No problem, Todd.

To answer your question in the other thread, yes, more specific is more
better.  On the other hand, you also have to look at what you're really
trying to counterweight.

In this case, you could certainly counterweight both the REVDNS of their
mailserver, and the particular MAILFROM email address too, but after
visiting the site, I suspect that you really don't care about the
MAILFROM.

You can use the

REVDNS -30 ENDSWITH .ibsys.com

Just fine.  If you do use a MAILFROM, don't use much weight, because
viruses harvest all email addresses from the infectee and report them
back to the virus writer or spammer, and that address becomes a spoofed
MAILFROM later down the road.

Viruses also spoof the HELO, so a:

HELO -30 ENDSWITH comcast.com

Or

REVDNS -30 ENDSWITH .comcast.com

Would be a bad thing to put in your counterweight file, because a virus
is quite likely to come from a zombie on that network.

What I'd suggest you do for ibsys.com is look at your FILTER-SPAM test
and see why it gave 15 points to this email.

You will likely get better mileage (i.e. spend less of your time on your
counterweight file making exceptions for MTAs) by assigning only
incremental points to text values in your filter files; don't look for
the "big win" by blocking small text phrases or small bits of text in a
URL.

To go the extra mile (hey, a driving theme today [pun intended]) why not
decide which IP4R tests you trust, and/or which external tests you
trust, and cancel the dangerously punitive text files?

At the top of your FILTER-SPAM test, you *could* put in:

TESTSFAILED END CONTAINS MXRATE-ALLOW

And then messages like this sample wouldn't have received any points
from the FILTER-SPAM test, you would save CPU time on your server, save
your user's time in figuring out that they didn't receive that inbound
message, and save your time on finding the false positives and making
counterweight entries.

The downside of making a "cancel line" in your filter files is that
MXRATE-ALLOW will trigger on, say, a well-known ISP's MTA, and you
*want* to do content filtering on, say, scam text that is so common from
HotMail, Yahoo!, and various international free webmail providers that
you wouldn't otherwise hear about.

Most Declude users end up with filter files that are focused on kinds of
spam and tweak their "cancel lines" accordingly.

There is a great deal of art to this science.

Andrew 8)
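
An added example, not part of the original message and not Declude's code: a simplified Python model of the weighted filter lines discussed above, using the weights and hostnames from the header and nslookup output quoted in this thread. The END semantics, the `BODY` stand-in line for FILTER-SPAM, and the function names are assumptions.

```python
# Simplified model of Declude-style weighted filter lines (assumed semantics,
# not Declude's code): "FIELD WEIGHT OP VALUE" adds WEIGHT when the line matches;
# "FIELD END OP VALUE" stops the file, keeping the weight accumulated so far.
OPS = {
    "ENDSWITH": lambda field, value: field.lower().endswith(value.lower()),
    "CONTAINS": lambda field, value: value.lower() in field.lower(),
}

def run_filter(text, msg):
    """Score one filter file against a message dict of field name -> string."""
    total = 0
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or line.lstrip().startswith("#"):
            continue  # skip blanks, comments and malformed lines
        field, weight, op, value = parts
        if op not in OPS or not OPS[op](msg.get(field, ""), value):
            continue
        if weight.upper() == "END":
            break  # cancel line: stop processing this file
        total += int(weight)
    return total

# Values taken from the header and nslookup output quoted in this thread.
MSG = {
    "REVDNS": "treets100.ibsys.com",
    "HELO": "treetso101.mtc.ibsys.com",
    "TESTSFAILED": "MXRATE-ALLOW HELOBOGUS GIBBERISH",
    "BODY": "KETV.com Noon Headlines click here",  # constructed body text
}
OTHER_TESTS = {"MXRATE-ALLOW": -3, "HELOBOGUS": 5, "GIBBERISH": 4}

# Constructed stand-in for the FILTER-SPAM file (its real lines are not shown).
FILTER_SPAM = "BODY 15 CONTAINS click here"
CANCEL = "TESTSFAILED END CONTAINS MXRATE-ALLOW\n"

def total_weight(filter_spam, counterweight=""):
    """Total score: other tests + FILTER-SPAM + optional counterweight file."""
    base = sum(OTHER_TESTS.values())
    return base + run_filter(filter_spam, MSG) + run_filter(counterweight, MSG)

if __name__ == "__main__":
    print("as received:", total_weight(FILTER_SPAM))
    print("with cancel line:", total_weight(CANCEL + FILTER_SPAM))
    print("with counterweight:",
          total_weight(FILTER_SPAM, "REVDNS -30 ENDSWITH .ibsys.com"))
    print("REVDNS line written with the HELO name:",
          total_weight(FILTER_SPAM, "REVDNS -30 ENDSWITH treetso101.mtc.ibsys.com"))
```

The last case leaves the score unchanged because the reverse DNS name does not end with the HELO hostname, which is the mismatch pointed out in the quoted reply below.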



> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Todd Richards
> Sent: Thursday, November 09, 2006 12:42 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Negative weight isn't working
> 
> Thanks Andrew.  I'm starting to catch on.  The good news is 
> that everyone "else" thinks I'm a miracle worker because of 
> the drastic decrease in spam.
> One of these days I'll break down and tell them the truth.  
> So if you all happen to start getting "Thank You" cards from 
> people you don't know, that's probably why...
> 
> Todd
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Colbeck, Andrew
> Sent: Thursday, November 09, 2006 2:23 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Negative weight isn't working
> 
> Todd, do this from a command line:
> 
> C:\Temp>nslookup 66.187.204.25
> Server:  Andrew's.obfuscated.dns.server
> Address:  192.168.0.1
> 
> Name:    treets100.ibsys.com
> Address:  66.187.204.25
> 
> C:\Temp> 
> 
> That tells me that your REVDNS won't match, because their 
> reverse DNS is
> *not* the same as the HELO value that you used for your REVDNS test.
> 
> The same is also true for your use of the MAILFROM, which 
> does not have to match the From: address you see in the 
> header. Look at the
> X-Declude-Sender: line in the header that has been marked up. 
>  The MAILFROM was really "[EMAIL PROTECTED]".
> 
> Andrew 8)
> 
> 
> 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Todd Richards
> > Sent: Thursday, November 09, 2006 11:44 AM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] Negative weight isn't working
> > 
> > OK, here is an update with the header of the particular message.
> > 
> > Todd
> > 
> > 
> > Received: from treetso101.mtc.ibsys.com [66.187.204.25] by 
> > mail.nnepa.com with ESMTP
> >   (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600
> > Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST)
> > From: "KETV.com Newsroom" <[EMAIL PROTECTED]>
> > Reply-to: [EMAIL PROTECTED]
> > Message-Id: <[EMAIL PROTECTED]>
> > X-unsub: ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006
> > Subject: [21]   KETV.com Noon Headlines
> > To: <[EMAIL PROTECTED]>
> > Content-type: text/html; charset=us-ascii
> > X-RBL-Warning: MXRATE-ALLOW: "GOOD SENDER"
> > X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com has no MX or A records [0301].
> > X-RBL-Warning: FILTER-SPAM: Message failed FILTER-SPAM test (line 55, weight 15)
> > X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 76, weight 4)
> > X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10.
> > X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25]
> > X-Declude-Spoolname: D6ccc089300002bf7.smd
> > X-Declude-RefID: 
> > X-Declude-Note: Scanned by Declude 4.3.14 for spam.
> > "http://www.declude.com/x-note.htm";
> > X-Declude-Scan: Incoming Score [21] at 12:01:18 on 09 Nov 2006
> > X-Declude-Fail: MXRATE-ALLOW [-3], HELOBOGUS [5], FILTER-SPAM [15], GIBBERISH [4], WEIGHT10 [10], WEIGHT15 [15], WEIGHT19 [19], WEIGHT19a [19]
> > X-Country-Chain: UNITED STATES->destination
> > X-RCPT-TO: <[EMAIL PROTECTED]>
> > Status: U
> > X-UIDL: 463090338
> > X-IMail-ThreadID: 6ccc089300002bf7
> > X-Antivirus: AVG for E-mail 7.5.431 [268.14.0/524]
> > 
> >  
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Todd Richards
> > Sent: Thursday, November 09, 2006 1:19 PM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] Negative weight isn't working
> > 
> > Hi David -
> > 
> > OK, it appears that it is running the test.  Here is a snip of the
> > log:
> > 
> > 11/09/2006 13:14:20.937 q7df6083c00003523.smd Doing filter file 
> > D:\imail\Declude\Filters\FILTER-SPAM.txt.
> > 11/09/2006 13:14:21.312 q7df6083c00003523.smd Doing filter file 
> > D:\imail\Declude\Filters\FILTER-GERMAN.txt.
> > 11/09/2006 13:14:21.390 q7df6083c00003523.smd Doing filter file 
> > D:\imail\Declude\Filters\FILTER-SURBL.txt.
> > 11/09/2006 13:14:21.390 q7df6083c00003523.smd Filter: Will stop at 
> > first hit.
> > 11/09/2006 13:14:21.781 q7df6083c00003523.smd Doing filter file 
> > D:\iMail\Declude\Filters\Gibberish.txt.
> > 11/09/2006 13:14:22.875 q7df6083c00003523.smd Doing filter file 
> > D:\iMail\Declude\Filters\Anti-Gibberish.txt.
> > 11/09/2006 13:14:23.953 q7df6083c00003523.smd Doing filter file 
> > D:\imail\Declude\Filters\FILTER-COUNTRY.txt.
> > 11/09/2006 13:14:23.953 q7df6083c00003523.smd Checking
> > countries:  US .
> > 11/09/2006 13:14:23.953 q7df6083c00003523.smd Doing filter file 
> > D:\IMail\Declude\filters\allowlist_low.txt.
> > 11/09/2006 13:14:23.953 q7df6083c00003523.smd Doing filter file 
> > D:\IMail\Declude\filters\allowlist_med.txt.
> > 11/09/2006 13:14:23.953 q7df6083c00003523.smd Doing filter file 
> > D:\IMail\Declude\filters\allowlist_high.txt.
> > 11/09/2006 13:14:23.968 q7df6083c00003523.smd nIPNOTINMX:-3 . 
> >  Total weight = -3.
> > 
> > However, before I ran the Debug mode I had one of the emails in
> > question caught in the trap, and there was nothing in the headers
> > about an "allowlist_med".  Which means that there must be something
> > not right in the filter itself.  This particular newsletter is listed
> > in my ALLOWLIST_MED as a MAILFROM with the full email address of
> > [EMAIL PROTECTED]  Is there a better way to do that?
> > 
> > Should I wait to see what the logs look like on the debug mode when 
> > the next one comes through later today?
> > 
> > Todd
> > 
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> > David Barker
> > Sent: Thursday, November 09, 2006 12:07 PM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] Negative weight isn't working
> > 
> > Todd,
> > 
> > Run your global.cfg on DEBUG see if the test is being called correctly.
> > 
> > David B
> > www.declude.com
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Todd Richards
> > Sent: Thursday, November 09, 2006 11:54 AM
> > To: declude.junkmail@declude.com
> > Subject: [Declude.JunkMail] Negative weight isn't working
> > 
> > Hi Everyone -
> >  
> > I've been playing with some negative weighting, but it doesn't seem to
> > be working.  I have the following in my global.cfg file (down towards
> > the bottom):
> >  
> > ALLOWLIST_MED  filter  D:\IMail\Declude\filters\allowlist_med.txt x -30 0
> > 
> > In my allowlist_med.txt file, I have the following entries:
> > MAILFROM    0       ENDSWITH        [EMAIL PROTECTED]
> > REVDNS      0       ENDSWITH        .asaenet.org
> > 
> > However, these messages are still getting caught.  When I look at the
> > headers, it doesn't even appear that it is running this test.  I have
> > the test listed in $default$.junkmail as ALLOWLIST_MED  WARN
> > 
> > And in diags.txt as
> > ALLOWLIST_MED  FILTER
> > 
> > I would like to add some others as well but need to get at least one
> > working first.
> > 
> > Any help is appreciated (as always)!
> > 
> > Todd
> > 
> > 
> > 
> > 
> > 
> > ---
> > This E-mail came from the Declude.JunkMail mailing list.  To 
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
> > "unsubscribe Declude.JunkMail".  The archives can be found at 
> > http://www.mail-archive.com.