Scott,
I do not use sniffer, so I cannot use exactly what you have here. Any
thoughts what other test to use?
In your scoring system a weight of 24 is what portion of your
tag/hold/delete weight.
Your mailfrom-null-sender filter will assign 24 points regardless. Then
if it also fails the sniffer-combo test it will get another 120 points.
So one e-mail could get 24+120 points (+1 if mailer-deamon@). Right?
If I understood this correctly then for the simple NDRs it will add 24
points and for SPAM with NullMailFrom it will add 144 points. This
cannot distinguish between valid NDRs and NDRs generated by spoofed
sender SPAM. So going back to my original desire to weed out "bad" NDRs
from "good" NDRs this will not do it. Right?
Sorry its late and I am sort of rambling.
Goran Jovanovic
The LAN Shoppe
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Scott Fisher
> Sent: Tuesday, June 15, 2004 7:14 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Null Sender and NDRs
>
> If a message fails sniffer and has a mailfrom of <>, I give it
additional
> points:
>
> mailfrom-null-sender.txt:
> MAILFROM 24 CONTAINS <>
> MAILFROM 1 STARTSWITH MAILER-DAEMON@
>
> Sniffer-combo.txt:
> TESTSFAILED END CONTAINS SNIFFER-NOTFOUND
> TESTSFAILED END CONTAINS SNIFFER-GREYMAIL
> TESTSFAILED 0 CONTAINS SNIFFER-TRAVEL
> TESTSFAILED 0 CONTAINS SNIFFER-INSURANCE
> TESTSFAILED 0 CONTAINS SNIFFER-AV-PUSH
> TESTSFAILED 0 CONTAINS SNIFFER-WAREZ
> TESTSFAILED 0 CONTAINS SNIFFER-SPAMWARE
> TESTSFAILED 0 CONTAINS SNIFFER-SNAKEOIL
> TESTSFAILED 0 CONTAINS SNIFFER-SCAMS
> TESTSFAILED 0 CONTAINS SNIFFER-PORN
> TESTSFAILED 0 CONTAINS SNIFFER-MALWARE
> TESTSFAILED 0 CONTAINS SNIFFER-ADVERTISING
> TESTSFAILED 0 CONTAINS SNIFFER-SCHEMES
> TESTSFAILED 0 CONTAINS SNIFFER-CREDIT
> TESTSFAILED 0 CONTAINS SNIFFER-GAMBLING
> TESTSFAILED 0 CONTAINS SNIFFER-OBFUSCATION
> TESTSFAILED 0 CONTAINS SNIFFER-EXPERIMENTAL
> TESTSFAILED 0 CONTAINS SNIFFER-GENERAL
>
> combo-nulll-sniffer.txt:
> TESTSFAILED END NOTCONTAINS SNIFFER-COMBO
> TESTSFAILED 120 CONTAINS MAILFROM-NULL-SENDER
>
>
> Scott Fisher
> Director of IT
> Farm Progress Companies
>
> >>> [EMAIL PROTECTED] 06/15/04 05:34PM >>>
>
>
>
>
> Goran Jovanovic
> The LAN Shoppe
> One of my clients is getting hammered big time with NULL MAILFROM.
They
> are all NDRs from all over the place. Yesterday 56% of his mail was
NDRs
>
> Total Messages: 3009
>
> TEST # FAILED Percentage
> NULLMAILFROM.................1680.......55.83%
>
> I had originally thought that punishing NULL senders would help with
> some SPAM messages that I saw coming in but how can you deal with
this?
>
> I would want to let legitimate NDRs in but not these
>
> The NDRs are bouncing back to users like [EMAIL PROTECTED] and other
such
> fictitious addresses. This domain is not a local IMail domain but
rather
> a gateway domain so I have no way of checking against a userlist.
>
> Any thoughts?
>
> Thanx
>
> Goran
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
