Re: [Declude.JunkMail] How to add extra points to this

[Matt]

2 cents from out East.  I wouldn't add much more punishment for URIBL and Sniffer because the data is cross-checked and that can cause the same bad piece of data to be replicated across both tests.  This is mostly apparent with bulk-mailers and obscure foreign domains, though I don't claim that is is extraordinarily common.  I would definitely however give a lot more weight to something that failed CBL, SBL, SpamCop, DUL lists, and most any open relay list in combination with URIBL.  Same goes for Sniffer.  The trick here is that the contributing factors to being listed is much more isolated and therefore stronger in comparison. Matt Colbeck, Andrew wrote: "I will think about a special filter test with a keyword what should be able to get rid of more of this SPAM."   Goran, I suggest that making a "combo" test that awards more weight when both Message Sniffer and your URI external test trigger will be a better value for you, as it will be far more wide-ranging than merely adding keywords for the current campaign.   Andrew 8)   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic Sent: Monday, March 06, 2006 1:31 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] How to add extra points to this And just for the record the CBL, SBL, and SBL-XBL tests that you mentioned are now listed are all the same thing; only CBL is really listing the IP address, while SBL and SBL-XBL are including the CBL result.   Our favorite R. Scott Perry has added a little summary at the top of DNSSTUFF when you look up an IP in the SPAM databases. I just did a cut and paste from there. I only test the combined sbl-xbl.spamhaus.org zone.   I may decide to go to adding weight for Countries but I find that a bit risky. I have many different customers.   I will think about a special filter test with a keyword what should be able to get rid of more of this SPAM.   Thanks   Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew Sent: Monday, March 06, 2006 3:03 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] How to add extra points to this   Message Sniffer plus any URI blacklist test is a powerful and reliable combination.  You could add keywords to make it an even stronger weight if you wanted to maintain that.   You could also implement the COUNTRY filter and give a little nudge weight for CO (Colombia) if you think you get very little spam from there; if you do, I'd suggest adding Brazil, Peru and Venezuela in there too.   And just for the record the CBL, SBL, and SBL-XBL tests that you mentioned are now listed are all the same thing; only CBL is really listing the IP address, while SBL and SBL-XBL are including the CBL result.   Scott recently posted to the list a whole handful of "combo" tests that he finds reliable.  If you're not keeping messages from this list, you might want to check the web archive for his posting(s).   Andrew 8)     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic Sent: Monday, March 06, 2006 7:36 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] How to add extra points to this Hi   Here are the headers from a bunch of SPAM that is slipping through.   Subject:    Re: Para7mcy news To:         [EMAIL PROTECTED] From:       [EMAIL PROTECTED] REV DNS:    corporativos244254-29.etb.net.co Date:       06 Mar 2006 at 02:42:18 Tests Failed:     IPNOTINMX [0], NOLEGITCONTENT [0], SNIFFER [7], INV-URIBL [15], SIZE-BT-1KB-5KB [1] Weight:           23 Spool File: De7c016fa0086126d.smd   To view the E-mail, just click the attachment.   Headers: Received: from nicsweb.com [201.244.254.29] by mail1.omeganetworksolutions.net   (SMTPD32-8.15) id A7C116FA0086; Mon, 06 Mar 2006 02:41:53 -0500 Message-ID: <[EMAIL PROTECTED]> Reply-To: "Pallav Jenkins" <[EMAIL PROTECTED]> From: "Pallav Jenkins" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: Para7mcy news Date: Mon, 6 Mar 2006 02:41:25 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative;       boundary="----=_NextPart_000_0001_01C640C7.764CC4D0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106   As you can see the sending server is not blacklisted. SNIFFER and invURIBL pick it up but it is not high enough (need 30 to delete).   I checked the IP http://www.dnsstuff.com/tools/whois.ch?ip=201.244.254.29 and it belongs to ETB in Columbia   I check senderbase http://www.senderbase.org/search?searchString=201.244.254.29 from what I understand a magnitude of 2.7 is not a lot   Checking DNSSTUFF now http://www.dnsstuff.com/tools/ip4r.ch?ip=201.244.254.29 shows that it is blacklisted by CBL CSMA-SBL DNSBLNETAUT1 SBL-XBL SPAMCOP   Arrgh – it was listed a little while after this message went through.   In any case does anyone have any good ideas on how to block this SPAM when it is not on the black lists?   I have thought of writing a filter that checks for both SNIFFER and INVURIBL and if the subject has the word NEWS in it then add another 5 (or so points).   Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.