry, I couldn't make a similar determination for XBL and BLITZEDALL. Your
mileage may vary!
I'm going to a configuration similar to the one in my last email (see
below).
Andrew
8)
Andrew,
That's the first I heard about that zone including the Blitzed tests.
Their information is confusing as it appears on their site. It may be
that there is no 127.0.0.5 result and the dash means that the values
lie between 4 and 6 or 2 and 6. I believe that with just SBL and CBL
data, they also listed it as 2-4, meaning 2 or 4 and not 2 through 4.
It might be that this means that SBL is 127.0.0.2, CBL/XBL is
127.0.0.4, and Blitzed is 127.0.0.6. Please let me know the results of
your findings after another day of monitoring and I'll likewise update
my own tests.
Thanks,
Matt
Colbeck, Andrew wrote:
Good point, Matt.
I think I implemented this before SpamHaus had made some of their
description more explicit, or more likely, I was just obtuse.
My interpretation of their description had led me to believe that the
sbl-xbl.spamhaus.org domain was a "join" on the two dnsbl databases, **
which is wrong **, and I didn't want that anyway, because I wanted to score
the two results differently.
On going back to the website, I find that they have also incorporated
blitzed.opm.org which is also good news, and I'm sure counts in large part
to the success of my XBL-DYNA test; it also means that I was making 3 dnsbl
lookups where one would have sufficed!
To cover the XBL and BLITZED tests, they supply 3 different answers
(127.0.0.4, 127.0.0.5, 127.0.0.6) I haven't seen any documentation on what
information SpamHaus is conveying with these 3 values ... in 3 hours of
testing, I haven't had any hits that returned 127.0.0.5
The reason I was using BLITZEDALL is that a given IP address can appear with
multiple values, with each representing the kind of trojan/zombie for which
it tested positive. But I only wanted to score once per test per IP.
Blah blah blah...
So that I can still score SBL as high as I prefer, and still score XBL
lower, I now have something like this:
SBL ip4r sbl-xbl.spamhaus.org 127.0.0.2 12 0
XBL ip4r sbl-xbl.spamhaus.org * 8 0
Each hit will be counted by SBL and XBL, which still achieves SBL scoring
20, and XBL scoring only 8, but is misleading because when you get a hit on
XBL, it might not have been a zombie, but a SBL spammer.
So, that cuts 3 dnsbl lookups down to 1, but with some loss of accuracy in
why an IP is in XBL; that may be over-optimizing for some people.
Andrew 8)
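An added example, not Declude's code or anything posted in this thread: it models how the two ip4r lines above score an answer from the combined sbl-xbl.spamhaus.org zone, using the return codes reported in the thread and doing one lookup per zone as Matt describes. The in-memory lookup table, the 192.0.2.x addresses and the function names are constructed for the example.

```python
"""Score a sender IP against Declude-style ip4r rules on the combined zone (offline model)."""
import ipaddress

# Return codes as reported in the thread (no 127.0.0.3 or 127.0.0.5 was ever seen).
SBL_XBL_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.4": "XBL (CBL data)",
    "127.0.0.6": "XBL (Blitzed OPM data)",
}

# Andrew's final configuration: NAME TYPE ZONE EXPECTED WEIGHT ('*' matches any answer).
RULES = [
    ("SBL", "ip4r", "sbl-xbl.spamhaus.org", "127.0.0.2", 12),
    ("XBL", "ip4r", "sbl-xbl.spamhaus.org", "*", 8),
]

# Constructed table standing in for live DNS; 192.0.2.x are documentation addresses.
FAKE_DNS = {
    "1.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.2",   # listed in SBL
    "2.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",   # listed via CBL data
    "3.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.6",   # listed via Blitzed OPM data
}

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL lookup resolves, e.g. 78.0.234.24.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def lookup(ip: str, zone: str, resolver=FAKE_DNS):
    """Return the A-record answer for ip in zone, or None when not listed (NXDOMAIN)."""
    return resolver.get(dnsbl_query_name(ip, zone))

def score(ip: str, rules=RULES, resolver=FAKE_DNS):
    """One lookup per unique ip/zone, then apply that answer to every rule on the zone.

    Returns (total_weight, names_of_rules_that_hit, number_of_lookups_made).
    """
    answers = {}
    total, hits = 0, []
    for name, kind, zone, expected, weight in rules:
        if kind != "ip4r":
            continue
        if zone not in answers:            # cache: SBL and XBL share a single query
            answers[zone] = lookup(ip, zone, resolver)
        ans = answers[zone]
        if ans is not None and (expected == "*" or expected == ans):
            total += weight
            hits.append(name)
    return total, hits, len(answers)
```

With this configuration an SBL-listed source trips both rules for 20 points while a CBL or Blitzed listing trips only XBL for 8, and either way the zone is queried exactly once.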
-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 12, 2004 11:08 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Combine BASE64 and REVDNS?
Andrew,
You can save an extra lookup by using the combined address:
XBL ip4r sbl-xbl.spamhaus.org 127.0.0.4 8 0
SBL ip4r sbl-xbl.spamhaus.org 127.0.0.2 20 0
Declude will only do one lookup per unique address/DNSBL and then apply
the result codes to all associated tests. Both tests can return a hit
for the same IP under this arrangement.
Note that the impact of this one change is fairly minor, but with a lot
of minor changes, I have managed to get another half cup of juice out of
my current server.
Matt
Colbeck, Andrew wrote:
Hey, Kevin.
I do get the usual web page when I go to the CBL homepage you listed. I see
that the last update was March-30-2004 when they stated that they had
harvested out a lot of their old records.
I stopped using CBL on Jan-05-2004, though, because the SpamHaus XBL is a
superset of CBL, e.g.:
XBL-DYNA ip4r xbl.spamhaus.org * 8 0
XBL-DYNA WARN
Andrew 8)
-----Original Message-----
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 12, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Combine BASE64 and REVDNS?
http://cbl.abuseat.org/lookup.cgi?ip=24.234.0.78
Is CBL still working??? When I try to go to http://cbl.abuseat.org/ I get a
"page cannot be displayed" message/cannot find server error message????
Kevin Bilbee
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================