> Thank you Marcus for the very informative analysis. I see
> that we're not using some of the more accurate tests (because
> our global.cfg file is a little out of date). A number of
> these tests are not defined in Declude's example global.cfg
> file. Can you supply a global.cfg (or part of one) with an
> example test definition for each of these tests?

Maybe it's me that isn't using the standard global.cfg file :-)

Here are some comments and information about the tests used:

BADHEADERS BASE64 HEUR10 MAILFROM NOLEGITCONTENT ROUTING SPAMHEADERS

These are all standard tests from the default config file. At the moment I don't have CMDSPACE because I need Imail v8+ to whitelist all connecting MS email clients.

AUTOWHITE1 SPAMCHK

These are two external tests.

For AUTOWHITE you can ask John Tolmachoff on this list. Even if the percentage of "right vote for legit message" seems not very high, I consider it very good, because it works practically without any false positives (except if certain mail worms begin to use real mailfrom addresses). So with this test you can subtract a lot of points for every message coming from an address your customer has already sent some messages to.

SpamChk is an external test from Wolfgang Riedmann and me. More information can be found on www.spamchk.com. I consider it as a subset of content-based tests. SpamChk will not return static +5 points or -3 points. Based on the cumulative internal result it has a variable return weight between -x and +y.

AHBLDOMAINS AHBLPROXIES AHBLSOURCES BHOLE-CHINA BHOLE-CN-KR BHOLE-JAPAN
BHOLE-KOREA BHOLE-MALAYSIA BHOLE-NIGERIA BHOLE-SINGAPORE BHOLE-THAILAND
BLITZEDALL CBL DSBL DSN FABEL FIVETEN-FREE FIVETEN-MISC FIVETEN-SPAMSUP
FIVETEN-SRC INTERSIL IPWHOIS KOREASPAM MAILPOLICE-BULK MAILPOLICE-PORN
NJABL NJABLDUL NJABLPROXIES NOABUSE NOPOSTMASTER ORDB SBL SECURITYSAGE
SORBS-HTTP SORBS-MISC SORBS-SMTP SORBS-SOCKS SORBS-SPAM SORBS-WEB
SORBS-ZOMBIE SPAMBAG SPAMCOP SPAMHAUS UCEB XBL-DYNA

These are all DNS-based IP blacklist lookups. For more information please refer to http://www.declude.com/Junkmail/support/ip4r.htm
Maybe these results can also be used by Imail Spamfilter users.

I've also created some matrix results to show which two tests correspond more or less in their results. This is to discover if I can remove certain "useless" tests.
If you want you can have a look at http://www.zcom.it/spamtest/results1.html but in this form I fear it will be a little bit overkill.

Orange fields are the percentage of congruity (the lower the better)
Green fields are the percentage of non-congruity (the higher the better)

But this matrix at the moment does not show really valid results because it's based on "only" 4191 messages from one day.

BLKLST-COUNTRY

This test is based on Declude's IP<>country lookup. The results look good, but if I tell you that I give 5% of my hold weight to every message coming from the USA it wouldn't help most users on this list. For other foreign countries I assign 20% or more of my hold weight because I receive not very much but practically only spam from there. From the USA we receive a lot of legit messages but way more spam. This is only because our MTA has more than 80% "European traffic". I will look into splitting this test into USA and non-USA to get separate results.

HELOBOGUS

Standard Declude test

HOUR

This is a new Declude test to assign or subtract certain points during business or free time. So for example I can see that between 11:00pm and 7:00am our MTA will process relatively more spam than legit messages: http://www.zcom.it/decludeupdater/returncodes.pdf

So instead of saying: I'll add a default weight of x to every message coming in between 11pm and 07am
I prefer to say: In this time range we reduce our hold weight from 100 to 95

Note: The results in this case are showing a mixed result and so many false positives (red bars). Between 02/28 and 03/16 I also subtracted 2 little points for every message coming in during business time. This created too many "false negatives" for spam messages. So I've changed the configuration to assign only a small positive weight for messages coming in during free time.

REVDNS

Standard Declude test

SPAMDOMAINS-H SPAMDOMAINS-L

Two separate lists for Declude's SPAMDOMAINS test.
The H(igh) file contains domains for which I haven't seen false positives until now. If this happens I'll move the domain to the L(ow) file. You can find a current SPAMDOMAINS file in the Declude archives.

BLKLIST-DAILY BLKLIST-FROMF

These are regularly updated blacklist files from http://www.imagefxonline.net/apps/delog/daily.txt and http://www.imagefxonline.net/apps/delog/fromfile.txt
Thanks to Tom!

BLKLST-DOMAIN BLKLST-NIGERIAN BLKLST-URL60

These are two regularly updated Declude filter files maintained by Kami Razwan. He's offering many more of these files. Search the (Declude) archives for more information.

EHLOFILTER

You need to define your own filter for your own MTA. But for example there shouldn't be any case where some other MTA is connecting to your mail server and indicates your own IP as HELO/EHLO string.

ZAPTHEDINGBAT

Matt is offering several "programmatic" filter files that at the moment are not part of these official results, because I am still trying to play around with them and don't have full-time results. You can go to http://www.mailpure.com/software/decludefilters/ to find more information.

Markus
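
Added example, not part of the original message and not the code behind the linked matrix: one way to compute a pairwise congruity matrix between tests in order to spot candidates for removal. It assumes congruity means the share of messages hit by both tests among messages hit by either one; the function names, the 70% threshold and the sample hit data are constructed for illustration.

```python
from itertools import combinations

# Constructed sample: message id -> set of tests that fired (not real log data).
SAMPLE = {
    "m1": {"SPAMCOP", "CBL", "XBL-DYNA"},
    "m2": {"SPAMCOP", "CBL"},
    "m3": {"CBL", "XBL-DYNA", "REVDNS"},
    "m4": {"REVDNS"},
    "m5": {"SPAMCOP", "CBL", "XBL-DYNA"},
    "m6": {"HELOBOGUS", "REVDNS"},
}


def hits_by_test(messages):
    """Invert message -> tests into test -> set of message ids."""
    hits = {}
    for msg_id, tests in messages.items():
        for test in tests:
            hits.setdefault(test, set()).add(msg_id)
    return hits


def congruity_matrix(messages):
    """Percentage overlap for every pair of tests.

    Assumed definition: |A and B| / |A or B| * 100, counted over the
    messages on which at least one of the two tests fired.
    """
    hits = hits_by_test(messages)
    matrix = {}
    for a, b in combinations(sorted(hits), 2):
        both = hits[a] & hits[b]
        either = hits[a] | hits[b]
        matrix[(a, b)] = round(100 * len(both) / len(either), 1)
    return matrix


def redundant_pairs(messages, threshold=70.0):
    """Pairs whose congruity is at or above the (constructed) threshold."""
    matrix = congruity_matrix(messages)
    return sorted(pair for pair, pct in matrix.items() if pct >= threshold)


if __name__ == "__main__":
    for pair, pct in sorted(congruity_matrix(SAMPLE).items()):
        print(f"{pair[0]:10} {pair[1]:10} {pct:5.1f}%")
    print("candidates for removal:", redundant_pairs(SAMPLE))
```

A high value only says two tests fire on the same messages; whether those hits are spam or legit still has to be checked before dropping either test.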
