Kami, the BCC test will probably be a good marriage with any DYNA or DUL
tests.

In general, I think that the BCC test will be of most use to people who
run a gateway scenario, where they don't have envelope rejection of
addresses.

Since I have that configuration, I can offer the observation that
directory-attack-lite is very common with BCCs to common prefixed names
at my domain, e.g. alice@, bob@, smith@, jones@ etc.

When you have envelope rejection, whether because the mailboxes are
local, or because you're using Sandy's alias scripts (see his email
signature for the links), any BCCs that are bogus are weeded out before
IMail saves the envelope file and passes it and the message to Declude.

When you have a gateway or a [EMAIL PROTECTED] then all email addresses are
accepted, and your server sees an inflated number of TO: and CC: and
BCC: entries as the bad guys guess common names at your organization.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Tuesday, April 12, 2005 11:21 AM
To: [email protected]
Subject: RE: [Declude.JunkMail] DYNHELO Test


Hi Darrell:

I have a number of tests like the following:

==============================================
TESTSFAILED   END   CONTAINS  [MULTIPLE.COMBO.

MINWEIGHTTOFAIL  4
MAXWEIGHT        4

TESTSFAILED   1   CONTAINS      [COMBO.AHBL]
TESTSFAILED   1   CONTAINS      [COMBO.RFC-IGNORANT]
TESTSFAILED   1   CONTAINS      [COMBO.DNSBL]
TESTSFAILED   1   CONTAINS      [COMBO.DSBL]
TESTSFAILED   1   CONTAINS      [COMBO.BLITZED]
TESTSFAILED   1   CONTAINS      [COMBO.ABUSEAT]
TESTSFAILED   1   CONTAINS      [COMBO.FIVETEN]
TESTSFAILED   1   CONTAINS      [COMBO.MAILPOLICE.rhsbl]
TESTSFAILED   1   CONTAINS      [COMBO.MAILPOLICE.dnsbl.DYNA]
TESTSFAILED   1   CONTAINS      [COMBO.NJABL]
TESTSFAILED   1   CONTAINS      [COMBO.SPAMHAUS]
TESTSFAILED   1   CONTAINS      [COMBO.SORBS]
TESTSFAILED   1   CONTAINS      [COMBO.MPBL]
TESTSFAILED   1   CONTAINS      [COMBO.SPAMCOP]
TESTSFAILED   1   CONTAINS      [COMBO.XBL]
TESTSFAILED   1   CONTAINS      [COMBO.MAILPOLICE]
==============================================

This is Multiple_Combo_4

I have this as the first test; then I have _3, _2, and _1.

This tells me how many of these groups a test has failed.  My test names
follow an OO model, so these tests are called:

[MULTIPLE.COMBO.1.2.3.4]
[MULTIPLE.COMBO.1.2.3]
[MULTIPLE.COMBO.1.2]
[MULTIPLE.COMBO.1]

Then I have combo filters that for example have:

TESTSFAILED     0       CONTAINS        [MULTIPLE.COMBO.1.2.

That tells me if at least 2 groups have failed.  The above will fail for
2, 3, or 4 groups.

So having said all the above- I have elevation tests that are based on
various factors and the above combination.

So in this case I think a logical step would be:

- have more than 2 tests failed?
- does the email have more than 5 BCCs?
- etc.

I have not played with BCC yet but if I were to do it I would definitely
test it with failure with at least 2 other ip4r groups and perhaps
REVDNS and HOLO_IP test.

Hope that helps.

Regards,
- Kami
 

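The layered MULTIPLE.COMBO filters and the elevation rule Kami sketches above can be simulated to see how they interact with a large BCC. The following is an added example, not Declude's code and not Kami's actual configuration. The filter semantics it assumes are labelled in the docstring: each `TESTSFAILED 1 CONTAINS [group]` line adds 1 to the filter weight, the filter fails at `MINWEIGHTTOFAIL` with the weight capped at `MAXWEIGHT`, the leading `TESTSFAILED END CONTAINS [MULTIPLE.COMBO.` line stops a filter once a higher MULTIPLE.COMBO test has already failed, and the `[MULTIPLE.COMBO.1.2.` match in the elevation filter is modelled as a name-prefix test. The sample messages and the BCC threshold of 5 are constructed.

```python
"""Simulation of layered "MULTIPLE.COMBO" filters plus a BCC-aware elevation rule.

Constructed example; not Declude's own code and not Kami's real config.
Assumed semantics (the thread does not spell them out):
  - each "TESTSFAILED 1 CONTAINS [group]" line adds 1 to the filter weight
    when that group is in the message's list of failed tests;
  - the filter fails when weight >= MINWEIGHTTOFAIL, weight capped at MAXWEIGHT;
  - the leading "TESTSFAILED END CONTAINS [MULTIPLE.COMBO." line stops the
    filter if a higher MULTIPLE.COMBO test has already failed, so exactly one
    MULTIPLE.COMBO.* test fires per message (the highest applicable);
  - the elevation filter's "[MULTIPLE.COMBO.1.2." match is a name-prefix test.
"""

# The sixteen ip4r/rhsbl groups listed in the Multiple_Combo_4 filter.
COMBO_GROUPS = [
    "COMBO.AHBL", "COMBO.RFC-IGNORANT", "COMBO.DNSBL", "COMBO.DSBL",
    "COMBO.BLITZED", "COMBO.ABUSEAT", "COMBO.FIVETEN",
    "COMBO.MAILPOLICE.rhsbl", "COMBO.MAILPOLICE.dnsbl.DYNA", "COMBO.NJABL",
    "COMBO.SPAMHAUS", "COMBO.SORBS", "COMBO.MPBL", "COMBO.SPAMCOP",
    "COMBO.XBL", "COMBO.MAILPOLICE",
]

# Test names produced by Multiple_Combo_4 .. _1, following the OO-style naming.
MULTIPLE_COMBO_TESTS = {
    4: "MULTIPLE.COMBO.1.2.3.4",
    3: "MULTIPLE.COMBO.1.2.3",
    2: "MULTIPLE.COMBO.1.2",
    1: "MULTIPLE.COMBO.1",
}


def combo_filter(failed, minweighttofail, maxweight):
    """One Multiple_Combo_N filter. Returns (weight, fails)."""
    # Assumed END-line behaviour: stop if a MULTIPLE.COMBO test already failed.
    if any(t.startswith("MULTIPLE.COMBO.") for t in failed):
        return 0, False
    weight = min(sum(1 for g in COMBO_GROUPS if g in failed), maxweight)
    return weight, weight >= minweighttofail


def run_multiple_combo(failed_tests):
    """Evaluate Multiple_Combo_4, _3, _2, _1 in order; return the failed-test set."""
    failed = set(failed_tests)
    for n in (4, 3, 2, 1):
        _, fails = combo_filter(failed, minweighttofail=n, maxweight=n)
        if fails:
            failed.add(MULTIPLE_COMBO_TESTS[n])
    return failed


def at_least_two_groups(failed):
    """The 'TESTSFAILED 0 CONTAINS [MULTIPLE.COMBO.1.2.' check, as a prefix test:
    matches MULTIPLE.COMBO.1.2, .1.2.3 and .1.2.3.4 but not MULTIPLE.COMBO.1."""
    return any(t.startswith("MULTIPLE.COMBO.1.2") for t in failed)


def should_elevate(failed_tests, bcc_count, max_bcc=5):
    """Elevation rule from the thread: at least 2 groups failed AND more than
    max_bcc BCC recipients. A large BCC on its own never elevates, which is
    what keeps the board/volunteer mailings safe."""
    failed = run_multiple_combo(failed_tests)
    return at_least_two_groups(failed) and bcc_count > max_bcc


# Constructed sample messages: (failed combo groups, BCC recipient count).
SAMPLES = {
    "three_listings_bcc12": ({"COMBO.SPAMHAUS", "COMBO.XBL", "COMBO.SORBS"}, 12),
    "board_mail_bcc50": (set(), 50),
    "one_listing_bcc20": ({"COMBO.SPAMCOP"}, 20),
    "four_listings_bcc3": ({"COMBO.SPAMHAUS", "COMBO.XBL", "COMBO.SORBS", "COMBO.NJABL"}, 3),
}


def evaluate_samples():
    """Map each constructed sample to its elevation decision."""
    return {name: should_elevate(f, b) for name, (f, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (f, b) in SAMPLES.items():
        print(name, sorted(run_multiple_combo(f)), "elevate" if should_elevate(f, b) else "no")
```

Only the message with three listings and a dozen BCC recipients is elevated; the 50-recipient board mailing with no listings and the four-listing message with a small BCC are left to the ordinary weights, which is the combo-only use of the BCC test the thread argues for.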
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Tuesday, April 12, 2005 2:07 PM
To: [email protected]
Subject: Re: [Declude.JunkMail] DYNHELO Test

Kami, 

Excellent point - what would you combo this with? 

Darrell 

Kami Razvan writes: 

> Darrell..
> 
> The BCC test to me is scary if used by itself- I can see it being used
> as a combo test but alone with any weight is not something I would 
> use.  We have clients that use their outlook and send 50+ people in a
> single BCC ..
> 
> Emails to boards and volunteer groups in nonprofits and political
> groups are quite typical with large BCC.
> 
> Just my 2 cents..
> 
> Regards,
> - Kami
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
> ([EMAIL PROTECTED])
> Sent: Tuesday, April 12, 2005 1:12 PM
> To: [email protected]
> Subject: [Declude.JunkMail] DYNHELO Test
> 
> Is anyone using the DYNHELO test in Declude - if so do you have any
> information on it?  What specifically is it looking for?  False
> positive
> rate?    I found it in the new global.cfg file, but did not see any 
> references to it in the manual.  
> 
> Also, for the BCC test any thoughts on what the sweet spot tends to be
> - by default it comes at 10.  Has anyone tweaked this?
> 
> Darrell
>  
> ----------------------------------------------------------------------
> ---- Try invURIBL - an advanced URI filtering test that will block
> more than 85% of all SPAM with the default configuration? Try it for 
> free http://www.invariantsystems.com/invuribl/default.htm
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
> "unsubscribe Declude.JunkMail".  The archives can be found at 
> http://www.mail-archive.com.
> 
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
MRTG
Integration, and Log Parsers. 

