RE: Re[2]: [Declude.JunkMail] Cutting down on DNS
Actually, I was reading this when I thought of it, and thinking of how INVURIBL reads the links inside of an e-mail and then compares them to a configured RBL, like the recommended Invaluement paid subscription.

http://www.blue-quartz.com/rbl/

It would be much more efficient to store large numbers of IPs in DNS than it would a plain text blacklist, wouldn't it - or am I wrong about that?

This is the relevant quote from this page:

  If a blacklisted IP address is in your rbl database it will "exist" in the DNS system. For example: if you blacklisted IP 89.40.1.32 then doing a regular DNS lookup like this:

  nslookup test.rbl.mydomain.com
  nslookup 32.1.40.89.rbl.mydomain.com

  should result in a match of 127.0.0.2

I haven't figured out how to get the e-mail harvesting IP blocks out of SmarterMail yet, but if I could, then if I could script-insert them into DNS and then use that as a local RBL, do you think that would be an effective tool? Those are the spammers that are banging on my door, right?

-- Michael Cummins

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Sanford Whiteman
Sent: Saturday, July 11, 2009 3:09 AM
To: Michael Cummins
Subject: Re[2]: [Declude.JunkMail] Cutting down on DNS

> Probably a crazy question, but if I wrote a script to harvest the current
> blocks (for e-mail harvesting) out of SmarterMail (if such a thing could be
> done) would that make a good or a bad local URI?

Are you talking about turning a list of IPs into a list of dotted-decimal URIs like http://1.2.3.4 ? That doesn't make sense.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: sa...@cypressintegrated.com

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
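Added example, not part of the original thread or of the blue-quartz page: a Python sketch of the "script-insert them into DNS" step discussed above, turning a list of harvested IPs into the reversed-octet A records that the quoted lookup expects. The zone name, the IP 89.40.1.32 and the 127.0.0.2 answer come from the quote; the function names, the TTL and the sample input are assumptions constructed for illustration, and the output is standard zone-file syntax for whatever DNS server hosts the zone.

```python
import ipaddress

ZONE = "rbl.mydomain.com"  # zone name taken from the quoted example
LISTED = "127.0.0.2"       # answer the quote says a listed IP returns

# Constructed sample of a harvested block list (not real SmarterMail output).
SAMPLE = [
    "89.40.1.32   # IP used in the quoted example",
    "89.40.1.32",   # duplicate entry
    "10.0.0.5",     # private address, must not be published
    "127.0.0.1",    # loopback
    "300.1.1.1",    # not a valid IPv4 address
    "",
    "89.40.1.33",
]


def query_name(ip, zone=ZONE):
    """Return the DNSBL query name for an IPv4 address (octets reversed)."""
    addr = ipaddress.IPv4Address(str(ip))  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def zone_records(lines, zone=ZONE, ttl=300):
    """Turn harvested lines into A records; return (records, rejected).

    Blank lines and '#' comments are skipped and duplicates collapsed.
    Malformed, private, loopback and other non-global addresses are
    rejected, so a bad export cannot blacklist your own LAN or localhost.
    """
    seen, records, rejected = set(), [], []
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:
            rejected.append(text)
            continue
        if not addr.is_global:
            rejected.append(text)
        elif addr not in seen:
            seen.add(addr)
            records.append(f"{query_name(addr, zone)}. {ttl} IN A {LISTED}")
    return records, rejected


if __name__ == "__main__":
    recs, bad = zone_records(SAMPLE)
    print("\n".join(recs))
    print("rejected:", bad)
```
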
Re: Re[2]: [Declude.JunkMail] Cutting down on DNS
On Jul 10, 2009, at 12:50 PM, Scott Fisher wrote:

> SORBS is shutting down. Might want to remove that
> http://www.au.sorbs.net/

Actually their website announced that they found other hosting arrangements and will not be shutting down at this time.
RE: Re[2]: [Declude.JunkMail] Cutting down on DNS
CBL is a subset of zen.spamhaus.org so you could be double scoring that.

UCEPROTECT-2 and UCEPROTECT-1 overlap considerably. You are probably double scoring there.

DNSBL and IADB are whitelists. They would have lower scores.

SORBS is shutting down. Might want to remove that
http://www.au.sorbs.net/

Mxrate-suspicious comes along with the same DNS test as MXRate-black. So no need to disable that as it doesn't induce extra DNS traffic.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins
Sent: Friday, July 10, 2009 1:58 PM
To: declude.junkmail@declude.com
Subject: RE: Re[2]: [Declude.JunkMail] Cutting down on DNS

> And my other recommendation stands -- look into which BLs will let you
> replicate their zone/s locally.

Thank you for your advice.

Among other things, I've been reviewing the spam tests I've enabled. I thought I might share my observations with the list here, as a sounding board. Perhaps I will help someone, perhaps I will expose a poor decision.

I deactivated the following tests, because my DLAnalyzer told me that they fetched less than 3% positives over the last 9 days (an arbitrary selection):

AHBL
AHBL-DOMAINS
DNSBL
IADB
LNG
MAILPOLICE-BLOCK
MAILPOLICE-DOMAIN
MAILPOLICE-FRAUD
MAILPOLICE-HELO
MAILPOLICE-REVDNS
MAILPOLICE-REVWEBMAIL
MXRATE-SUSPICIOUS
NJABL
VIRBL

I noticed that these tests had returned the largest number of hits (for this type of test), so I thought I'd mention them:

BARRACUDA
HOSTKARMA-BLACK
ZEN
UCEPROTECT-2
UCEPROTECT-3
CBL
SORBS
UCEPROTECT-1
SPAMCOP
MXRATE-BLOCK

How does one go about replicating a zone locally to begin with? Can you replicate multiple zones locally? Should you do this on the machine that is hosting SmarterMail/Declude, or on another?

Sniffer is my best test. INVURIBL used to be fantastic, but it doesn't fare quite as well these days. Does anyone recommend anything else?

Thanks for the discussion!

-- Michael Cummins
RE: Re[2]: [Declude.JunkMail] Cutting down on DNS
IADB holds the IPs of good senders and helps reduce false positives so the hit rate may be low but it is worth having.

MAILPOLICE can be consolidated into a single lookup.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins
Sent: Friday, July 10, 2009 2:58 PM
To: declude.junkmail@declude.com
Subject: RE: Re[2]: [Declude.JunkMail] Cutting down on DNS

> And my other recommendation stands -- look into which BLs will let you
> replicate their zone/s locally.

Thank you for your advice.

Among other things, I've been reviewing the spam tests I've enabled. I thought I might share my observations with the list here, as a sounding board. Perhaps I will help someone, perhaps I will expose a poor decision.

I deactivated the following tests, because my DLAnalyzer told me that they fetched less than 3% positives over the last 9 days (an arbitrary selection):

AHBL
AHBL-DOMAINS
DNSBL
IADB
LNG
MAILPOLICE-BLOCK
MAILPOLICE-DOMAIN
MAILPOLICE-FRAUD
MAILPOLICE-HELO
MAILPOLICE-REVDNS
MAILPOLICE-REVWEBMAIL
MXRATE-SUSPICIOUS
NJABL
VIRBL

I noticed that these tests had returned the largest number of hits (for this type of test), so I thought I'd mention them:

BARRACUDA
HOSTKARMA-BLACK
ZEN
UCEPROTECT-2
UCEPROTECT-3
CBL
SORBS
UCEPROTECT-1
SPAMCOP
MXRATE-BLOCK

How does one go about replicating a zone locally to begin with? Can you replicate multiple zones locally? Should you do this on the machine that is hosting SmarterMail/Declude, or on another?

Sniffer is my best test. INVURIBL used to be fantastic, but it doesn't fare quite as well these days. Does anyone recommend anything else?

Thanks for the discussion!

-- Michael Cummins
RE: Re[2]: [Declude.JunkMail] Cutting down on DNS
> And my other recommendation stands -- look into which BLs will let you
> replicate their zone/s locally.

Thank you for your advice.

Among other things, I've been reviewing the spam tests I've enabled. I thought I might share my observations with the list here, as a sounding board. Perhaps I will help someone, perhaps I will expose a poor decision.

I deactivated the following tests, because my DLAnalyzer told me that they fetched less than 3% positives over the last 9 days (an arbitrary selection):

AHBL
AHBL-DOMAINS
DNSBL
IADB
LNG
MAILPOLICE-BLOCK
MAILPOLICE-DOMAIN
MAILPOLICE-FRAUD
MAILPOLICE-HELO
MAILPOLICE-REVDNS
MAILPOLICE-REVWEBMAIL
MXRATE-SUSPICIOUS
NJABL
VIRBL

I noticed that these tests had returned the largest number of hits (for this type of test), so I thought I'd mention them:

BARRACUDA
HOSTKARMA-BLACK
ZEN
UCEPROTECT-2
UCEPROTECT-3
CBL
SORBS
UCEPROTECT-1
SPAMCOP
MXRATE-BLOCK

How does one go about replicating a zone locally to begin with? Can you replicate multiple zones locally? Should you do this on the machine that is hosting SmarterMail/Declude, or on another?

Sniffer is my best test. INVURIBL used to be fantastic, but it doesn't fare quite as well these days. Does anyone recommend anything else?

Thanks for the discussion!

-- Michael Cummins