I remember the discussion. I did some testing on the LAST for a week or so and I really didn't see much difference. That said, I'm not averse to trying it again. Maybe I'll look into it again.
Looking at your config, I do notice that the Dial Up tests are done in a last hop. That's a good idea that I'll probably change this weekend. I also run through the Fabel RBL as it is advertised as Latin American and Asian. It gets about 5% rate, with the DYNA variant almost always spam.

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 06/04/04 04:39PM >>>
Scott,

It turns out that the DYNA trick wasn't the best method. Declude will skip any IP4R test with DUL/DYNA/DUHL in the name whenever it comes across an E-mail that has a local Mail From domain, which zombie spammers will often forge. That was a good idea before Declude 1.76 introduced the ability to WHITELIST AUTH with IMail 8.x in the event that you couldn't whitelist your users by IP. The good news is that there is a workaround using "dnsbl" tests with variables which allows you to bypass Declude's behavior. This will definitely improve your hit rate, especially on forging zombie spam coming from DUL IP space. There was a discussion about this about 3 weeks ago on the list if you are curious about the extended version of the explanation.

Here's my updated config for these things showing public blacklists so that you can see how it's done:

# DNSBL Tests
MAILPOLICE-HELO/DRES dnsbl %HELO%.dynamic.rhs.mailpolice.com 127.0.0.2 2 0
NJABL-HELO/DRES-B dnsbl %HELO%.dynablock.njabl.org 127.0.0.3 8 0

# RHSBL Tests (lookup of E-mail domain)
MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 6 0
MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 6 0
MPBL-RHSBL rhsbl mpbl.mailpure.org 127.0.0.10 15 0
RFC-BOGUSMX rhsbl bogusmx.rfc-ignorant.org 127.0.0.8 1 0
RFC-DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 1 0
RFC-NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 1 0
RFC-NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 1 0
SORBS-BADCONF rhsbl rhsbl.sorbs.net 127.0.0.11 3 0

# DUL Lists (last hop only)
MAILPOLICE-REV/DYN dnsbl %REVDNS%.dynamic.rhs.mailpolice.com 127.0.0.2 0 0
DNSRBL-DYN dnsbl %IP4R%.dun.dnsrbl.net 127.0.0.3 0 0
NJABL-DYN-A dnsbl %IP4R%.dnsbl.njabl.org 127.0.0.3 0 0
NJABL-DYN-B dnsbl %IP4R%.dynablock.njabl.org 127.0.0.3 0 0
SORBS-DYN dnsbl %IP4R%.dnsbl.sorbs.net 127.0.0.10 0 0

# Relay Lists (staggered scoring per hop)
AHBL-PROXIES(LAST) dnsbl %IP4R%.dnsbl.ahbl.org 127.0.0.3 3 0
AHBL-PROXIES(ALL) ip4r dnsbl.ahbl.org 127.0.0.3 1 0
BLITZEDALL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.6 5 0
BLITZEDALL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.6 2 0
DSBL(LAST) dnsbl %IP4R%.list.dsbl.org 127.0.0.2 5 0
DSBL(ALL) ip4r list.dsbl.org 127.0.0.2 2 0
FIVETEN-MISC(LAST) dnsbl %IP4R%.blackholes.five-ten-sg.com 127.0.0.9 3 0
FIVETEN-MISC(ALL) ip4r blackholes.five-ten-sg.com 127.0.0.9 1 0
FIVETEN-MULTI(LAST) dnsbl %IP4R%.blackholes.five-ten-sg.com 127.0.0.5 3 0
FIVETEN-MULTI(ALL) ip4r blackholes.five-ten-sg.com 127.0.0.5 1 0
NJABL-RELAYS(LAST) dnsbl %IP4R%.dnsbl.njabl.org 127.0.0.2 3 0
NJABL-RELAYS(ALL) ip4r dnsbl.njabl.org 127.0.0.2 1 0
ORDB(LAST) dnsbl %IP4R%.relays.ordb.org * 5 0
ORDB(ALL) ip4r relays.ordb.org * 2 0
SORBS-HTTP(LAST) dnsbl %IP4R%.dnsbl.sorbs.net 127.0.0.2 4 0
SORBS-HTTP(ALL) ip4r dnsbl.sorbs.net 127.0.0.2 2 0
SORBS-MISC(LAST) dnsbl %IP4R%.dnsbl.sorbs.net 127.0.0.4 4 0
SORBS-MISC(ALL) ip4r dnsbl.sorbs.net 127.0.0.4 2 0
SORBS-SMTP(LAST) dnsbl %IP4R%.dnsbl.sorbs.net 127.0.0.5 4 0
SORBS-SMTP(ALL) ip4r dnsbl.sorbs.net 127.0.0.5 2 0
SORBS-SOCKS(LAST) dnsbl %IP4R%.dnsbl.sorbs.net 127.0.0.3 4 0
SORBS-SOCKS(ALL) ip4r dnsbl.sorbs.net 127.0.0.3 2 0
NJABL-PROXIES(LAST) dnsbl %IP4R%.dnsbl.njabl.org 127.0.0.9 6 0
NJABL-PROXIES(ALL) ip4r dnsbl.njabl.org 127.0.0.9 2 0
NJABL-MULTI(LAST) dnsbl %IP4R%.dnsbl.njabl.org 127.0.0.5 3 0
NJABL-MULTI(ALL) ip4r dnsbl.njabl.org 127.0.0.5 1 0

# Spam Traps (staggered scoring per hop)
SPAMCOP(LAST) dnsbl %IP4R%.bl.spamcop.net 127.0.0.2 4 0
SPAMCOP(ALL) ip4r bl.spamcop.net 127.0.0.2 2 0
XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0

# Direct Spam Sources (all hops)
AHBL-SOURCES ip4r dnsbl.ahbl.org 127.0.0.4 5 0
FIVETEN-BULK ip4r blackholes.five-ten-sg.com 127.0.0.4 1 0
FIVETEN-SPAM ip4r blackholes.five-ten-sg.com 127.0.0.2 1 0
FIVETEN-SUPPORT ip4r blackholes.five-ten-sg.com 127.0.0.7 1 0
NJABL-SOURCES ip4r dnsbl.njabl.org 127.0.0.4 7 0
SBL ip4r sbl-xbl.spamhaus.org 127.0.0.2 20 0
SORBS-FORMMAIL ip4r dnsbl.sorbs.net 127.0.0.7 7 0
SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 1 0
SORBS-ZOMBIE ip4r dnsbl.sorbs.net 127.0.0.9 3 0

Scott Fisher wrote:

>I'll post some filters and here are my favorite tests and why:
>
>For reference: I subject tag at 100, hold at 200 and delete at 300.
>
>1. SPAMCOP. Use IP number. It had a very impressive May with me. Caught 150,000 out
>of 170,000 spams, with only about 25 false hits. I weight at 90% of my tag weight. I
>also use the dyna/all tests so to help minimize on potential false positives.
>
>SPAMCOP-DYNA ip4r bl.spamcop.net 127.0.0.2 60 0
>SPAMCOP-ALL ip4r bl.spamcop.net 127.0.0.2 30 0
>
>2. Message Sniffer. Uses entire e-mail to detect spam.
>
>I rate Message Sniffer at 90% of my tag weight except for greymail (code 60) that
>weighs in at 45%. Good numbers here, with occasional false positives.
>
>3. Mailpolice. Works against domain names. Pretty good. I find about 1% false
>positives, so I'll run my combo filter against a mailpolice-whitelist to remove
>points.
>
>MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 0 0
>MAILPOLICE-HELO dnsbl %HELO%.dynamic.rhs.mailpolice.com 127.0.0.2 0 0
>MAILPOLICE-REVDNS dnsbl %REVDNS%.dynamic.rhs.mailpolice.com 127.0.0.2 0 0
>MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 0 0
>
>I then have a filter that assigns 60% to 72% of my tag weight:
>
>MAILPOLICE-COMBO.txt
>MAXWEIGHT 72
>TESTSFAILED 60 CONTAINS MAILPOLICE-BULK
>TESTSFAILED 60 CONTAINS MAILPOLICE-HELO
>TESTSFAILED 72 CONTAINS MAILPOLICE-PORN
>TESTSFAILED 60 CONTAINS MAILPOLICE-REVDNS
>
>4. Spamhaus SBL/XBL. A second IP test. I'll run Dyna/All tests on the CBL and
>Blitzedall data to minimize false positives. I'll also run some other relay tests so I
>don't have the XBL stuff weighted over the top. I get about .5% questionable hits on
>the SBL, and less on the XBL. The XBL is probably my second best test.
>
>SPAMHAUS-SBL ip4r sbl-xbl.spamhaus.org 127.0.0.2 72 0
>XBL-CBL-DYNA ip4r sbl-xbl.spamhaus.org 127.0.0.4 42 0
>XBL-CBL-ALL ip4r sbl-xbl.spamhaus.org 127.0.0.4 18 0
>XBL-BLITZEDALL-DYNA ip4r sbl-xbl.spamhaus.org 127.0.0.6 42 0
>XBL-BLITZEDALL-ALL ip4r sbl-xbl.spamhaus.org 127.0.0.6 18 0
>
>These 4 are my best performing hits, and they tend to rely on different aspects of
>the e-mail, which makes these tests excellent for some combination punishment filter
>tests.
>
>5. Punishment tests. Since the above tests can cover different.
>COMBO-Sniffer-Spamcop.txt (Sniffer-Combo is all results other than 60)
>TESTSFAILED END NOTCONTAINS SNIFFER-COMBO
>TESTSFAILED 50 CONTAINS SPAMCOP-DYNA
>
>Combo-SBL-Sniffer.txt
>TESTSFAILED END NOTCONTAINS SNIFFER-COMBO
>TESTSFAILED 50 CONTAINS SPAMHAUS-SBL
>
>Combo-MailPolice-Sniffer.txt
>TESTSFAILED END CONTAINS MAILPOLICE-WHITELIST
>TESTSFAILED END NOTCONTAINS SNIFFER-COMBO
>TESTSFAILED 30 CONTAINS MAILPOLICE-COMBO
>
>Combo-Mailpolice-spamcop.txt
>TESTSFAILED END CONTAINS MAILPOLICE-WHITELIST
>TESTSFAILED END NOTCONTAINS SPAMCOP-DYNA
>TESTSFAILED 20 CONTAINS MAILPOLICE-COMBO
>
>I also have combo tests for XBL. Mailpure's zombie's test cover these.
>
>Scott Fisher
>Director of IT
>Farm Progress Companies
>
>>>>[EMAIL PROTECTED] 06/04/04 02:35PM >>>
>We've seen more and more junk getting through on our servers. No doubt our
>config files are not up to date.
>I've downloaded the latest patch with the included config files.
>
>My question: does everyone run them "stock" or are there particular
>configs / settings / etc., that people are
>implementing to make Declude even more effective than it is out of the box?
>
>Is there anywhere to download people's various config's (ie. a page where
>they are posted and shared) or could
>someone either post what they think is key or make specific recommendations
>as to what to tweak?
>
>Thanks
>
>Chris
>
>---
>[This E-mail scanned for viruses by Declude Virus]
>
>---
>[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
>---
>This E-mail came from the Declude.JunkMail mailing list. To
>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.JunkMail". The archives can be found
>at http://www.mail-archive.com.

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
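
Added example (not part of the original thread, and not Declude's own code): a simplified Python model of the test lines above, showing that a "dnsbl" test with %IP4R% queries only the last hop while an "ip4r" test queries every hop, and how the name-based skip described in the thread changes the score when Mail From is local. The SORBS-DYNA line, the weights, the hop addresses and the DNS answers are constructed; the six-field reading of each line (name, type, zone, answer, two weights) and the skip rule are assumptions taken from the messages.

```python
import ipaddress

# Constructed sample lines in the thread's format:
# name  type  zone-or-template  expected-answer  weight-if-listed  weight-if-not
CONFIG = """
# old style: ip4r test with DYNA in its name (weights here are constructed)
SORBS-DYNA     ip4r  dnsbl.sorbs.net          127.0.0.10 5 0
# workaround style: dnsbl test with a variable, last hop only
SORBS-DYN      dnsbl %IP4R%.dnsbl.sorbs.net   127.0.0.10 5 0
SPAMCOP(LAST)  dnsbl %IP4R%.bl.spamcop.net    127.0.0.2  4 0
SPAMCOP(ALL)   ip4r  bl.spamcop.net           127.0.0.2  2 0
"""
SKIP_MARKERS = ("DUL", "DYNA", "DUHL")  # names the thread says are skipped

def ip4r(ip):
    """203.0.113.7 -> 7.113.0.203 (octet order used in DNSBL query names)."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))

def parse(config):
    rows = (l.split() for l in config.splitlines() if l and not l.startswith("#"))
    return [(n, k, z, a, int(hit), int(miss)) for n, k, z, a, hit, miss in rows]

def query_names(kind, zone, hops):
    """hops lists relay IPs with the connecting (last-hop) IP first."""
    if kind == "dnsbl":  # template expanded once, against the last hop only
        return [zone.replace("%IP4R%", ip4r(hops[0]))]
    return [f"{ip4r(h)}.{zone}" for h in hops]  # ip4r: every hop is queried

def score(tests, hops, dns, local_mail_from=False):
    """dns maps query name -> set of A records; it stands in for a resolver."""
    total, failed = 0, []
    for name, kind, zone, answer, hit, miss in tests:
        if local_mail_from and kind == "ip4r" and any(m in name for m in SKIP_MARKERS):
            continue  # simplified model of the skip described in the thread
        records = set().union(*(dns.get(q, set()) for q in query_names(kind, zone, hops)))
        listed = bool(records) if answer == "*" else answer in records
        total += hit if listed else miss
        if listed:
            failed.append(name)
    return total, failed

TESTS = parse(CONFIG)
HOPS = ["203.0.113.7", "198.51.100.20"]  # constructed documentation addresses
DNS = {"7.113.0.203.dnsbl.sorbs.net": {"127.0.0.10"},
       "20.100.51.198.bl.spamcop.net": {"127.0.0.2"}}

if __name__ == "__main__":
    print(score(TESTS, HOPS, DNS))                        # ordinary sender
    print(score(TESTS, HOPS, DNS, local_mail_from=True))  # forged local Mail From
```

With a local Mail From, the ip4r test named SORBS-DYNA no longer contributes, while the dnsbl test SORBS-DYN still scores the listed last hop.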
