Re: OT, spam tips.
On 2004-10-22 14:55:48, Lupe Christoph wrote:
> Quoting tomasz abramowicz [EMAIL PROTECTED]:

> If you want that changed, file a bug against Spamassassin. But I hope
> this bug will be closed without action. SBL/XBL has too many false
> positives to rank higher.

??? - I get more than 700 every day in my SPAM-Box with the
procmail filter attached... Most are caught by sbl-xbl.spamhaus.org
and I never had FPs.

> cn-kr.blackholes.us
> dynablock.njabl.org
> bl.spamcop.net
> cbl.abuseat.org
> dnsbl-2.uceprotect.net
> taiwan.blackholes.us

Hmm, maybe I will add them to my list to get the last 5% of SPAM too :-)

> This list is most probably not what other people would use, so anybody
> who blindly copies it: don't blame me if you block mail that would have
> saved the world.

:-)

> If the sending IP address is ranked in SBL/XBL this is a good indication
> that the mail is Spam. But there are lots of other better criteria.
>
> HTH,
> Lupe Christoph

Greetings
Michelle

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Michelle Konzack Apt. 917 ICQ #328449886
50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France IRC #Debian (irc.icq.com)

#
# FLT_spamhaus
#

SUB1=`formail -zxSubject:`
DATE1=`date +"%d/%m/%Y %T"`

# Open Relay check from www.spamhaus.org uses sbl-xbl lists
# and others

## first IP ##
:0 H
* Received:.*\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
{
  RECEIVIP=${MATCH}

  :0
  * ! RECEIVIP ?? 127.0.0.1
  {
    # Pick out the four octets one by one, then join them in reverse order
    :0
    * RECEIVIP ?? ()\/[0-9]+
    {
      QUAD1=${MATCH}

      :0
      * RECEIVIP ?? [0-9]+\.\/[0-9]+
      {
        QUAD2=${MATCH}

        :0
        * RECEIVIP ?? [0-9]+\.[0-9]+\.\/[0-9]+
        {
          QUAD3=${MATCH}

          :0
          * RECEIVIP ?? [0-9]+\.[0-9]+\.[0-9]+\.\/[0-9]+
          {
            RECEIVIPREV=${MATCH}.${QUAD3}.${QUAD2}.${QUAD1}
          }
        }
      }

      ## sbl-xbl.spamhaus.org ##
      :0
      {
        REVCHECKIP=`host ${RECEIVIPREV}.sbl-xbl.spamhaus.org 2>&1 | grep -v 'not found.'`
      }

      :0
      * $ REVCHECKIP ?? 127\.0\.0\.(2|4)
      {
        :0fhw
        | formail -i "Subject: *sbl-xbl.spamhaus.org* $SUB1"

        :0
        * ^Subject:.*(*sbl-xbl.spamhaus.org*)
        ATT_SPAM/HOST_sbl-xbl.spamhaus.org/
      }

      ### cbl.abuseat.org ###
      :0
      {
        REVCHECKIP=`host ${RECEIVIPREV}.cbl.abuseat.org 2>&1 | grep -v 'not found.'`
      }

      :0
      * $ REVCHECKIP ?? 127\.0\.0\.(2|4)
      {
        :0fhw
        | formail -i "Subject: *cbl.abuseat.org* $SUB1"

        :0
        * ^Subject:.*(*cbl.abuseat.org*)
        ATT_SPAM/HOST_cbl.abuseat.org/
      }

      ### relays.ordb.org ###
      :0
      {
        REVCHECKIP=`host ${RECEIVIPREV}.relays.ordb.org 2>&1 | grep -v 'not found.'`
      }

      :0
      * $ REVCHECKIP ?? 127\.0\.0\.(2|4)
      {
        :0 fhw
        | formail -i "Subject: *relays.ordb.org* $SUB1"

        :0
        * ^Subject:.*(*relays.ordb.org*)
        ATT_SPAM/HOST_relays.ordb.org/
      }

      ### opm.blitzed.org ###
      :0
      {
        REVCHECKIP=`host ${RECEIVIPREV}.opm.blitzed.org 2>&1 | grep -v 'not found.'`
      }

      :0
      * $ REVCHECKIP ?? 127\.0\.0\.(2|4)
      {
        :0fhw
        | formail -i "Subject: *opm.blitzed.org* $SUB1"

        :0
        * ^Subject:.*(*opm.blitzed.org*)
        ATT_SPAM/HOST_opm.blitzed.org/
      }

      # list.dsbl.org #
      :0
      {
        REVCHECKIP=`host ${RECEIVIPREV}.list.dsbl.org 2>&1 | grep -v 'not found.'`
      }

      :0
      * $ REVCHECKIP ?? 127\.0\.0\.(2|4)
      {
        :0fhw
        | formail -i "Subject: *list.dsbl.org* $SUB1"

        :0
        * ^Subject:.*(*list.dsbl.org*)
        ATT_SPAM/HOST_list.dsbl.org/
      }

      ### dul.dnsbl.sorbs.org ###
      :0
      {
        REVCHECKIP=`host ${RECEIVIPREV}.dul.dnsbl.sorbs.org 2>&1 | grep -v 'not found.'`
      }

      :0
      * $ REVCHECKIP ?? 127\.0\.0\.(2|4)
      {
        :0fhw
        | formail -i "Subject: *dul.dnsbl.sorbs.org* $SUB1"

        :0
        * ^Subject:.*(*dul.dnsbl.sorbs.org*)
        ATT_SPAM/HOST_dul.dnsbl.sorbs.org/
      }

      # blackholes.mail-abuse.org #
      :0
      {
        REVCHECKIP=`host ${RECEIVIPREV}.blackholes.mail-abuse.org 2>&1 | grep -v 'not found.'`
      }

      :0
      * $ REVCHECKIP ?? 127\.0\.0\.(2|4)
      {
        :0fhw
        | formail -i "Subject: *blackholes.mail-abuse.org* $SUB1"

        :0
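
The lookup the recipe above performs (take the bracketed address from a Received: line, reverse its octets, query it under a blocklist zone, read the 127.0.0.x answer), as an added shell example that is not part of the original post. The function names and the zone dnsbl.example used to exercise it are assumptions made for this example; only dnsbl_listed needs the network.

```shell
# Added example, not from the thread. Function names are hypothetical.

# Print the first bracketed IPv4 address found in a Received: header line.
first_received_ip() {
    printf '%s\n' "$1" |
        grep -oE '\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]' | head -n 1 | tr -d '[]'
}

# Print a dotted quad reversed (192.0.2.10 -> 10.2.0.192); fail on bad input.
reverse_ipv4() {
    # Reject anything but digits and dots, and empty fields between dots.
    case $1 in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for q in "$@"; do
        [ ${#q} -le 3 ] && [ "$q" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s\n' "$4" "$3" "$2" "$1"
}

# Build the DNSBL query name for an address and a zone. Loopback is skipped,
# as in the recipe: a local hop says nothing about the sending host.
dnsbl_query_name() {
    case $1 in 127.*) return 1 ;; esac
    rev=$(reverse_ipv4 "$1") || return 1
    printf '%s.%s\n' "$rev" "$2"
}

# Read `host` output on stdin and print the 127.0.0.x codes of its A records.
# Only "has address" lines count, so resolver error text is never a listing.
dnsbl_codes() {
    sed -n 's/^.* has address \(127\.0\.0\.[0-9]\{1,3\}\)$/\1/p'
}

# Live lookup (needs network): exit 0 if listed, 1 if not, 2 on bad input.
dnsbl_listed() {
    name=$(dnsbl_query_name "$1" "$2") || return 2
    [ -n "$(host -t A "$name" 2>/dev/null | dnsbl_codes)" ]
}
```

Because dnsbl_listed only reports a listing, the caller still chooses between tagging the message, as the recipe does, and rejecting it outright.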
Re: OT, spam tips.
Quoting tomasz abramowicz [EMAIL PROTECTED]:

> sorry about the off topic, but maybe you guys at debian can fix what
> my internet provider is talking about?

No problem, spam is always interesting to look at (well, at least for me ;).

> But when I see that they use SBL/XBL yet they still pass on the message
> to users then my stomach revolts ... it's like a waiter at a restaurant
> serving a dish to a customer and saying "Please pay attention, sir, not
> to eat that dead fly you will find in the food."

If you want that changed, file a bug against Spamassassin. But I hope this bug will be closed without action. SBL/XBL has too many false positives to rank higher.

I have tested a large number of RBLs trying to find those with zero false positives but still a high number of catches. I use the ones I selected directly in postfix where they reject absolutely. The current list is:

cn-kr.blackholes.us
dynablock.njabl.org
bl.spamcop.net
cbl.abuseat.org
dnsbl-2.uceprotect.net
taiwan.blackholes.us

This list is most probably not what other people would use, so anybody who blindly copies it: don't blame me if you block mail that would have saved the world.

If the sending IP address is ranked in SBL/XBL this is a good indication that the mail is Spam. But there are lots of other better criteria.

HTH,
Lupe Christoph

-- 
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| ... putting a mail server on the Internet without filtering is like |
| covering yourself with barbecue sauce and breaking into the Charity |
| Home for Badgers with Rabies. Michael Lucas |