Mark,
mail-archive.com converted the text attachment to just a part of the
message if you wish to cut and paste it from there.
http://www.mail-archive.com/declude.junkmail%40declude.com/msg21757.html
Matt
Mark E. Smith wrote:
Matt,
Can you resend that filter? I
checked on the archive and the attachment isn't there.
Thanks.
Mark
Danny,
It's a special construct that I use to kludge a way to provide a
difference in scoring of last hop DNSBL hits and prior-hop DNSBL hits.
For instance, if you score a test on the last 3 hops and it hits an
open relay type of list on the first hop, that isn't anywhere nearly as
indicative of spam as a last hop open relay hit.
With Declude, you can kludge it so that you can score both the last hop
only or all hops. If I get a hit for both SPAMCOP(ALL) and
SPAMCOP(LAST), this means that SpamCop hit minimally on the last hop.
If I only get a hit for SPAMCOP(ALL), that means that the hit was on a
prior hop. Yes, this is most definitely very effective, and I
absolutely do wish there was a better way to do this in Declude by
assigning the range of hops to test per entry in your config. An
example of how to configure this with SpamCop would be as follows:
SPAMCOP(LAST) dnsbl %IP4R%.bl.spamcop.net
127.0.0.2 4 0
SPAMCOP(ALL) ip4r bl.spamcop.net
127.0.0.2 2 0
This is primarily effective with DNSBL's that track primarily open
relays and not necessary with most static spammer lists although SBL
has been acting like idiots as of late and including random blocks all
the way up to whole class B's on residential class networks which
severely weakens the value of SBL when scored the same on every hop.
As far as my filter goes, you can remove all of the lines beginning
with the one targeting SNIFFER hits. It will work just fine without
these, but I included them just for good measure as I expect the spam
patterns to change eventually. I do of course expect to see spammers
cracking AUTH with much more frequency, and Earthlink at least appears
to be inept at stopping it since this has been happening for over 3
months now and growing in scope.
Matt
Danny K wrote:
Matt,
What does the (ALL) do as in "SPAMCOP(ALL)"?
i360 Support wrote:
I am still getting a ton of
porn spam from Earthlink.
I report it but it does not
help much.
Any suggestions on how to
stop this crap?
Attached is the filter that I use to kill this stuff. Last I checked,
there were two different spammers that were cracking AUTH to get this
stuff through, and their patterns don't seem to have changed, although
they probably will and/or more will come.
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
|
