Scott Fisher wrote:

One countermeasure could be to end the tests on a relay test hit or a DYNA hit, probably not an ALL hit.


I was thinking along the same lines. For instance, I defeat the GIBBERISH and GIBBERISHSUB tests on my own system if they hit SNIFFER-GRAY, since that's not what it was designed to hit (it would often FP on tracking links). It is true in this case that most of my FPs from tagging multiple hops come from the (ALL) hits, resulting from the sender's PC having been infected at one point in time or even currently. Hits on exploited mail servers that FP are much rarer.

Looking at my June numbers to see about items that hit relays (AHBL, ORDB, NJABL, SORBS):
23 good e-mails (most from an .edu that got credit on my edu filter and failed the ordb-all test)
2 that landed in hold (288 and 294 points, oh so close to that 300 delete)
462 that were deleted.
Looking at these numbers, relay spam detection is doing very well. At least from known relays.
Sometimes I've wondered if a number-of-hops variable would be good to have for filters. If it came to my server from a .gov in one hop, I'd be more tempted to believe it.

I would also like to configure different tests with the number of hops in the config instead of using character string exceptions. Default them to one hop (HOPHIGH 0), and let us specify in an extra column how many other hops if different. I could also see some utility in having a HOPS variable to filter on as well as a %HOPS% variable to send to external tests.

The DNS mailfrombl / IP list sounds like it is the safest whitelisting technique, but it also sounds like a lot of work to maintain. New hires, people leaving, new e-mail addresses, lots of changes, lots of work. Even maintaining the IP list can be work. I've changed ISPs three times in five years, each time thinking how much lower can the price go.
I'd love to be out of the maintaining black/white lists mode.

I do it in DNS for the performance as well as the benefits of sharing the data across multiple systems for when I go multi-server on scanning. If I used filter files, I would grind my system into the ground. Techniques like doing %MAILFROMBL%.%IP4R% also can't be done effectively in filters currently if you want multiple entries in a single file.

As for semi-trusted domains, I go back to the thought that you aren't going to whitelist them; you only really need to credit them enough points to get them past one potential false positive. If it fails a chunk of tests as SPAM, that credited weight won't really make much of a difference. For me it ends up in hold for a week instead of being deleted, not preferred but livable.
I don't know if you can go trusting gov agencies / universities not to be a relay. I get plenty of gov mail that has no reverse DNS. A pretty basic thing there.

IMO, these are more often poorly administered and exploited, along with EDU.


I've often wondered what to whitelist myself. I currently only whitelist the mailing lists that I belong to. I know increasing the whitelist amount would help the server. I've even pondered asking the question of what to whitelist on the mailing list.
I do a fair amount of crediting mail some points. I credit on revdns, subject, body and, if I have to, mailfrom for terms or products that directly apply to my company. Surprisingly, the subject and body work pretty well. The revdns needs occasional tweaking and the mailfrom is almost under constant surveillance (but it is the least credit points).
One technique I do use is that I've created a filter-bypass filter. This has tests that are most likely to be close (very close) to 100% non-spam. I have bonded-sender, my subject, body and revdns credit filters, your size filters for larger e-mails, and various friendly companies (usually revdns). I then put a testfailed end contains filter-bypass in the filters that I really don't want to run for these more-trusted e-mails. Mostly these are the body filters. I only need to maintain this list in one area. I used to do END statements in all of my filters and updating them was a pain. Now one statement ends across all of the body filters (while most virus hoax, phish and malware filters always get run).


My issue is that I would like to create a system for applying credit to all types of messages and hopefully move it into an automated interface that updates a zone on the fly. This means that no single method will be the best. I would like to get a performance benefit from actual whitelisting, but I don't want my system compromised so crediting a few points and then ENDing the filters would be the best of both worlds. I would probably use the %MAILFROMBL% combo for large domains such as Yahoo, HotMail and ISP's and those onesies that you see from smaller domains where the PC is open relay tagged or they like to talk dirty, and a %MAILFROM% combo for smaller trusted private companies. I could work the system in such a way so that I could choose the %MAILFROMBL% or %MAILFROM% plus either the %IP4R%, %HELO% or %REVDNS% (it's too bad that we can't do the REVDNS domain only though). I would just have multiple lookups in my config. Another issue is that some problems are transient and others are ongoing and some will score very high, so variable weighting is probably best in this instance. That would mean multiple zones in this case, with different result codes resulting in different scores, and choosing a score/result code at the time of entry.

So if you wanted to credit filter [EMAIL PROTECTED] and not my whole domain, and you wanted to allow this address to be delivered from any of my IP's, you would create an entry in your zone like so:


*.mailpure.com.matt.mailpure.com    A    127.0.0.2
                                    TXT  ( "[EMAIL PROTECTED] from *.mailpure.com Reverse DNS" )


You would query this in Declude like so:

WHITELIST-LOW dnsbl %REVDNS%.%MAILFROMBL%.example.com 127.0.0.2 -5 0

My hope is to do away with credit filters in Declude by moving to DNS. The only things that I can think of that wouldn't fit this situation would be bulk-mailers with a mix of spam and ham, and where content filters are necessary to pick things out like the From line or the Reply-To line, but hopefully these variables will come over time.

Sorry I'm rambling...


Better you than me :)

Matt

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

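As an added illustration of the DNS credit lookup described in the message above (this is not Declude's code and not MailPure's filters; the zone contents, sender addresses, hostnames and weights are all constructed), the Python below builds the %REVDNS%.%MAILFROMBL%.example.com name that the WHITELIST-LOW line would query, resolves it against an in-memory zone with DNS wildcard semantics, and maps the returned 127.0.0.x code to a weight. It assumes %MAILFROMBL% is the envelope sender with the @ replaced by a dot, which is what the zone entry matt.mailpure.com implies, and it generalises the single "127.0.0.2 -5" pair to a code-to-weight table so that different result codes can carry different credits, as the message proposes.

```python
"""Declude-style DNS credit lookup, simulated offline.

Added example; not Declude's code and not MailPure's filters. It builds the
name that the config line
    WHITELIST-LOW dnsbl %REVDNS%.%MAILFROMBL%.example.com 127.0.0.2 -5 0
would query, resolves it against an in-memory zone using DNS wildcard rules,
and maps the returned 127.0.0.x code to a score. Zone contents, sender
addresses, hostnames and weights are constructed for illustration.
"""
from typing import Optional, Tuple

ORIGIN = "example.com"  # the zone the config line appends to the lookup

# Constructed zone, names relative to ORIGIN. The first entry is the one from
# the post (matt@mailpure.com, any mailpure.com reverse DNS); the others show
# a second code for a larger credit and a code with no weight configured.
RECORDS = {
    "*.mailpure.com.matt.mailpure.com": "127.0.0.2",
    "mail.example.org.billing.example.org": "127.0.0.3",
    "*.example.net.ops.example.net": "127.0.0.9",
}
ZONE = {f"{rel}.{ORIGIN}": ip for rel, ip in RECORDS.items()}

# Assumed code -> weight table (negative = credit), generalising the
# "127.0.0.2 -5" pair of the config line to several result codes.
WEIGHTS = {"127.0.0.2": -5, "127.0.0.3": -15}


def mailfrombl(mailfrom: str) -> str:
    """%MAILFROMBL%: the envelope sender with '@' replaced by '.', the reading
    implied by the zone entry 'matt.mailpure.com' (assumption; Declude's own
    definition is not quoted on the page)."""
    local, at, domain = mailfrom.strip("<> ").lower().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an address: {mailfrom!r}")
    return f"{local}.{domain}"


def lookup_name(revdns: str, mailfrom: str, origin: str = ORIGIN) -> str:
    """The substituted %REVDNS%.%MAILFROMBL%.<zone> query name."""
    host = revdns.rstrip(".").lower()
    if not host:
        raise ValueError("no reverse DNS; nothing to credit on")
    return f"{host}.{mailfrombl(mailfrom)}.{origin}"


def _nodes(zone: dict) -> set:
    """Every name that exists in the zone, including the empty non-terminals
    implied by the ancestors of each record (the '*' label itself is excluded)."""
    nodes = set()
    for name in zone:
        labels = name.split(".")
        for i, label in enumerate(labels):
            if label != "*":
                nodes.add(".".join(labels[i:]))
    return nodes


def resolve(name: str, zone: dict = ZONE) -> Optional[str]:
    """RFC 4592 wildcard matching: an exact match wins; otherwise find the
    closest existing ancestor (closest encloser) and answer only if it owns a
    '*' child. So '*.mailpure.com.matt.mailpure.com' covers mail.mailpure.com
    and mx2.corp.mailpure.com, but not a different sender at mailpure.com."""
    if name in zone:
        return zone[name]
    nodes = _nodes(zone)
    labels = name.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in nodes:
            return zone.get("*." + encloser)
    return None


def credit(revdns: str, mailfrom: str,
           zone: dict = ZONE, weights: dict = WEIGHTS) -> Tuple[str, Optional[str], int]:
    """Returns (query name, result code or None, weight). Unlisted names and
    codes without a configured weight score 0, so a surprise code never credits."""
    name = lookup_name(revdns, mailfrom)
    code = resolve(name, zone)
    return name, code, weights.get(code, 0)


if __name__ == "__main__":
    for host, sender in [("mail.mailpure.com", "matt@mailpure.com"),
                         ("mail.mailpure.com", "bob@mailpure.com"),
                         ("mail.evil.example", "matt@mailpure.com")]:
        print(credit(host, sender))
```

Reverse DNS is the attacker-influenced half of the key: whoever controls an IP controls its PTR record, so this credit is only as trustworthy as whatever forward-confirms the PTR before the lookup runs; for hosts you own, %IP4R% in place of %REVDNS% removes that dependency. Unknown result codes deliberately score 0, so a typo in the zone or a wildcard that answers more than intended cannot hand out credit by accident.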