Re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX
try jackie99 MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: "Pete McNeil" Sent: Friday, April 08, 2011 5:26 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX On 4/8/2011 3:49 PM, IMail Admin wrote: > Theyâ?Tre true spam, but the other tests donâ?Tt confirm it and my delete > threshold is 12 (although I would be happy to get just to 10 on these > spams). If you're not already using truncate.gbudb.net DNSBL then that might also allow you to add some weight. http://www.gbudb.com/truncate/index.jsp _M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX
On 4/8/2011 3:49 PM, IMail Admin wrote: > They’re true spam, but the other tests don’t confirm it and my delete > threshold is 12 (although I would be happy to get just to 10 on these > spams). If you're not already using truncate.gbudb.net DNSBL then that might also allow you to add some weight. http://www.gbudb.com/truncate/index.jsp _M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX
On 4/8/2011 3:49 PM, IMail Admin wrote: For example, I weight Sniffer at 8, so I get a lot of spam that score 8. They’re true spam, but the other tests don’t confirm it and my delete threshold is 12 (although I would be happy to get just to 10 on these spams). One way you might get there (part of the time anyway) -- The OEM version of SNF in Declude exposes the IP reputation component. If you add weigh based on the IP reputation and consider that as an additional test, then you will be able to hold/delete some spam with just two results from SNF. Consider that if SNF finds a pattern match it will generate a result other than 20, 40, or 63. So, if you get a result of, say, 57 - and you also have an IP reputation that is sufficiently bad, then you would be able to consider those two "tests" as independent and so you should be able to score them so that you hold/delete the spam. When SNF returns a pattern match result - the IP reputation component is trained, but does not itself have any bearing on the result that is returned. When the IP reputation (GBUdb) component of SNF does have a bearing on the result the pattern engine component does not and those results are 20, 40, or 63. Hope this helps, _M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX
I would suggest combo-ing sniffer with other tests - and make the penalty very small at first until you gain confidence in the results. -Nick Here is a old sample combo-sniffer.txt file - use it as a guide - not in production.. SKIPIFWEIGHT26 TESTSFAILEDENDNOTCONTAINSEXTERNAL.SNIFFER TESTSFAILED2CONTAINSF5SPAMMONKEY TESTSFAILED2CONTAINS10SPAMMONKEY HEADERS5CONTAINSX-Alligate-AddrSpace: Failed TESTSFAILED2CONTAINSFILTER.ALLIGATE TESTSFAILED4CONTAINSFILTER.STATICSPAMMER_MAILFROM COUNTRIES6CONTAINSCN COUNTRIES6CONTAINSKR COUNTRIES6CONTAINSCH TESTSFAILED6CONTAINSFILTER.BADCOUNTRYNORVDNS TESTSFAILED2CONTAINSFILTER.COMBO.SUSPECIOUS TESTSFAILED5CONTAINSFILTER.DYNA TESTSFAILED8CONTAINSFILTER.INVESTMENT TESTSFAILED5CONTAINSFILTER.LOTTERY TESTSFAILED3CONTAINSFILTER.MORTGAGE TESTSFAILED5CONTAINSFILTER.HEALTH_INS TESTSFAILED5CONTAINSFILTER.NIGERIAN.SCAM TESTSFAILED2CONTAINSFILTER.REV_DNS TESTSFAILED3CONTAINSIP4R.SBL TESTSFAILED2CONTAINSIP4R.SPAMCOP TESTSFAILED2CONTAINSIP4R.XBL TESTSFAILED3CONTAINSIPFILE.HOSTS TESTSFAILED9CONTAINSIPFILE.KILL TESTSFAILED3CONTAINSIPFILE.NETWORKS TESTSFAILED6CONTAINSIPFILE.SUSPICIOUS.HOST TESTSFAILED2CONTAINSIPFILE.SUSPICIOUS.NETWRK TESTSFAILED3CONTAINSXBL( TESTSFAILED3CONTAINSTEST.DYNHELO TESTSFAILED3CONTAINSTEST.ROUTING TESTSFAILED1CONTAINSTEST.SPAMHEADERS TESTSFAILED3CONTAINSTEST.BADHEADERS TESTSFAILED3CONTAINSTEST.REVDNS TESTSFAILED3CONTAINSIP4R.ZENSPAMHAUS MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: "IMail Admin" Sent: Friday, April 08, 2011 3:51 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX Thanks. Now that you've posted this I have to apologize because I recall reading this years ago. The problem I'm struggling with is that I get a lot of spam that fail many tests and ends up being deleted, but I also get a lot of true spam that fails only one test, usually Sniffer, and I'd like to find test(s) that would incrementally confirm the spam and push it to the next threshold. For example, I weight Sniffer at 8, so I get a lot of spam that score 8. They're true spam, but the other tests don't confirm it and my delete threshold is 12 (although I would be happy to get just to 10 on these spams). Any suggestions welcome. Thanks, Ben From: Nick Hayer Sent: Friday, April 08, 2011 12:23 PM To: Declude.JunkMail@declude.com Subject: re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX the defs are in the junkmail manual https://www.declude.com/searchresults.asp?Cat=109 IPNOTINMX - The IPNOTINMX test is good for helping reduce false positives. By default, Declude JunkMail will subtract several points from the weighting system when an email does not fail this test (which is very different from the way a spam test normally works). WARNING: The IPNOTINMX should NOT be used to detect spam! It will be triggered when an email is sent from an IP address that is not in its MX record. Although this test will catch a lot of spam (perhaps 80%), it will also catch a lot of legitimate mail (as quite a few larger mailers will send their mail through a different mail server than they use to receive mail). NOLEGITCONTENT - Like the IPNOTINMX test, the NOLEGITCONTENT test is good for helping reduce false positives. By default, Declude JunkMail will subtract several points from the weighting system when an email does not fail this test (which is very different from the way a spam test normally works). WARNING: The NOLEGITCONTENT test should NOT be used to detect spam! It will be triggered Declude JunkMail does not detect any legitimate content in an email. NOTE: Some legitimate email will fail this test, but almost all spam will fail it. The best 'test' is a 'combo' test where it takes several unrelated tests to fail before you wack the email w/a penalty. -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: "IMail Admin" Sent: Friday, April 08, 2011 1:38 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] How do you use NOLEGITCON
Re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX
Thanks. Now that you’ve posted this I have to apologize because I recall reading this years ago. The problem I’m struggling with is that I get a lot of spam that fail many tests and ends up being deleted, but I also get a lot of true spam that fails only one test, usually Sniffer, and I’d like to find test(s) that would incrementally confirm the spam and push it to the next threshold. For example, I weight Sniffer at 8, so I get a lot of spam that score 8. They’re true spam, but the other tests don’t confirm it and my delete threshold is 12 (although I would be happy to get just to 10 on these spams). Any suggestions welcome. Thanks, Ben From: Nick Hayer Sent: Friday, April 08, 2011 12:23 PM To: Declude.JunkMail@declude.com Subject: re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX the defs are in the junkmail manual https://www.declude.com/searchresults.asp?Cat=109 IPNOTINMX - The IPNOTINMX test is good for helping reduce false positives. By default, Declude JunkMail will subtract several points from the weighting system when an email does not fail this test (which is very different from the way a spam test normally works). WARNING: The IPNOTINMX should NOT be used to detect spam! It will be triggered when an email is sent from an IP address that is not in its MX record. Although this test will catch a lot of spam (perhaps 80%), it will also catch a lot of legitimate mail (as quite a few larger mailers will send their mail through a different mail server than they use to receive mail). NOLEGITCONTENT - Like the IPNOTINMX test, the NOLEGITCONTENT test is good for helping reduce false positives. By default, Declude JunkMail will subtract several points from the weighting system when an email does not fail this test (which is very different from the way a spam test normally works). WARNING: The NOLEGITCONTENT test should NOT be used to detect spam! It will be triggered Declude JunkMail does not detect any legitimate content in an email. NOTE: Some legitimate email will fail this test, but almost all spam will fail it. The best 'test' is a 'combo' test where it takes several unrelated tests to fail before you wack the email w/a penalty. -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: "IMail Admin" Sent: Friday, April 08, 2011 1:38 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX In all this work on inv-uribl, I realized that my system scores 0 for NOLEGITCONTENT and IPNOTINMX. I would just be following the default, so that leads to the question: what is the purpose of these tests and do other people assign them scores? --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX
the defs are in the junkmail manual https://www.declude.com/searchresults.asp?Cat=109 IPNOTINMX - The IPNOTINMX test is good for helping reduce false positives. By default, Declude JunkMail will subtract several points from the weighting system when an email does not fail this test (which is very different from the way a spam test normally works). WARNING: The IPNOTINMX should NOT be used to detect spam! It will be triggered when an email is sent from an IP address that is not in its MX record. Although this test will catch a lot of spam (perhaps 80%), it will also catch a lot of legitimate mail (as quite a few larger mailers will send their mail through a different mail server than they use to receive mail). NOLEGITCONTENT - Like the IPNOTINMX test, the NOLEGITCONTENT test is good for helping reduce false positives. By default, Declude JunkMail will subtract several points from the weighting system when an email does not fail this test (which is very different from the way a spam test normally works). WARNING: The NOLEGITCONTENT test should NOT be used to detect spam! It will be triggered Declude JunkMail does not detect any legitimate content in an email. NOTE: Some legitimate email will fail this test, but almost all spam will fail it. The best 'test' is a 'combo' test where it takes several unrelated tests to fail before you wack the email w/a penalty. -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: "IMail Admin" Sent: Friday, April 08, 2011 1:38 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX In all this work on inv-uribl, I realized that my system scores 0 for NOLEGITCONTENT and IPNOTINMX. I would just be following the default, so that leads to the question: what is the purpose of these tests and do other people assign them scores? --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.