Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?

2011-04-08 Thread IMail Admin
I added in a weight for the grey listings, but it hasn’t had much impact.  A 
review of the log files shows only a few messages failing due to grey and since 
I give it a small weight, I’m not worried about false positives.  In the 
meanwhile, something Very Strange happened this morning.

An extreme spam (high score under Declude) showed up in my inbox today.  It got 
there thanks to inv-uribl.  Here are the relevant lines from the header:

X-RBL-Warning: INV-URIBL: Message failed INV-URIBL: -1066598274.
X-Declude-Sender: neomaanastaci...@keci.com [201.50.140.132]
X-Declude-Spoolname: D1c67025c4807.smd
X-Declude-Note: Scanned by Declude 4.2.20 for spam. 
http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-1066598201] at 07:33:30 on 08 Apr 2011
X-Declude-Fail-WithWeight: NOLEGITCONTENT [0], IPNOTINMX [0], CBL [6], 
FIVETEN-SRC [7], ZEN [7], SORBS-DUHL [6], SPAMCOP [8], UCEPROTECT-1 [6], 
UCEPROTECT-2 [5], UCEPROTECT-3 [2], BARRACUDA [4], CMDSPACE [8], SPFUNKNOWN 
[1], SUBSPACE-12 [1], SUBSPACE-15 [1], SUBCHARS-50 [1], SUBCHARS-55 [1], 
SUBCHARS-60 [1], SNIFFER [8], INV-URIBL [-1066598274], ZEROHOUR [0]

This result was also confirmed by the line in the Declude log file:

04/08/2011 07:33:30.046 q1c67025c4807.smd Tests failed 
[weight=-1066598201]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=WARN[0] 
IPNOTINMX=WARN[0] CBL=WARN[6] FIVETEN-SRC=WARN[7] ZEN=IGNORE[7] 
SORBS-DUHL=WARN[6] SPAMCOP=WARN[8] UCEPROTECT-1=WARN[6] UCEPROTECT-2=WARN[5] 
UCEPROTECT-3=WARN[2] BARRACUDA=IGNORE[4] CMDSPACE=WARN[8] SPFUNKNOWN=WARN[1] 
SUBSPACE-12=WARN[1] SUBSPACE-15=WARN[1] SUBCHARS-50=WARN[1] SUBCHARS-55=WARN[1] 
SUBCHARS-60=WARN[1] SNIFFER=WARN[8] INV-URIBL=WARN[-1066598274]

Now how the heck did inv-uribl generate a score of –1 billion???  I checked 
and there’s nothing like that in the config file.  So then I checked the 
inv-uribl log file and this message does not show up in the log file.  
Inv-uribl apparently didn’t process this message but did manage to give it an 
outrageous score.

Has anyone seen something like this and is it cause for concern?

Thanks,

Ben



Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?

2011-04-08 Thread Nick Hayer
It crashed - threw an exception and either Declude was unsure of what to do 
with it or that was the score it returned.  I have seen this happen when I 
was developing my own app.

-Nick

MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm







Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?

2011-04-08 Thread IMail Admin
Makes sense.  Thanks.


Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?

2011-04-08 Thread Darin Cox
We've seen this a lot with Inv-URIBL.  You can patch it somewhat by putting in 
a counterweight for Inv-URIBL when it crashes.  There is a small set of scores 
to adjust for.

Darin.
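
Added example (not from any poster, and not Declude or Inv-URIBL code): a Python check over Declude's `Tests failed` log lines that flags a test weight far outside any configured range, shows it as the 32-bit value a crashed process would hand back, and recomputes the score without it. The 1000-point bound and the function names are assumptions; the first sample line is the entry quoted in the thread, re-joined onto one line.

```python
import re
from collections import Counter

# Constructed sample: the "Tests failed" entry quoted in the thread, re-joined
# onto one line, plus one made-up ordinary entry for contrast.
SAMPLE_LOG = [
    "04/08/2011 07:33:30.046 q1c67025c4807.smd Tests failed "
    "[weight=-1066598201]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=WARN[0] "
    "IPNOTINMX=WARN[0] CBL=WARN[6] FIVETEN-SRC=WARN[7] ZEN=IGNORE[7] "
    "SORBS-DUHL=WARN[6] SPAMCOP=WARN[8] UCEPROTECT-1=WARN[6] UCEPROTECT-2=WARN[5] "
    "UCEPROTECT-3=WARN[2] BARRACUDA=IGNORE[4] CMDSPACE=WARN[8] SPFUNKNOWN=WARN[1] "
    "SUBSPACE-12=WARN[1] SUBSPACE-15=WARN[1] SUBCHARS-50=WARN[1] SUBCHARS-55=WARN[1] "
    "SUBCHARS-60=WARN[1] SNIFFER=WARN[8] INV-URIBL=WARN[-1066598274]",
    "04/08/2011 07:35:02.110 q0000constructed.smd Tests failed "
    "[weight=9]: SPAMCOP=WARN[8] SPFUNKNOWN=WARN[1]",
]

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) Tests failed \[weight=(-?\d+)\]: (.*)$")
TEST_RE = re.compile(r"([A-Za-z0-9_-]+)=([A-Z]+)\[(-?\d+)\]")

# Assumption: no legitimately configured test weight exceeds this magnitude.
MAX_PLAUSIBLE_WEIGHT = 1000


def parse_tests_failed(line):
    """Split one 'Tests failed' entry into spool name, total and per-test weights."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    stamp, spool, total, rest = m.groups()
    tests = [(name, action, int(w)) for name, action, w in TEST_RE.findall(rest)]
    return {"time": stamp, "spool": spool, "total": int(total), "tests": tests}


def as_dword(weight):
    """View a signed 32-bit weight as the unsigned value a process exit code holds.

    Severity 3 (both top bits set) is the pattern Windows uses for error-level
    exception codes, which fits the crash explanation given in the thread.
    """
    dword = weight & 0xFFFFFFFF
    return {
        "hex": f"0x{dword:08X}",
        "severity": dword >> 30,
        "facility": (dword >> 16) & 0xFFF,
        "code": dword & 0xFFFF,
    }


def audit_log(lines, limit=MAX_PLAUSIBLE_WEIGHT):
    """Return one finding per message whose score contains an implausible weight."""
    findings = []
    for line in lines:
        rec = parse_tests_failed(line)
        if rec is None:
            continue
        outliers = [
            {"test": name, "weight": w, **as_dword(w)}
            for name, _action, w in rec["tests"]
            if abs(w) > limit
        ]
        if outliers:
            sane = sum(w for _n, _a, w in rec["tests"] if abs(w) <= limit)
            findings.append({
                "spool": rec["spool"],
                "reported_total": rec["total"],
                "score_without_outliers": sane,
                "outliers": outliers,
            })
    return findings


def crash_weights(lines, limit=MAX_PLAUSIBLE_WEIGHT):
    """Count each distinct (test, bogus weight) pair: the values to offset."""
    seen = Counter()
    for line in lines:
        rec = parse_tests_failed(line)
        if rec is None:
            continue
        for name, _action, w in rec["tests"]:
            if abs(w) > limit:
                seen[(name, w)] += 1
    return seen


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
    print(dict(crash_weights(SAMPLE_LOG)))
```

Run over a day's log, `crash_weights` gives the distinct bogus values, and `score_without_outliers` shows what each affected message would have scored.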



Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?

2011-04-06 Thread IMail Admin
That’s a good idea, so I looked at what I have in the config file:

<!--URI LIST 2-->
<add key="URIBL_List2" value="multi.uribl.com" />
<add key="URIBL_Weight_List2" value="0" />
<!-- BitValue_2 = comes from black.uribl.org -->
<!-- BitValue_4 = comes from grey.uribl.org -->
<!-- BitValue_8 = comes from red.uribl.org -->
<add key="Enable_Custom_Bitmask_Values_URIBL_List2" value="true" />
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List2" value="7" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List2" value="2" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List2" value="0" />

I’m not an expert, but this seems to say that showing up in the black, grey, or 
red lists gets you scores of 7, 0, 2 corresponding to bitmask results of 
127.0.0.2, 127.0.0.4, and 127.0.0.8.  So then I went to the uribl.com web site 
to look up the definitions of these lists:

■ black.uribl.com
- This list contains domain names belonging to and used by spammers, including 
but not restricted to those that appear in URIs found in Unsolicited Bulk 
and/or Commercial Email (UBE/UCE). This list has a goal of zero False 
Positives. This zone rebuilds frequently as new data is added.
■ grey.uribl.com
- This list contains domains found in UBE/UCE, and possibly honour opt-out 
requests. It may include ESPs which allow customers to import their recipient 
lists and may have no control over the subscription methods. This list can and 
probably will cause False Positives depending on your definition of UBE/UCE. 
This zone rebuilds several times a day as necessary.
■ red.uribl.com
- This list contains domains that actively show up in mail flow, are not listed 
on URIBL black, and are either: being monitored, very young (domain age via 
whois), or use whois privacy features to protect their identity. This list is 
automated in nature, so please use at your own risk.

From this, I don’t understand why red would rate a score of 2 and grey a score 
of 0.  It seems to me that grey is in between black and red, and should 
probably have a score of 3 or 4.  In my system, that kind of score wouldn’t be 
enough to cause the message to be treated as spam (my Declude threshold for 
“ordinary email” is 5), but it would if combined with other failed tests.

Any thoughts on this?

Thanks,

Ben




--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type unsubscribe 
Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
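
Added example (not part of any message in the thread, and not Inv-URIBL's own code): a Python sketch of the bitmask-to-weight mapping discussed in the message above, applied to the `netcontentinc.com` log entry quoted in the thread. It assumes the settings are ordinary `<add key="…" value="…" />` XML entries, that the last octet of the `multi.uribl.com` reply is the bitmask, and that the weights of all set bits are added together; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed: the settings from the message above with XML markup restored and
# a root element added so the fragment parses on its own.
CONFIG = """<appSettings>
  <add key="URIBL_List2" value="multi.uribl.com" />
  <!-- BitValue_2 = black, BitValue_4 = grey, BitValue_8 = red -->
  <add key="Enable_Custom_Bitmask_Values_URIBL_List2" value="true" />
  <add key="URI_Bitmask_BitValue_1_Weight_URIBL_List2" value="0" />
  <add key="URI_Bitmask_BitValue_2_Weight_URIBL_List2" value="7" />
  <add key="URI_Bitmask_BitValue_4_Weight_URIBL_List2" value="0" />
  <add key="URI_Bitmask_BitValue_8_Weight_URIBL_List2" value="2" />
</appSettings>"""

# Log entry quoted in the thread, re-joined onto one line.
LOG_LINE = (r"2011-03-31 02:53:09.343 2011-03-31 02:53:12.484 "
            r"D:\IMail\spool\proc\work\D5d0b028c100f.smd netcontentinc.com 127.0.0.4 "
            r"URI from message body found in multi.uribl.com [4] [Total Weight=0]")

LIST_NAMES = {2: "black", 4: "grey", 8: "red"}  # from the config comments

HIT_RE = re.compile(
    r"^\S+ \S+ \S+ \S+ (?P<spool>\S+\.smd) (?P<domain>\S+) "
    r"(?P<reply>\d+\.\d+\.\d+\.\d+) URI from message body found in "
    r"(?P<zone>\S+) \[(?P<mask>\d+)\] \[Total Weight=(?P<weight>-?\d+)\]$"
)


def load_bit_weights(xml_text, list_id="List2"):
    """Read URI_Bitmask_BitValue_<n>_Weight_URIBL_<list> settings into {bit: weight}."""
    pattern = re.compile(rf"URI_Bitmask_BitValue_(\d+)_Weight_URIBL_{list_id}")
    weights = {}
    for node in ET.fromstring(xml_text).iter("add"):
        m = pattern.fullmatch(node.get("key", ""))
        if m:
            weights[int(m.group(1))] = int(node.get("value"))
    return weights


def score(reply_ip, weights):
    """Return (bits set in the reply, summed weight) for a 127.0.0.x answer."""
    octets = reply_ip.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError(f"not a URIBL-style reply: {reply_ip}")
    mask = int(octets[3])
    bits = [b for b in (1, 2, 4, 8, 16, 32, 64, 128) if mask & b]
    # Assumption: weights of all set bits are summed; unconfigured bits count 0.
    return bits, sum(weights.get(b, 0) for b in bits)


def parse_hit(line):
    """Parse a 'URI from message body found in ...' entry; other lines give None."""
    m = HIT_RE.match(line.strip())
    return m.groupdict() if m else None


def rescore(line, weights):
    """Compare the weight written in the log with the weight a config would give."""
    hit = parse_hit(line)
    if hit is None:
        return None
    bits, total = score(hit["reply"], weights)
    return {
        "domain": hit["domain"],
        "lists": [LIST_NAMES.get(b, str(b)) for b in bits],
        "logged_weight": int(hit["weight"]),
        "weight": total,
    }


if __name__ == "__main__":
    current = load_bit_weights(CONFIG)
    print(rescore(LOG_LINE, current))            # grey hit, weight 0 as logged
    print(rescore(LOG_LINE, {**current, 4: 3}))  # same hit if grey scored 3
```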

RE: [Declude.JunkMail] How do you read the Inv-Uribl log file?

2011-04-06 Thread Scott Fisher
The 127.0.0.4 is a gray listing for the uribl.   I personally don't score
the gray result because of too many false positives.



<!--URI LIST 2-->
<add key="URIBL_List2" value="multi.uribl.com" />
<add key="URIBL_Weight_List2" value="0" />
<!-- BitValue_2 = comes from black.uribl.org -->
<!-- BitValue_4 = comes from grey.uribl.org -->
<add key="Enable_Custom_Bitmask_Values_URIBL_List2" value="true" />
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List2" value="75" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List2" value="0" />







Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?

2011-04-06 Thread IMail Admin
Hi Scott,

It looks to me like you only score the black and not the grey or red listings.  
The config I have, which would have come from someone else or the default 
because I’ve never tried tweaking inv-uribl, scores black and red but not grey. 
 I’m thinking of scoring grey with a small score but I was waiting to see 
response on the list such as yours.

Thanks,

Ben



re: [Declude.JunkMail] How do you read the Inv-Uribl log file?

2011-04-05 Thread Nick Hayer
maybe it scores bitmask results and 127.0.0.4 response is not tagged?

-Nick

MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm






From: Imail Admin imailad...@bcwebhost.net
Sent: Tuesday, April 05, 2011 8:36 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] How do you read the Inv-Uribl log file?


So I'm still looking at ways to make Inv-Uribl more effective.  I'm getting a
lot of spam that gets through my system with relatively marginal score so I'm
looking at the Inv-Uribl log.  Here are the lines for a message that I would
consider to be obviously spam, yet came through Inv-Uribl as Clean:

2011-03-31 02:53:09.343 2011-03-31 02:53:12.484 D:\IMail\spool\proc\work\D5d0b028c100f.smd netcontentinc.com 127.0.0.4 URI from message body found in multi.uribl.com [4] [Total Weight=0]
2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved netcontentinc.com to 207.65.119.238 [Total Weight=0]
2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved avantresources.com to 216.139.251.42 [Total Weight=0]
2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved bcwebhost.net to 173.164.65.196 [Total Weight=0]

Did I miss something here that should have triggered a score (additional spam
weight in Declude)?

Thanks,

Ben

