|
Scott,

I don't think the results that you found are that bad actually. Just because something is over your hold weight doesn't mean adding more points isn't valuable. I split my held messages into a range of 10-24 and another that is 25+. I've managed to get about 97% to 98% of the spam to score at 25+ where false positives are very, very rare, and therefore I don't bother monitoring this range. The double hits with MailPolice-Porn and Bulk are a good way to really cremate E-mail with points.

I unfortunately found out today that dynamic.rhs.mailpolice.com isn't as clean as I would like for it to be. I've come across the following false positive this morning, though of course there may have been more that still passed that I'm not aware of.

mta4.rcsntx.swbell.net [151.164.30.28]

I have temporarily removed the REVDNS test, and dropped the weight of the HELO test to just 2 points. I think what I am probably going to do here is create my own reverse DNS test. I'll do this by making nominations from my spam capture Hold account and look for things that didn't fail a DUL list. I may make an external test to handle reverse DNS entries as the HELO considering that DNS is limited to just one wildcard representing a full sub-domain and not any partial matches.

I score DUL hits very high and can't tolerate problems like the above (I score DUL hits in a single filter as a combo test with one score no matter how many lists a hit appears in). The above false positive tripped both the REVDNS and the HELO tests, and it came in at 21 points which is pretty high for a false positive personal E-mail on my system.

Matt

Scott Fisher wrote:

Looking at yesterday's numbers: About 2200 mails after I added the new MailPolice tests.

I had 363 matches on the MailPolice-REVDNS. 362 spam, 1 not spam. The bad news is that all 362 were already over my hold weight.

I had 281 matches on the MailPolice-HELO. 281 spam.

All 281 MailPolice-HELOs also matched on the MailPolice-REVDNS.

Out of the 281 matches on the MailPolice-HELO, 24 were also matched on MailPolice-Bulk.
Out of the 281 matches on the MailPolice-HELO, 1 was also matched on MailPolice-Porn.
Out of the 363 matches on the MailPolice-REVDNS, 27 were also matched on MailPolice-Bulk.
Out of the 363 matches on the MailPolice-REVDNS, 2 were also matched on MailPolice-Porn.

Scott Fisher
Director of IT
Farm Progress Companies

[EMAIL PROTECTED] 05/13/04 05:34PM >>>

Here's a working config for MailPolice's dynamic test (PPP/DSL/cable) that tests both the reverse DNS entry and the HELO entry (zombie spamware often uses the reverse DNS entry for the HELO).

MAILPOLICE-DYNA-REVDNS dnsbl %REVDNS%.dynamic.rhs.mailpolice.com 127.0.0.2 0 0
MAILPOLICE-DYNA-HELO dnsbl %HELO%.dynamic.rhs.mailpolice.com 127.0.0.2 0 0

I have verified that this works. My only concern is what MailPolice considers appropriate for the DSL and Cable entries. Nevertheless, if their list sucks, it shouldn't be that hard to create our own....

It also appears that it may be a good idea to start pumping a zone full of what might have been filtered with custom filters before for both simplicity, and for efficiency. There are also other RHSBL tests out there appropriate for the other technique shown earlier, and there are some interesting ones at MailPolice that could come in handy such as their Web-mail test which in combination with another filter like CMDSPACE, XBL, etc., could come in handy.

Matt

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
|
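
The thread's point that a DNS zone can only wildcard a whole sub-domain, which is why an external reverse DNS test is being considered, can be seen in the following added example (not code from the thread, MailPolice or Declude). The zone entries, regex patterns, mail-host exemption and all function names are constructed assumptions; only the zone name, the 127.0.0.2 answer and the swbell.net host come from the messages above.

```python
import re

RHSBL_ZONE = "dynamic.rhs.mailpolice.com"  # zone named in the config above

def rhsbl_query(name, zone=RHSBL_ZONE):
    """Name a %REVDNS%/%HELO% dnsbl test looks up (listed if it answers 127.0.0.2)."""
    return f"{name.rstrip('.').lower()}.{zone}"

# Constructed zone contents: a zone holds exact names or "*.<parent>" wildcards only.
ZONE_ENTRIES = {"*.dsl.example.net", "*.cable.example.org"}

def zone_lists(name, entries=ZONE_ENTRIES):
    """Simplified wildcard lookup: exact entry, or '*.' over any ancestor domain."""
    labels = name.rstrip(".").lower().split(".")
    if ".".join(labels) in entries:
        return True
    return any("*." + ".".join(labels[i:]) in entries for i in range(1, len(labels)))

# Constructed patterns for a local test: partial-label matches no wildcard can express.
DYNAMIC_PATTERNS = [
    re.compile(r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}"),             # IP embedded in name
    re.compile(r"(^|[-.])(adsl|dsl|ppp|dialup|cable|dhcp|pool)[-.\d]"),  # access-type token
]
# Hypothetical exemption so hosts named like mail relays are never scored as dynamic.
MAIL_HOST = re.compile(r"^(mta|mail|smtp|mx|relay)\d*\.")

def local_dynamic_test(name):
    """Regex-based check an external test could run on the reverse DNS or HELO name."""
    name = name.rstrip(".").lower()
    if MAIL_HOST.match(name):
        return False
    return any(p.search(name) for p in DYNAMIC_PATTERNS)

def evaluate(revdns, helo):
    """Return which of the two names each approach flags."""
    return {
        "zone": [n for n in (revdns, helo) if zone_lists(n)],
        "local": [n for n in (revdns, helo) if local_dynamic_test(n)],
    }
```
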
