However, I added a few more DNSBLs that one of you suggested last week. My global.cfg now looks like this:
#========================================= ADVANCED OPTIONS =================================
LOOSENSPAMHEADERS ON
CONSOLE ON
#IPBYPASS 192.0.2.25
HOP 0
#HOPHIGH 1
#DNS 127.0.0.1
HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT
CATCHALLMAILS catchallmails x x 0 0
NOLEGITCONTENT nolegitcontent x x 0 -5
IPNOTINMX ipnotinmx x x 0 -3
#========================================= WHITELISTS =======================================
#WHITELIST HABEAS
#AUTOWHITELIST ON
PREWHITELIST ON
WHITELIST AUTH
# ----- Domain Example -----
WHITELIST FROM @declude.com
WHITELIST FROM @munis.com
WHITELIST FROM @trg.com
WHITELIST FROM @winnacunnet.k12.nh.us
# ----- User Example -----
WHITELIST FROM [EMAIL PROTECTED]
# ----- TO Example -----
#WHITELIST TO postmaster@
#WHITELIST TO abuse@
# ----- SAU IPS -----
#SAU AND HAMPTON
WHITELIST IP 207.228.220.
WHITELIST IP 172.21.21.
#SEABROOK
WHITELIST IP 70.88.195.41
#HFALLS
WHITELIST IP 24.128.32.179
#SOHAM
WHITELIST IP 69.164.74.209
#========================================= BLACKLISTS =======================================
#BLACKLIST fromfile [path]\Filters\blacklist.txt x 10 0
#BLACKIP ipfile [path]\Filters\blackip.txt x 10 0
#========================================= RBL IP4R TESTS ==========================================
# 1. Definitions of the tests to use (do not edit unless you know what you are doing). These must come before the actions.
# 2. First is the name of the check, then the type of check (ip4r is a DNS lookup using the reverse of the IP address).
# 3. For type ip4r, 'matchstring' is the string to look for, or "*" for anything.
XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 9 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0
UCEPROTECT-LAST dnsbl %IP4R%.dnsbl-1.uceprotect.net 127.0.0.2 4 0
UCEPROTECT-ALL ip4r dnsbl-1.uceprotect.net 127.0.0.2 1 0
SENDERDB-BLACK ip4r pub.senderdb.net 127.0.0.2 8 0
SENDERDB-SUSPICIOUS ip4r pub.senderdb.net 127.0.0.4 2 0
MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 7 0
MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 9 0
MAILPOLICE-FRAUD rhsbl fraud.rhs.mailpolice.com 127.0.0.2 8 0
AHBL ip4r dnsbl.ahbl.org * 6 0
BLITZEDALL ip4r opm.blitzed.org * 7 0
CBL ip4r cbl.abuseat.org 127.0.0.2 6 0
DSBL ip4r list.dsbl.org * 6 0
ORDB ip4r relays.ordb.org * 5 0
SBL ip4r sbl.spamhaus.org * 7 0
SORBS-HTTP ip4r dnsbl.sorbs.net 127.0.0.2 5 0
SORBS-SOCKS ip4r dnsbl.sorbs.net 127.0.0.3 5 0
SORBS-MISC ip4r dnsbl.sorbs.net 127.0.0.4 5 0
SORBS-SMTP ip4r dnsbl.sorbs.net 127.0.0.5 5 0
SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 4 0
#SORBS-WEB ip4r dnsbl.sorbs.net 127.0.0.7 5 0
SORBS-BLOCK ip4r dnsbl.sorbs.net 127.0.0.8 5 0
SORBS-ZOMBIE ip4r dnsbl.sorbs.net 127.0.0.9 5 0
SORBS-DUHL ip4r dnsbl.sorbs.net 127.0.0.10 4 0
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 7 0
#MTLDB ip4r mtldb.declude.com 127.0.0.2 3 0
#BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -10 0
#ADDITIONAL USED RBL IP4R TESTS
#FIVETENSRC ip4r blackholes.five-ten-sg.com 127.0.0.2 2 0
#JAMMDNSBL ip4r dnsbl.jammconsulting.com 127.0.0.2 2 0
#========================================= RHBSL TESTS ==========================================
DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 3 0
#NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 2 0
#NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 1 0
#========================================= OTHER TESTS ==========================================
BADHEADERS badheaders x x 8 0
BASE64 base64 x x 4 0
CMDSPACE cmdspace x x 8 0
COMMENTS comments x x 7 0
HELOBOGUS helovalid x x 4 0
MAILFROM envfrom x x 12 0
PERCENT percent x x 10 0
REVDNS revdnsexists x x 4 0
ROUTING spamrouting x x 2 0
SPAMHEADERS spamheaders x x 3 0
SPFFAIL spffail x x 3 0
#SPFPASS spfpass x x -3 0
#BCC bcc 20 x 5 0
NONENGLISH nonenglish x x 3 0
#SUBJECTCHARS subjectchars 50 x 0 0
#SUBJECTSPACES subjectspaces 12 x 5 0
#=========================================== FILTERS ===============================================
#SUBJECT filter [path]\Filters\Subject.txt x 0 0
#WORD filter [path]\Declude\Filters\Word.txt x 0 0
#========================================= 3RD PARTY =============================================
SNIFFER external nonzero "D:\IMail\Sniffer\snfrv2r3.exe xnk05x5vmipeaof7" 10 0
#SPAMCHK external nonzero "[path]\Spamchk\spamchk.exe" 1 0
#========================================= TRIGGERS ==============================================
WEIGHT1014 weightrange x x 10 14
WEIGHT1519 weightrange x x 15 19
WEIGHT20 weight x x 20 0
As for actions, I am currently holding 10-14, redirecting 15-19, and deleting >20. Now this seemed to work great before, but now that I added a few more DNSBLs, my scores are much higher obviously. I'm curious if this is a BAD thing, or if it just confirms that if a message is on several blacklists, it SHOULD have a high score and be deleted. Thoughts on this? I basically guessed on the weights for the top 9 blacklists that I added manually...
Thanks.
Joey
At 11:34 PM 3/4/2005, you wrote:
Evan.
It is my understanding that is a global command and is only supported in the global.cfg file.
Darrell
-------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "Evans Martin" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, March 04, 2005 10:17 PM
Subject: RE: [Declude.JunkMail] Beginner configuration?
Does LOOSENSPAMHEADERS ON have to go in the global.cfg? What if I want to do this for one domain but not for others? Is there any way to accomplish this?
Thanks, Evans Martin
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Friday, March 04, 2005 8:17 AM
> To: [email protected]
> Subject: Re: [Declude.JunkMail] Beginner configuration?
>
> Joey,
>
> Declude is very effective when tweaked. Not to mention the default global.cfg ships without all of the RBL's that most of us use (XBL, UCE, MAIL-POLICE, SENDERDB). Also, there are other 3rd party utilities which are very effective at catching spam like invURIBL and Message Sniffer. Both of those applications have trial versions.
>
> Are you still using the default scale? Since you have been working with your global.cfg you might want to post it to the list for us to look over it and see what you have done so far as to make suggestions.
>
> For your clients that you are not in control of I would imagine that you know the ip blocks they come from or the firewall ip that they are behind that. You can whitelist that ip so that them failing the cmdspace will not be a factor. CMDSPACE is very effective but direct connects from clients using outlook will set that off.
>
> For SPAMHEADERS I use "LOOSENSPAMHEADERS ON" this relaxes the spamheaders test so that it does not trigger on missing message ID emails.
>
> Hope that helps,
> Darrell
> ------------------------------------------------------------------------
> Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
>
> Joey Proulx writes:
>
> > Hello,
> >
> > Just downloaded the demo version of Junkmail Pro, and I was curious about the basic setup. For the last two days I've monitored and tweaked and held and redirected and spent hours upon hours looking over the junkmail setup and rules and whatnot. I'm wondering if I'm reinventing the wheel.
> >
> > I work for a school district with a big spam problem, but as any of you in gov't know, if I tell them we should buy something I need to make sure it works. I was just wondering if there are any tried and true setups that any of you are using to cut down on the spam. I'm seeing that this system works, but I'm also still running the built-in Imail filter, and I've seen quite a few messages that get caught by Imail, but have a Declude score of 0, that should NOT have made it through. Do you all still run the builtin Imail spam as well? Any filters I should definitely setup?
> >
> > I'm seeing a lot of CMDSPACE and SPAMHEADERS (missing MessageID header) from some local clients (I don't control all my clients, so I don't think I can make them authenticate). Should I do away with these tests, or can I fix these two issues on the server side?
> >
> > Thanks for all your help.
> >
> > _____________________________
> > Joey Proulx
> > SAU #21 Technology Support Staff
> > 2 Alumni Drive
> > Hampton, NH 03842
> > (603) 926-8992, ext 115
> > [EMAIL PROTECTED]
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
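An added example, not part of the original thread and not Declude's own code: it parses a subset of the test lines from the posted global.cfg and totals the weights for constructed sets of triggered tests, mapping each total onto the hold/redirect/delete ranges described in the post and breaking it down per DNS zone. The field layout (name, type, zone, match string, weight on fail, weight on pass) is an assumption read off the config, and the hit sets are constructed.

```python
# Test lines copied from the global.cfg posted above (a subset).
CONFIG = """\
XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 9 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0
CBL ip4r cbl.abuseat.org 127.0.0.2 6 0
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 7 0
SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 4 0
#SORBS-WEB ip4r dnsbl.sorbs.net 127.0.0.7 5 0
REVDNS revdnsexists x x 4 0
"""

def parse_tests(text):
    """Return {name: (zone, weight_on_fail)}, skipping commented-out lines.
    Assumed field layout: NAME TYPE ZONE MATCH WEIGHT_FAIL WEIGHT_PASS."""
    tests = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0].startswith("#"):
            continue
        name, _type, zone, _match, w_fail, _w_pass = parts
        tests[name] = (zone.replace("%IP4R%.", ""), int(w_fail))
    return tests

def action_for(total):
    """Ranges from the post and its WEIGHT triggers: hold 10-14,
    redirect 15-19, delete at 20 and up."""
    if total >= 20:
        return "delete"
    if total >= 15:
        return "redirect"
    if total >= 10:
        return "hold"
    return "deliver"

def score(tests, triggered):
    """Total the weights of the triggered tests and break them down per zone,
    so several tests backed by one list show up as a single large entry."""
    per_zone = {}
    for name in triggered:
        zone, weight = tests[name]
        per_zone[zone] = per_zone.get(zone, 0) + weight
    total = sum(per_zone.values())
    return total, action_for(total), per_zone

if __name__ == "__main__":
    tests = parse_tests(CONFIG)
    # Constructed hit sets: which tests fired for three imaginary messages.
    for hits in (["CBL"], ["XBL(LAST)", "XBL(ALL)"],
                 ["XBL(LAST)", "XBL(ALL)", "CBL", "SPAMCOP"]):
        print(hits, score(tests, hits))
```

With the posted weights, a message that fires both XBL tests already totals 11 from the single sbl-xbl zone, which lands in the hold range before any other list is counted.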
