Scott,

It turns out that the DYNA trick wasn't the best method.  Declude will skip any IP4R test with DUL/DYNA/DUHL in the name whenever it comes across an E-mail that has a local Mail From domain, which zombie spammers will often forge.  That was a good idea before Declude 1.76 introduced the ability to WHITELIST AUTH with IMail 8.x in the event that you couldn't whitelist your users by IP.

The good news is that there is a workaround using "dnsbl" tests with variables which allows you to bypass Declude's behavior.  This will definitely improve your hit rate, especially on forging zombie spam coming from DUL IP space.  There was a discussion about this about 3 weeks ago on the list if you are curious about the extended version of the explanation.  Here's my updated config for these things showing public blacklists so that you can see how it's done:


# DNSBL Tests
MAILPOLICE-HELO/DRES    dnsbl    %HELO%.dynamic.rhs.mailpolice.com    127.0.0.2    2    0
NJABL-HELO/DRES-B    dnsbl    %HELO%.dynablock.njabl.org        127.0.0.3    8    0


# RHSBL Tests (lookup of E-mail domain)
MAILPOLICE-BULK        rhsbl    bulk.rhs.mailpolice.com            127.0.0.2    6    0
MAILPOLICE-PORN        rhsbl    porn.rhs.mailpolice.com            127.0.0.2    6    0
MPBL-RHSBL        rhsbl    mpbl.mailpure.org            127.0.0.10    15    0
RFC-BOGUSMX        rhsbl    bogusmx.rfc-ignorant.org        127.0.0.8    1    0
RFC-DSN            rhsbl    dsn.rfc-ignorant.org            127.0.0.2    1    0
RFC-NOABUSE        rhsbl    abuse.rfc-ignorant.org            127.0.0.4    1    0
RFC-NOPOSTMASTER    rhsbl    postmaster.rfc-ignorant.org        127.0.0.3    1    0
SORBS-BADCONF        rhsbl    rhsbl.sorbs.net                127.0.0.11    3    0


# DUL Lists (last hop only)
MAILPOLICE-REV/DYN    dnsbl    %REVDNS%.dynamic.rhs.mailpolice.com    127.0.0.2    0    0
DNSRBL-DYN        dnsbl    %IP4R%.dun.dnsrbl.net            127.0.0.3    0    0
NJABL-DYN-A        dnsbl    %IP4R%.dnsbl.njabl.org            127.0.0.3    0    0
NJABL-DYN-B        dnsbl    %IP4R%.dynablock.njabl.org        127.0.0.3    0    0
SORBS-DYN        dnsbl    %IP4R%.dnsbl.sorbs.net            127.0.0.10    0    0


# Relay Lists (staggered scoring per hop)
AHBL-PROXIES(LAST)    dnsbl    %IP4R%.dnsbl.ahbl.org            127.0.0.3    3    0
AHBL-PROXIES(ALL)    ip4r    dnsbl.ahbl.org                127.0.0.3    1    0
BLITZEDALL(LAST)    dnsbl    %IP4R%.sbl-xbl.spamhaus.org        127.0.0.6    5    0
BLITZEDALL(ALL)        ip4r    sbl-xbl.spamhaus.org            127.0.0.6    2    0
DSBL(LAST)        dnsbl    %IP4R%.list.dsbl.org            127.0.0.2    5    0
DSBL(ALL)        ip4r    list.dsbl.org                127.0.0.2    2    0
FIVETEN-MISC(LAST)    dnsbl    %IP4R%.blackholes.five-ten-sg.com    127.0.0.9    3    0
FIVETEN-MISC(ALL)    ip4r    blackholes.five-ten-sg.com        127.0.0.9    1    0
FIVETEN-MULTI(LAST)    dnsbl    %IP4R%.blackholes.five-ten-sg.com    127.0.0.5    3    0
FIVETEN-MULTI(ALL)    ip4r    blackholes.five-ten-sg.com        127.0.0.5    1    0
NJABL-RELAYS(LAST)    dnsbl    %IP4R%.dnsbl.njabl.org            127.0.0.2    3    0
NJABL-RELAYS(ALL)    ip4r    dnsbl.njabl.org                127.0.0.2    1    0
ORDB(LAST)        dnsbl    %IP4R%.relays.ordb.org            *        5    0
ORDB(ALL)        ip4r    relays.ordb.org                *        2    0
SORBS-HTTP(LAST)    dnsbl    %IP4R%.dnsbl.sorbs.net            127.0.0.2    4    0
SORBS-HTTP(ALL)        ip4r    dnsbl.sorbs.net                127.0.0.2    2    0
SORBS-MISC(LAST)    dnsbl    %IP4R%.dnsbl.sorbs.net            127.0.0.4    4    0
SORBS-MISC(ALL)        ip4r    dnsbl.sorbs.net                127.0.0.4    2    0
SORBS-SMTP(LAST)    dnsbl    %IP4R%.dnsbl.sorbs.net            127.0.0.5    4    0
SORBS-SMTP(ALL)        ip4r    dnsbl.sorbs.net                127.0.0.5    2    0
SORBS-SOCKS(LAST)    dnsbl    %IP4R%.dnsbl.sorbs.net            127.0.0.3    4    0
SORBS-SOCKS(ALL)    ip4r    dnsbl.sorbs.net                127.0.0.3    2    0
NJABL-PROXIES(LAST)    dnsbl    %IP4R%.dnsbl.njabl.org            127.0.0.9    6    0
NJABL-PROXIES(ALL)    ip4r    dnsbl.njabl.org                127.0.0.9    2    0
NJABL-MULTI(LAST)    dnsbl    %IP4R%.dnsbl.njabl.org            127.0.0.5    3    0
NJABL-MULTI(ALL)    ip4r    dnsbl.njabl.org                127.0.0.5    1    0


# Spam Traps (staggered scoring per hop)
SPAMCOP(LAST)        dnsbl    %IP4R%.bl.spamcop.net            127.0.0.2    4    0
SPAMCOP(ALL)        ip4r    bl.spamcop.net                127.0.0.2    2    0
XBL(LAST)        dnsbl    %IP4R%.sbl-xbl.spamhaus.org        127.0.0.4    6    0
XBL(ALL)        ip4r    sbl-xbl.spamhaus.org            127.0.0.4    2    0


# Direct Spam Sources (all hops)
AHBL-SOURCES        ip4r    dnsbl.ahbl.org                127.0.0.4    5    0
FIVETEN-BULK        ip4r    blackholes.five-ten-sg.com        127.0.0.4    1    0
FIVETEN-SPAM        ip4r    blackholes.five-ten-sg.com        127.0.0.2    1    0
FIVETEN-SUPPORT        ip4r    blackholes.five-ten-sg.com        127.0.0.7    1    0
NJABL-SOURCES        ip4r    dnsbl.njabl.org                127.0.0.4    7    0
SBL            ip4r    sbl-xbl.spamhaus.org            127.0.0.2    20    0
SORBS-FORMMAIL        ip4r    dnsbl.sorbs.net                127.0.0.7    7    0
SORBS-SPAM        ip4r    dnsbl.sorbs.net                127.0.0.6    1    0
SORBS-ZOMBIE        ip4r    dnsbl.sorbs.net                127.0.0.9    3    0
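An added worked example, not Declude's own code and not part of the original message, that models the behaviour the config above relies on: "ip4r" tests check every Received hop, "dnsbl" tests substitute %IP4R%/%HELO%/%REVDNS% into the zone name and query once (so %IP4R% gives last hop only), "rhsbl" tests look up the Mail From domain, and an ip4r test with DUL/DYNA/DUHL in its name is skipped when the Mail From domain is local. The column order (name, type, zone, result, weight if failed, weight if passed), the local domain, the hop addresses and the DNS answers are all constructed assumptions so that it runs offline.

```python
"""Model of how Declude-style DNSBL tests are evaluated (added example).

This is an illustration, not Declude's own code.  It emulates the behaviour
the message above describes: ip4r tests query every Received hop, dnsbl
tests substitute %IP4R%/%HELO%/%REVDNS% into the zone and query once (so
%IP4R% means last hop only), rhsbl tests query the Mail From domain, and an
ip4r test whose name contains DUL/DYNA/DUHL is skipped when the Mail From
domain is local.  DNS answers come from a constructed dictionary.
"""
import ipaddress
import re

# Constructed answers standing in for real blacklist lookups (assumption:
# the documentation-range addresses below are "listed" only in this model).
FAKE_DNS = {
    "23.100.51.198.dnsbl.sorbs.net": ["127.0.0.10"],       # last hop: dynamic
    "9.113.0.203.relays.ordb.org": ["127.0.0.2"],          # earlier hop: open relay
    "dsl-pool.example.net.dynamic.rhs.mailpolice.com": ["127.0.0.2"],
    "elsewhere.example.dsn.rfc-ignorant.org": ["127.0.0.2"],
}

LOCAL_DOMAINS = {"example.com"}          # constructed: domains this server hosts
SKIP_PATTERN = re.compile(r"DUL|DYNA|DUHL", re.I)


def ip4r(ip):
    """Reverse the octets of an IPv4 address: the %IP4R% form DNSBLs expect."""
    addr = ipaddress.IPv4Address(ip)     # rejects junk before it becomes a DNS query
    return ".".join(reversed(str(addr).split(".")))


def parse_test(line):
    """One test line: NAME TYPE ZONE RESULT WEIGHT_IF_FAILED WEIGHT_IF_PASSED."""
    name, kind, zone, result, w_fail, w_pass = line.split()
    return {"name": name, "type": kind.lower(), "zone": zone,
            "result": result, "fail": int(w_fail), "pass": int(w_pass)}


def listed(query, expected, resolver=FAKE_DNS.get):
    """True when the zone answers with the expected code ('*' = any answer)."""
    answers = resolver(query) or []
    return bool(answers) if expected == "*" else expected in answers


def evaluate(tests, msg):
    """Return {test name: weight added} for a message described by
    hops (last hop first), helo, revdns and mail_from."""
    sender_domain = msg["mail_from"].rpartition("@")[2].lower()
    local_sender = sender_domain in LOCAL_DOMAINS
    last_hop = msg["hops"][0]
    scores = {}
    for t in tests:
        kind = t["type"]
        if kind == "ip4r":
            if local_sender and SKIP_PATTERN.search(t["name"]):
                continue                 # the DUL/DYNA skip the message describes
            hit = any(listed(f"{ip4r(ip)}.{t['zone']}", t["result"])
                      for ip in msg["hops"])
        elif kind == "dnsbl":
            query = (t["zone"].replace("%IP4R%", ip4r(last_hop))
                              .replace("%HELO%", msg["helo"])
                              .replace("%REVDNS%", msg["revdns"]))
            hit = listed(query, t["result"])
        elif kind == "rhsbl":
            hit = listed(f"{sender_domain}.{t['zone']}", t["result"])
        else:
            raise ValueError(f"unknown test type {kind!r}")
        scores[t["name"]] = t["fail"] if hit else t["pass"]
    return scores


def total(scores):
    return sum(scores.values())


TESTS = [parse_test(line) for line in """
SORBS-DUL            ip4r   dnsbl.sorbs.net                    127.0.0.10  3  0
SORBS-DYN            dnsbl  %IP4R%.dnsbl.sorbs.net             127.0.0.10  3  0
ORDB(LAST)           dnsbl  %IP4R%.relays.ordb.org             *           5  0
ORDB(ALL)            ip4r   relays.ordb.org                    *           2  0
MAILPOLICE-HELO/DRES dnsbl  %HELO%.dynamic.rhs.mailpolice.com  127.0.0.2   2  0
RFC-DSN              rhsbl  dsn.rfc-ignorant.org               127.0.0.2   1  0
""".strip().splitlines()]

# Constructed message: a zombie on a dynamic line, relayed through an open
# relay, forging a Mail From in one of our own domains.
FORGED_LOCAL = {
    "hops": ["198.51.100.23", "203.0.113.9"],
    "helo": "dsl-pool.example.net",
    "revdns": "dsl-pool.example.net",
    "mail_from": "sales@example.com",
}

if __name__ == "__main__":
    for m in (FORGED_LOCAL, dict(FORGED_LOCAL, mail_from="bob@elsewhere.example")):
        s = evaluate(TESTS, m)
        print(m["mail_from"], s, "total", total(s))
```

Run as-is and the forged local sender scores 7: SORBS-DUL is skipped outright, while the equivalent dnsbl test with %IP4R% still catches the dynamic last hop, and ORDB(ALL) catches the open relay one hop back that ORDB(LAST) cannot see. Change the sender to an outside domain and the same message scores 11, because the ip4r DUL test now runs too.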


Scott Fisher wrote:
I'll post some filters and here are my favorite tests and why:

For reference:  I subject tag at 100, hold at 200 and delete at 300.

1.  SPAMCOP. Use IP number. It had a very impressive May with me. Caught 150,000 out of 170,000 spams, with only about 25 false hits. I weight at 90% of my tag weight. I also use the dyna/all tests so to help minimize on potential false positives.

SPAMCOP-DYNA		ip4r	bl.spamcop.net	127.0.0.2	60	0
SPAMCOP-ALL		ip4r	bl.spamcop.net	127.0.0.2	30	0

2.  Message Sniffer. Uses entire e-mail to detect spam.

I rate Message Sniffer at 90% of my tag weight except for greymail (code 60) that weighs in at 45%.  Good numbers here, with occasional false positives.

3.  Mailpolice. Works against domain names. Pretty good. I find about 1% false positives, so I'll run my combo filter against a mailpolice-whitelist to remove points.

MAILPOLICE-BULK		rhsbl	bulk.rhs.mailpolice.com			127.0.0.2	0	0
MAILPOLICE-HELO		dnsbl	%HELO%.dynamic.rhs.mailpolice.com	127.0.0.2	0	0
MAILPOLICE-REVDNS	dnsbl	%REVDNS%.dynamic.rhs.mailpolice.com	127.0.0.2	0	0
MAILPOLICE-PORN		rhsbl	porn.rhs.mailpolice.com			127.0.0.2	0	0

I then have a filter that assigns 60% to 72% of my tag weight:

MAILPOLICE-COMBO.txt
MAXWEIGHT 	72
TESTSFAILED	60	CONTAINS	MAILPOLICE-BULK
TESTSFAILED	60	CONTAINS	MAILPOLICE-HELO
TESTSFAILED	72	CONTAINS	MAILPOLICE-PORN
TESTSFAILED	60	CONTAINS	MAILPOLICE-REVDNS

4. Spamhaus SBL/XBL. A second IP test. I'll run Dyna/All tests on the CBL and Blitzedall data to minimize false positives. I'll also run some other relay tests so I don't have the XBL stuff weighted over the top. I get about .5% questionable hits on the SBL, and less on the XBL. The XBL is probably my second best test.

SPAMHAUS-SBL	ip4r    sbl-xbl.spamhaus.org		127.0.0.2	72	0
XBL-CBL-DYNA	ip4r    sbl-xbl.spamhaus.org		127.0.0.4	42	0
XBL-CBL-ALL	ip4r    sbl-xbl.spamhaus.org		127.0.0.4	18	0
XBL-BLITZEDALL-DYNA  ip4r    sbl-xbl.spamhaus.org	127.0.0.6	42	0
XBL-BLITZEDALL-ALL  ip4r    sbl-xbl.spamhaus.org		127.0.0.6	18	0

These 4 are my best performing hits, and they tend to rely on different aspects of the e-mail, which makes these tests excellent for some combination punishment filter tests.

5.  Punishment tests. Since the above tests can cover different.
COMBO-Sniffer-Spamcop.txt    (Sniffer-Combo is all results other than 60)
TESTSFAILED	END	NOTCONTAINS	SNIFFER-COMBO
TESTSFAILED	50	CONTAINS	SPAMCOP-DYNA

Combo-SBL-Sniffer.txt
TESTSFAILED	END	NOTCONTAINS	SNIFFER-COMBO
TESTSFAILED	50	CONTAINS	SPAMHAUS-SBL

Combo-MailPolice-Sniffer.txt
TESTSFAILED	END	CONTAINS	MAILPOLICE-WHITELIST
TESTSFAILED	END	NOTCONTAINS	SNIFFER-COMBO
TESTSFAILED	30	CONTAINS	MAILPOLICE-COMBO

Combo-Mailpolice-spamcop.txt
TESTSFAILED	END	CONTAINS	MAILPOLICE-WHITELIST
TESTSFAILED	END	NOTCONTAINS	SPAMCOP-DYNA
TESTSFAILED	20	CONTAINS	MAILPOLICE-COMBO

I also have combo tests for XBL. Mailpure's zombie test covers these.

Scott Fisher
Director of IT
Farm Progress Companies
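An added worked example of the "combination punishment" idea in Scott's filters above; it is not Declude's own code and not part of either message. It assumes the semantics the filters are written against: lines run top to bottom, a TESTSFAILED line matches when the named test is (CONTAINS) or is not (NOTCONTAINS) among the tests the message failed, a matching line whose action is END stops the filter (so a NOTCONTAINS/END line acts as a guard), a numeric action adds that weight, MAXWEIGHT caps the filter's total, and a filter that adds weight counts as a failed test for the filters evaluated after it. The failed-test sets are constructed.

```python
"""Model of Declude-style filter files used as combination punishment
tests (added example, not Declude's own code).

Assumed semantics, taken from how the filters above are written: lines run
top to bottom; a TESTSFAILED line matches when the named test is (CONTAINS)
or is not (NOTCONTAINS) among the tests the message failed; a matching
line whose action is END stops the filter, so a NOTCONTAINS/END line is a
guard; a numeric action adds that weight; MAXWEIGHT caps the filter's
total; a filter that adds weight then counts as a failed test for the
filters evaluated after it.  The failed-test sets below are constructed.
"""


def parse_filter(text):
    """Return (maxweight or None, [(action, op, test_name), ...])."""
    maxweight, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].upper() == "MAXWEIGHT":
            maxweight = int(parts[1])
            continue
        kind, action, op, value = parts[:4]
        if kind.upper() != "TESTSFAILED":
            raise ValueError(f"unsupported line: {line}")
        rules.append((action.upper(), op.upper(), value.upper()))
    return maxweight, rules


def run_filter(text, failed_tests):
    """Weight this filter adds, given the names of tests the message failed."""
    failed = {t.upper() for t in failed_tests}
    maxweight, rules = parse_filter(text)
    weight = 0
    for action, op, name in rules:
        if op == "CONTAINS":
            matched = name in failed
        elif op == "NOTCONTAINS":
            matched = name not in failed
        else:
            raise ValueError(f"unsupported operator {op}")
        if not matched:
            continue
        if action == "END":
            break                        # guard line: stop this filter here
        weight += int(action)
    return min(weight, maxweight) if maxweight is not None else weight


def score_message(test_weights, filters, tag=100, hold=200, delete=300):
    """Add base test weights and filter weights; return (total, per-filter, verdict)."""
    failed = {t.upper() for t in test_weights}
    total = sum(test_weights.values())
    detail = {}
    for name, text in filters:
        w = run_filter(text, failed)
        detail[name] = w
        if w > 0:
            failed.add(name.upper())     # lets later filters test on this one
            total += w
    verdict = ("delete" if total >= delete else "hold" if total >= hold
               else "tag" if total >= tag else "deliver")
    return total, detail, verdict


# The filters from Scott's message, as (name, file contents).
FILTERS = [
    ("MAILPOLICE-COMBO", """
        MAXWEIGHT   72
        TESTSFAILED 60  CONTAINS    MAILPOLICE-BULK
        TESTSFAILED 60  CONTAINS    MAILPOLICE-HELO
        TESTSFAILED 72  CONTAINS    MAILPOLICE-PORN
        TESTSFAILED 60  CONTAINS    MAILPOLICE-REVDNS
    """),
    ("COMBO-Sniffer-Spamcop", """
        TESTSFAILED END NOTCONTAINS SNIFFER-COMBO
        TESTSFAILED 50  CONTAINS    SPAMCOP-DYNA
    """),
    ("Combo-SBL-Sniffer", """
        TESTSFAILED END NOTCONTAINS SNIFFER-COMBO
        TESTSFAILED 50  CONTAINS    SPAMHAUS-SBL
    """),
    ("Combo-MailPolice-Sniffer", """
        TESTSFAILED END CONTAINS    MAILPOLICE-WHITELIST
        TESTSFAILED END NOTCONTAINS SNIFFER-COMBO
        TESTSFAILED 30  CONTAINS    MAILPOLICE-COMBO
    """),
    ("Combo-Mailpolice-spamcop", """
        TESTSFAILED END CONTAINS    MAILPOLICE-WHITELIST
        TESTSFAILED END NOTCONTAINS SPAMCOP-DYNA
        TESTSFAILED 20  CONTAINS    MAILPOLICE-COMBO
    """),
]

# Constructed: base tests a zombie spam failed, with Scott's weights
# (tag at 100, Sniffer and Spamcop at 90% of tag weight).
SPAM = {"SNIFFER-COMBO": 90, "SPAMCOP-DYNA": 60, "SPAMCOP-ALL": 30,
        "MAILPOLICE-BULK": 0, "MAILPOLICE-HELO": 0}

if __name__ == "__main__":
    print(score_message(SPAM, FILTERS))
```

With the constructed spam the two zero-weight Mailpolice hits become 72 through MAILPOLICE-COMBO (120 capped), and the combos add another 100 on top of the 180 from the base tests, so a message that two independent tests agree on is deleted. Drop Sniffer and every Sniffer guard ends its filter early, leaving 182 (tagged, not held); add MAILPOLICE-WHITELIST to the failed set and both Mailpolice combos are switched off, which is the false-positive relief Scott describes.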

  
[EMAIL PROTECTED] 06/04/04 02:35PM >>>
        
We've seen more and more junk getting through on our servers.  No doubt our 
config files are not up to date.
I've downloaded the latest patch with the included config files.

My question:  does everyone run them "stock" or are there particular 
configs / settings / etc., that people are
implementing to make Declude even more effective than it is out of the box?

Is there anywhere to download people's various configs (ie. a page where 
they are posted and shared) or could
someone either post what they think is key or make specific recommendations 
as to what to tweak?

Thanks

Chris 


---
[This E-mail scanned for viruses by Declude Virus]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
