To add to Andrew's comments: If you have the Pro version: some of Matt's test at Mailpure especially the foreign tests.
I've had good results with the UCE Protect ip4r. It's only been about a momth, but it looks to be 99.9% good here UCEPROTECT-ALL ip4r dnsbl-1.uceprotect.net * 50 0 If you are willing ot add an external test: Kevin Bilbee's test looks at IP address in the HELO and Reverse DNS. Pretty good effective rate: http://www.ssc-isp.net/HoldAnalyzer/containsip.aspx ----- Original Message ----- From: "Colbeck, Andrew" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, November 08, 2004 12:50 AM Subject: RE: [Declude.JunkMail] Latest Spam Tests > Well, Glen, there's a LOT more that you could be doing. I see that you've > only put forward the names of built-in tests and IP4R tests. Do you have > Declude Junkmail Lite, Standard or Pro? And have you upgraded to the > current version of the declude.exe application? > > The manual is here: http://www.declude.com/Articles.asp?ID=116 > > Regarding your built-in tests, > > I'd suggest you look at adding: > > CMDSPACE WARN > CONTSPACES WARN > COUNTRY LOG > IPNOTINMX LOG > LONGSUBJECT WARN > > CMDSPACE and CONTSPACES are good but you'll have to beware of false > positives; as an ISP, you in particular may have problems with CMDSPACE and > (I believe) your own clients using Outlook Express. Someone else here may > have a pointer about using it safely, perhaps with the "WHITELIST AUTH" > directive in your global.cfg (I'm going from memory here; I don't have that > particular issue). > > COUNTRY is quite good at adding weight based the country the message > originated in. Quite handy if you were a business that gets no legitimate > mail from Singapore or Korea or Brazil. > > > As for your existing IP4R tests, check > http://www.declude.com/Articles.asp?ID=97&Redirected=Y for a long list of > what's available and how to configure them. > > I see that you are using CBL, but not SBL or XBL. Check out > http://www.spamhaus.org and replace your CBL with a SBL and XBL line. Your > users will thank you. CBL is incorporated in XBL along with two other > lists, and the source has a lower latency than CBL. SBL is just plain good. > > I see that you have one test called REYNOLDS*. Note that all the Reynolds > tests have gone away and been replaced by ones at DNSBL.Net.Au ... since > this is an Australian ISP, you may find their various lists far most useful > than I found them, and your latency should be much lower. > > As with Reynolds, check out SORBS. You're only using 3 tests, but you may > find that with a low latency, it's worth running more of them. > > I see that you're running SPAMDOMAINS; you could probably gain from using > the latest; search the archives at > http://www.mail-archive.com/declude.junkmail@declude.com/ for the latest > SD.txt and related material. > > > Notes on external tests: > > You only listed one Sniffer test, so I'm guessing that you are running the > demo version. Do yourself a favour and instead of specifying "nonzero" as > the return value, make 3 tests with 3 names, and use the 63, 55, and 60 as > the values. Declude is smart enough that it doesn't actually run the test 3 > times, it just compares each test against the return value. See this for > what these return values do: > http://www.sortmonster.com/MessageSniffer/Help/ResultCodesHelp.html and at a > US $1/day, consider getting the whole enchilada. I suggest setting your > action for 55 to HOLD, and I seldom do that. If your server(s) are already > working hard, you should also check out the nifty new ability of Sniffer to > do "persistent mode". See the website for details. Your processors will > thank you. > > > Notes on counterweight tests: > > I see that you're using both SPFFAIL and SPFPASS; don't go crazy with too > low a "reward weight" for SPFPASS. No trojan'ed zombie hosts are going to > use SPF, but the kind of dyed-in-the-wool spammers on SBL certainly do. If > you lean on SPFPASS to help negatively weight good mail, you're helping > these spammers too. Most of the vocal subscribers on this list don't use > SPFPASS at all. > > To help reward the good guys, you might find useful the tests at: > http://www.trusted-forwarder.org/ which is designed to complement the SPF > tests (fwiw, they are not listed on that Declude web page of DNS based > tests). > > Likewise, check out http://www.ahbl.org and on their Services page, check > out Exemptions. > > Likewise, check out BondedSender from that Declude web page of DNS based > tests. > > > For tests that have good bang-for-your-buck to catch spam: > > Check out AHBL for good spam tests, too. > > Check out FIVETEN. > Check out MAILPOLICE. > Check out NJABL. > Check out SENDERDB. > > > Andrew 8) > > p.s. Hey, mail-archive.com just got a facelift and has caught up on it's > backlog! > > p.p.s. Since I wrote a different screed on getting up-to-date with your > Declude configuration recently, you can read that here: > http://www.mail-archive.com/declude.junkmail@declude.com/msg21880.html > > > > -----Original Message----- > From: Glen Harvy [mailto:[EMAIL PROTECTED] > Sent: Sunday, November 07, 2004 9:07 PM > To: Declude Junkmail > Subject: [Declude.JunkMail] Latest Spam Tests > Importance: High > > > Hi, > > I'm about to review/update my spam tests which currently are: > > BASE64 WARN > CBL WARN > COMMENTS WARN > DSBL WARN > MYFILTERS WARN X-Warning: This E-mail failed Spam filters > ORDB WARN > REYNOLDSRSMT WARN > SORBS-NOMAIL WARN > SORBS-SMTP WARN > SORBS-SPAM WARN > SPAMCOP WARN > DSN WARN > NOABUSE WARN > NOPOSTMASTER WARN > BADHEADERS WARN > HELOBOGUS WARN > MAILFROM WARN > PERCENT WARN > REVDNS WARN > ROUTING WARN > SPAMHEADERS WARN > SPAMDOMAINS WARN > SPFPASS WARN > SPFFAIL WARN > BLACKLIST WARN > SNIFFER WARN > > Can someone be king enough to share their's and/or comment on mine. > > Thanks, > _____________________________________ > Glen Harvy > Aquarius Communications > for all your Internet Needs. > Phone 9977 3788 Fax 9977 3844 > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, > just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe > Declude.JunkMail". The archives can be found at > http://www.mail-archive.com. > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.