Re: [Declude.JunkMail] Performance question concerning custom filters
Is there any measurable performance impact to removing all extraneous lines from a custom filter file (comments, etc.)? In other words, are these files read into memory every time Declude is run, meaning that you have to move more data around for each message that is scanned? Or maybe due to some other related impact that would benefit from trimming down all of the extraneous data? There would be a very slight performance improvement by removing extraneous line from filter files. However, it is unlikely that the improvement would be noticeable. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] FOREIGN/TLD Filter Set v2.0.0
Hi all. I just posted a new set of filters which are used to score foreign marked messages, noting the very high incidence with foreign marked (real foreign and fake foreign) messages being spam in the United States. The FOREIGN test is about as thorough as could be, though it would be virtually as effective if some of the types of tests were excluded (HEADERS searches). The TLD-[Region] tests take this set of filters to the next level. These filters split up all ccTLD's into one of 9 regions (excluding North America), and they are designed to assess a score on E-mail containing regionally dissimilar MAILFROM, HELO and REVDNS data. A message that has only one of the three containing a ccTLD will receive an extra punishment of 2 points (on a scale of 10). A message with two ccTLD's within the same region will receive just one point, and zero points will be assessed where all three elements contain a ccTLD from the same region. There has been a rash of spam from crud spammers using programs that randomize many of the message elements, including the MAILFROM and HELO information, and frequently this information will be dissimilar (several have asked recently about how to catch this stuff). The REVDNS data of course can't be changed when you are using a zombie machine. So if the spammer randomizes those two elements to contain ccTLD's from different regions, either 3, 4 or 6 additional points will be levied on the message in addition to the FOREIGN filter punishment. The score depends on if the REVDNS entry is on a gTLD, or yet another regionally dissimilar ccTLD. I've also included some additional filters meant only to be used for evaluation. They are the TLD-TRUSTED-[Type] filters, and they will not generate any score, and can certainly be excluded in order to increase performance. All of the filters are fairly efficient, mostly searching short strings with ENDSWITH searches, though performance could be increased by removing the HEADERS searches in the FOREIGN filter without much of a drawback. I've included an extensive description of how the filters work. It's a little convoluted, however I have been using a variation of this set for a with very good results. Please take time to read the description carefully before installing the filters and asking questions. It would be a good idea to keep the discussion in the public view on this list so that others can benefit from what is said, after all, that's how I learned much of what I know about them. Download the FOREIGN/TLD Filter Set from the following site: MailPure :: Filter Software :: Declude Filters http://www.mailpure.com/software/decludefilters/ Enjoy, Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [0] RE: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02]
Title: Message I just wanted to confirm that the Statistical filtering is after Declude does it's thing so letting IMail score for spam does no good for sorting in Declude? -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Kami RazvanSent: Monday, September 08, 2003 3:49 AMTo: [EMAIL PROTECTED]Subject: [0] RE: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02] Oh Oh... Interesting... I sure will. So I am imagining things... has happened before. I will try to add up the weights and see - I will review the archives now.. so perhaps that explains why the headers show up at the bottom of the header and not at the top like the IP4R tests of IMail. thanks for the info... that sure was a case of false sense of security. Regards, Kami -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill LandrySent: Sunday, September 07, 2003 4:55 PMTo: [EMAIL PROTECTED]Subject: Re: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02] Hmmm, how is it possible for Declude JunkMail to track the statistical filtering headerwhen statistical filtering does not happen until after Declude has finished its message processing and handed the message back to IMail for delivery? Search the archives, there was a discussion between Sandy Whiteman and I a few months back about this. Bill - Original Message - From: Kami Razvan To: [EMAIL PROTECTED] Sent: Sunday, September 07, 2003 12:47 PM Subject: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02] Hi; Just wondering if others have experimented with the Statistical Filtering of IMail. I am simply sharing what I have seen so far since last week. I started testing it last week and so far it is showing good results. Several instances it was enough weight to block a spam that would have otherwise gone through with our filters. I simply enabled Statistical Filtering and chose Insert Header option. then added the following to our header filter: HEADERS 3 CONTAINS X-IMAIL-SPAM-STATISTICS: 0.9HEADERS 5 CONTAINS X-IMAIL-SPAM-STATISTICS: 1. So far anything with 1 has been spam and several 0.9's are seen that all have been spam. Basically I have not seen a false positive with the above. I may increase their weights.. but need more time to test. Anyone else has any experience? Regards, Kami
