I added in a weight for the grey listings, but it hasn’t had much impact.  A 
review of the log files shows only a few messages failing due to grey and since 
I give it a small weight, I’m not worried about false positives.  In the 
meanwhile, something Very Strange happened this morning.

An extreme spam (high score under Declude) showed up in my inbox today.  It got 
there thanks to inv-uribl.  Here are the relevant lines from the header:

X-RBL-Warning: INV-URIBL: Message failed INV-URIBL: -1066598274.
X-Declude-Sender: neomaanastaci...@keci.com [201.50.140.132]
X-Declude-Spoolname: D1c67025c00004807.smd
X-Declude-Note: Scanned by Declude 4.2.20 for spam. 
"http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [-1066598201] at 07:33:30 on 08 Apr 2011
X-Declude-Fail-WithWeight: NOLEGITCONTENT [0], IPNOTINMX [0], CBL [6], 
FIVETEN-SRC [7], ZEN [7], SORBS-DUHL [6], SPAMCOP [8], UCEPROTECT-1 [6], 
UCEPROTECT-2 [5], UCEPROTECT-3 [2], BARRACUDA [4], CMDSPACE [8], SPFUNKNOWN 
[1], SUBSPACE-12 [1], SUBSPACE-15 [1], SUBCHARS-50 [1], SUBCHARS-55 [1], 
SUBCHARS-60 [1], SNIFFER [8], INV-URIBL [-1066598274], ZEROHOUR [0]

This result was also confirmed by the line in the Declude log file:

04/08/2011 07:33:30.046 q1c67025c00004807.smd Tests failed 
[weight=-1066598201]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=WARN[0] 
IPNOTINMX=WARN[0] CBL=WARN[6] FIVETEN-SRC=WARN[7] ZEN=IGNORE[7] 
SORBS-DUHL=WARN[6] SPAMCOP=WARN[8] UCEPROTECT-1=WARN[6] UCEPROTECT-2=WARN[5] 
UCEPROTECT-3=WARN[2] BARRACUDA=IGNORE[4] CMDSPACE=WARN[8] SPFUNKNOWN=WARN[1] 
SUBSPACE-12=WARN[1] SUBSPACE-15=WARN[1] SUBCHARS-50=WARN[1] SUBCHARS-55=WARN[1] 
SUBCHARS-60=WARN[1] SNIFFER=WARN[8] INV-URIBL=WARN[-1066598274]

Now how the heck did inv-uribl generate a score of –1 billion???  I checked 
and there’s nothing like that in the config file.  So then I checked the 
inv-uribl log file and this message does not show up in the log file.  
Inv-uribl apparently didn’t process this message but did manage to give it an 
outrageous score.

Has anyone seen something like this and is it cause for concern?

Thanks,

Ben
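
A triage sketch for the log line quoted in the message above, added here as an example and not part of the original thread or of Declude: it parses the "Tests failed" line, checks that the per-test weights add up to the reported total, and flags any single test whose weight is outside a plausible range. `MAX_SANE_WEIGHT` and the function names are assumptions; the log line is re-joined from the wrapped text above.

```python
import re

# Log line from the message above, re-joined onto one line.
LOG_LINE = (
    "04/08/2011 07:33:30.046 q1c67025c00004807.smd Tests failed "
    "[weight=-1066598201]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=WARN[0] "
    "IPNOTINMX=WARN[0] CBL=WARN[6] FIVETEN-SRC=WARN[7] ZEN=IGNORE[7] "
    "SORBS-DUHL=WARN[6] SPAMCOP=WARN[8] UCEPROTECT-1=WARN[6] UCEPROTECT-2=WARN[5] "
    "UCEPROTECT-3=WARN[2] BARRACUDA=IGNORE[4] CMDSPACE=WARN[8] SPFUNKNOWN=WARN[1] "
    "SUBSPACE-12=WARN[1] SUBSPACE-15=WARN[1] SUBCHARS-50=WARN[1] SUBCHARS-55=WARN[1] "
    "SUBCHARS-60=WARN[1] SNIFFER=WARN[8] INV-URIBL=WARN[-1066598274]"
)

TOTAL_RE = re.compile(r"\[weight=(-?\d+)\]")
TEST_RE = re.compile(r"([A-Z0-9-]+)=([A-Z]+)\[(-?\d+)\]")  # NAME=ACTION[weight]
MAX_SANE_WEIGHT = 100  # assumption: no single test is configured above this


def parse_tests_failed(line):
    """Return (reported_total, [(test, action, weight), ...])."""
    total = TOTAL_RE.search(line)
    if total is None:
        raise ValueError("not a 'Tests failed' line")
    tests = [(n, a, int(w)) for n, a, w in TEST_RE.findall(line)]
    return int(total.group(1)), tests


def as_uint32_hex(value):
    """Show a signed 32-bit value the way an exit or status code is written."""
    return "0x%08X" % (value & 0xFFFFFFFF)


def triage(line, limit=MAX_SANE_WEIGHT):
    total, tests = parse_tests_failed(line)
    outliers = [(n, w, as_uint32_hex(w)) for n, _, w in tests if abs(w) > limit]
    return {
        "reported_total": total,
        "sum_of_tests": sum(w for _, _, w in tests),
        "outliers": outliers,
        # What the message would have scored had the outlier been dropped.
        "score_without_outliers": sum(w for _, _, w in tests if abs(w) <= limit),
    }


if __name__ == "__main__":
    print(triage(LOG_LINE))
```

The flagged weight prints as 0xC06D007E, which is the code the Visual C++ delay-load helper raises when a module cannot be found. Whether the weight here originated as a process exit code is an assumption the thread does not confirm.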


From: IMail Admin
Sent: Wednesday, April 06, 2011 10:23 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?

Hi Scott,

It looks to me like you only score the black and not the grey or red listings.  
The config I have, which would have come from someone else or the default 
because I’ve never tried tweaking inv-uribl, scores black and red but not grey. 
 I’m thinking of scoring grey with a small score but I was waiting to see 
response on the list such as yours.

Thanks,

Ben

From: Scott Fisher
Sent: Wednesday, April 06, 2011 6:50 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] How do you read the Inv-Uribl log file?

The 127.0.0.4 is a gray listing for the uribl.   I personally don’t score the 
gray result because of too many false positives.



    <!--URI LIST 2-->
    <add key="URIBL_List2" value="multi.uribl.com" />
    <add key="URIBL_Weight_List2" value="0" />
    <!-- BitValue_2 = comes from black.uribl.org -->
    <!-- BitValue_4 = comes from grey.uribl.org -->
    <add key="Enable_Custom_Bitmask_Values_URIBL_List2" value="true" />
    <add key="URI_Bitmask_BitValue_1_Weight_URIBL_List2" value="0" />
    <add key="URI_Bitmask_BitValue_2_Weight_URIBL_List2" value="75" />
    <add key="URI_Bitmask_BitValue_4_Weight_URIBL_List2" value="0" />
    <add key="URI_Bitmask_BitValue_8_Weight_URIBL_List2" value="0" />
    <add key="URI_Bitmask_BitValue_16_Weight_URIBL_List2" value="0" />
    <add key="URI_Bitmask_BitValue_32_Weight_URIBL_List2" value="0" />
    <add key="URI_Bitmask_BitValue_64_Weight_URIBL_List2" value="0" />
    <add key="URI_Bitmask_BitValue_128_Weight_URIBL_List2" value="0" />





-----Original Message-----
From: Imail Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, April 05, 2011 7:34 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] How do you read the Inv-Uribl log file?



So I'm still looking at ways to make Inv-Uribl more effective.  I'm getting a 
lot of spam that gets through my system with relatively marginal score so I'm 
looking at the Inv-Uribl log.  Here are the lines for a message that I would 
consider to be obviously spam, yet came through Inv-Uribl as "Clean":



2011-03-31 02:53:09.343 2011-03-31 02:53:12.484 
D:\IMail\spool\proc\work\D5d0b028c0000100f.smd netcontentinc.com 127.0.0.4 URI 
from message body found in multi.uribl.com [4] [Total Weight=0]
2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 
D:\IMail\spool\proc\work\D5d0b028c0000100f.smd Resolved netcontentinc.com to 
207.65.119.238 [Total Weight=0]
2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 
D:\IMail\spool\proc\work\D5d0b028c0000100f.smd Resolved avantresources.com to 
216.139.251.42 [Total Weight=0]
2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 
D:\IMail\spool\proc\work\D5d0b028c0000100f.smd Resolved bcwebhost.net to 
173.164.65.196 [Total Weight=0]

Did I miss something here that should have triggered a score (additional spam 
weight in Declude)?



Thanks,



Ben
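
The bitmask scoring discussed in the reply and the log lines in this original message, combined into one added example (not code from the thread or from Inv-Uribl): it re-scores logged multi.uribl.com hits under a given set of per-bit weights, so a proposed grey weight can be checked against existing logs before it goes into the config. `GREY_WEIGHTS`, the second log line, and summing hits per message are assumptions.

```python
import re
from collections import defaultdict

# Per-bit weights copied from the URIBL_List2 config quoted in the reply.
SCOTT_WEIGHTS = {1: 0, 2: 75, 4: 0, 8: 0, 16: 0, 32: 0, 64: 0, 128: 0}
# Hypothetical variant: the same config with a small weight on the grey bit.
GREY_WEIGHTS = {**SCOTT_WEIGHTS, 4: 2}

HIT_RE = re.compile(
    r"(?P<spool>\S+\.smd) (?P<domain>\S+) 127\.0\.0\.(?P<mask>\d{1,3}) "
    r"URI from message body found in (?P<zone>\S+)"
)

# First line is the hit from the message above, re-joined; the second is constructed.
LOG = [
    r"2011-03-31 02:53:09.343 2011-03-31 02:53:12.484 "
    r"D:\IMail\spool\proc\work\D5d0b028c0000100f.smd netcontentinc.com 127.0.0.4 "
    r"URI from message body found in multi.uribl.com [4] [Total Weight=0]",
    r"2011-03-31 02:55:00.000 2011-03-31 02:55:01.000 "
    r"D:\IMail\spool\proc\work\Dexample0001.smd both-lists.example 127.0.0.6 "
    r"URI from message body found in multi.uribl.com [6] [Total Weight=75]",
    r"2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 "
    r"D:\IMail\spool\proc\work\D5d0b028c0000100f.smd Resolved netcontentinc.com to "
    r"207.65.119.238 [Total Weight=0]",
]


def bits_set(mask):
    """Split the last octet of a 127.0.0.x reply into its individual bit values."""
    return [b for b in (1, 2, 4, 8, 16, 32, 64, 128) if mask & b]


def rescore(lines, weights):
    """Return {spool file: weight} that the logged hits would earn under `weights`."""
    totals = defaultdict(int)
    for line in lines:
        m = HIT_RE.search(line)
        if m is None:
            continue  # "Resolved ..." lines carry no list reply
        spool = m["spool"].rsplit("\\", 1)[-1]
        # Assumption: weights of all set bits are added, and hits add up per message.
        totals[spool] += sum(weights[b] for b in bits_set(int(m["mask"])))
    return dict(totals)


if __name__ == "__main__":
    print("current :", rescore(LOG, SCOTT_WEIGHTS))
    print("proposed:", rescore(LOG, GREY_WEIGHTS))
```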




--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type "unsubscribe 
Declude.JunkMail". The archives can be found at http://www.mail-archive.com.