Joey
At 02:47 PM 3/8/2005, you wrote:
The SBL-XBL includes the SBL, Blitzedall and the CBL list, so you are double-scoring the CBL list.
For the SBL-XBL here are the return codes:
SBL = 127.0.0.2 return code
CBL = 127.0.0.4 return code
BLITZEDALL = 127.0.0.6 return code
So either: SBL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.2 7 0 CBL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0 BLITZEDALL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.5 7 0
or BLITZEDALL ip4r opm.blitzed.org * 7 0 CBL ip4r cbl.abuseat.org 127.0.0.2 6 0 SBL ip4r sbl.spamhaus.org * 7 0
----- Original Message ----- From: "Joey Proulx" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Tuesday, March 08, 2005 12:44 PM Subject: Re: [Declude.JunkMail] Beginner configuration?
Thanks for all the help everyone. So far so good, users are noticing the improvement. I added sniffer to the arsenal earlier today, and it's amazing how much more it's picking up. VERY VERY few false positives at all in the first four days of my trial with Declude/Sniffer.
However, I added a few more DNSBLs that one of you suggested last week. My global.cfg now looks like this:
#========================================= ADVANCED OPTIONS =================================
LOOSENSPAMHEADERS ON
CONSOLE ON
#IPBYPASS 192.0.2.25
HOP 0 #HOPHIGH 1
#DNS 127.0.0.1
HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT
CATCHALLMAILS catchallmails x x 0 0 NOLEGITCONTENT nolegitcontent x x 0 -5 IPNOTINMX ipnotinmx x x 0 -3
#========================================= WHITELISTS =======================================
#WHITELIST HABEAS #AUTOWHITELIST ON PREWHITELIST ON WHITELIST AUTH
# ----- Domain Example ----- WHITELIST FROM @declude.com WHITELIST FROM @munis.com WHITELIST FROM @trg.com WHITELIST FROM @winnacunnet.k12.nh.us
# ----- User Example ----- WHITELIST FROM [EMAIL PROTECTED]
# ----- TO Example ----- #WHITELIST TO postmaster@ #WHITELIST TO abuse@
# ----- SAU IPS -----
#SAU AND HAMPTON WHITELIST IP 207.228.220. WHITELIST IP 172.21.21.
#SEABROOK WHITELIST IP 70.88.195.41
#HFALLS WHITELIST IP 24.128.32.179
#SOHAM WHITELIST IP 69.164.74.209
#========================================= BLACKLISTS =======================================
#BLACKLIST fromfile [path]\Filters\blacklist.txt x 10 0 #BLACKIP ipfile [path]\Filters\blackip.txt x 10 0
#========================================= RBL IP4R TESTS ==========================================
# 1. Definitions of the tests to use (do not edit unless you know what you are doing). These must come before the actions.
# 2. First is the name of the check, then the type of check (ip4r is a DNS lookup using the reverse of the IP address).
# 3. For type ip4r, 'matchstring' is the string to look for, or "*" for anything.
XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 9 0 XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0 UCEPROTECT-LAST dnsbl %IP4R%.dnsbl-1.uceprotect.net 127.0.0.2 4 0 UCEPROTECT-ALL ip4r dnsbl-1.uceprotect.net 127.0.0.2 1 0 SENDERDB-BLACK ip4r pub.senderdb.net 127.0.0.2 8 0 SENDERDB-SUSPICIOUS ip4r pub.senderdb.net 127.0.0.4 2 0 MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 7 0 MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 9 0 MAILPOLICE-FRAUD rhsbl fraud.rhs.mailpolice.com 127.0.0.2 8 0 AHBL ip4r dnsbl.ahbl.org * 6 0 BLITZEDALL ip4r opm.blitzed.org * 7 0 CBL ip4r cbl.abuseat.org 127.0.0.2 6 0 DSBL ip4r list.dsbl.org * 6 0 ORDB ip4r relays.ordb.org * 5 0 SBL ip4r sbl.spamhaus.org * 7 0 SORBS-HTTP ip4r dnsbl.sorbs.net 127.0.0.2 5 0 SORBS-SOCKS ip4r dnsbl.sorbs.net 127.0.0.3 5 0 SORBS-MISC ip4r dnsbl.sorbs.net 127.0.0.4 5 0 SORBS-SMTP ip4r dnsbl.sorbs.net 127.0.0.5 5 0 SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 4 0 #SORBS-WEB ip4r dnsbl.sorbs.net 127.0.0.7 5 0 SORBS-BLOCK ip4r dnsbl.sorbs.net 127.0.0.8 5 0 SORBS-ZOMBIE ip4r dnsbl.sorbs.net 127.0.0.9 5 0 SORBS-DUHL ip4r dnsbl.sorbs.net 127.0.0.10 4 0 SPAMCOP ip4r bl.spamcop.net 127.0.0.2 7 0 #MTLDB ip4r mtldb.declude.com 127.0.0.2 3 0
#BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -10 0
#ADDITIONAL USED RBL IP4R TESTS #FIVETENSRC ip4r blackholes.five-ten-sg.com 127.0.0.2 2 0 #JAMMDNSBL ip4r dnsbl.jammconsulting.com 127.0.0.2 2 0
#========================================= RHBSL TESTS ==========================================
DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 3 0 #NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 2 0 #NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 1 0
#========================================= OTHER TESTS ==========================================
BADHEADERS badheaders x x 8 0 BASE64 base64 x x 4 0 CMDSPACE cmdspace x x 8 0 COMMENTS comments x x 7 0 HELOBOGUS helovalid x x 4 0 MAILFROM envfrom x x 12 0 PERCENT percent x x 10 0 REVDNS revdnsexists x x 4 0 ROUTING spamrouting x x 2 0 SPAMHEADERS spamheaders x x 3 0 SPFFAIL spffail x x 3 0 #SPFPASS spfpass x x -3 0
#BCC bcc 20 x 5 0 NONENGLISH nonenglish x x 3 0 #SUBJECTCHARS subjectchars 50 x 0 0 #SUBJECTSPACES subjectspaces 12 x 5 0
#=========================================== FILTERS ===============================================
#SUBJECT filter [path]\Filters\Subject.txt x 0 0
#WORD filter [path]\Declude\Filters\Word.txt x 0 0
#========================================= 3RD PARTY =============================================
SNIFFER external nonzero "D:\IMail\Sniffer\snfrv2r3.exe xnk05x5vmipeaof7" 10 0
#SPAMCHK external nonzero "[path]\Spamchk\spamchk.exe" 1 0
#========================================= TRIGGERS ==============================================
WEIGHT1014 weightrange x x 10 14 WEIGHT1519 weightrange x x 15 19 WEIGHT20 weight x x 20 0
As for actions, I am currently holding 10-14, redirecting 15-19, and deleting >20. Now this seemed to work great before, but now that I added a few more DNSBLs, my scores are much higher obviously. I'm curious if this is a BAD thing, or if it just confirms that if a message is on several blacklists, it SHOULD have a high score and be deleted. Thoughts on this? I basically guessed on the weights for the top 9 blacklists that I added manually...
Thanks.
Joey
At 11:34 PM 3/4/2005, you wrote:Evan.
It is my understanding that is a global command and is only supported in the global.cfg file.
Darrell
------------------------------------------- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. ----- Original Message ----- From: "Evans Martin" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Friday, March 04, 2005 10:17 PM Subject: RE: [Declude.JunkMail] Beginner configuration?
Does LOOSENSPAMHEADERS ON have to go in the global.cfg? What if I want to do this for one domain but not for others? Is there any way to accomplish this?
Thanks, Evans Martin
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
>> > [EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Friday, March 04, 2005 8:17 AM
> To: [email protected]
> Subject: Re: [Declude.JunkMail] Beginner configuration?
>
> Joey,
>
> Declude is very effective when tweaked. Not to mention the default
> global.cfg ships without all of the RBL's that most of us use (XBL, > UCE,
> MAIL-POLICE, SENDERDB). Also, there are other 3rd patry utilties which
> are
> very effective at catching spam like like invURIBL and Message Sniffer.
> Both of those applications have trial versions.
>
> Are you still using the default scale? Since you have been working > with
> your global.cfg you might want to post it to the list for us to look > over
> it
> and see what you have done so far as to make suggestions.
>
> For your clients that you are not in control of I would imagine that > you
> know the ip blocks they come from or the firewall ip that they are > behind
> that. You can whitelist that ip so that them failing the cmdspace will
> not
> be a factor. CMDSPACE is very effective but direct connects from > clients
> using outlook will set that off.
>
> For SPAMHEADERS I use "LOOSENSPAMHEADERS ON" this relaxes the
> spamheaders
> test so that it does not trigger on missing message ID emails.
>
> Hope that helps,
> Darrell
> ------------------------------------------------------------------------
> Check out http://www.invariantsystems.com for utilities for Declude And
> Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
> MRTG
> Integration, and Log Parsers.
>
>
>
> Joey Proulx writes:
>
> > Hello,
> >
> > Just downloaded the demo version of Junkmail Pro, and I was curious
> about
> > the basic setup. For the last two days I've monitored and tweaked > > and
> > held and redirected and spent hours upon hours looking over the > > junkmail
> > setup and rules and whatnot. I'm wondering if I'm reinventing the
> wheel.
> > I work for a school district with a big spam problem, but as any of > > you
> in
> > gov't know, if I tell them we should buy something I need to make > > sure
> it
> > works. I was just wondering if there are any tried and true setups > > that
> > any of you are using to cut down on the spam. I'm seeing that this
> system
> > works, but I'm also still running the built-in Imail filter, and I've
> seen
> > quite a few messages that get caught by Imail, but have a Declude > > score
> of
> > 0, that should NOT have made it through. Do you all still run the
> builtin
> > Imail spam as well? Any filters I should definitely setup?
> >
> > I'm seeing a lot of CMDSPACE and SPAMHEADERS (missing MessageID > > header)
> > from some local clients (I don't control all my clients, so I don't
> think
> > I can make them authenticate). Should I do away with these tests, or
> can
> > I fix these two issues on the server side?
> >
> > Thanks for all your help.
> >
> > _____________________________
> > Joey Proulx
> > SAU #21 Technology Support Staff
> > 2 Alumni Drive
> > Hampton, NH 03842
> > (603) 926-8992, ext 115
> > [EMAIL PROTECTED]
> >
> >
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> > (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.JunkMail". The archives can be found
> > at http://www.mail-archive.com.
>
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
--- [This E-mail scanned for viruses by Declude Virus]
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
