RE: [Declude.JunkMail] SURBL filter script
Hi Markus: I'm curious: All of this 24 messages are NDR's or Notifications send from back to the recipient. Why did these NDRs contain a blocked URL? Were they indeed wanted NDRs, or were they NDRs for Spam that wasn't delivered, which happened to have one of your users as the faked sender? Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 http://www.HM-Software.com/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Friday, April 16, 2004 04:25 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] SURBL filter script It will take a day or two before the log analysis and test check scripts are available, since I must adjust them to handle all log levels. Here are my results from 04/15/2004 Processed messages: 9832 Hold as Spam: 4728 (48% of all messages) Detected by SURBL: 2552 (54% of hold spam / 26% of all messages) FP's from SURBL: 24 All of this 24 messages are NDR's or Notifications send from back to the recipient. None of this SURBL false positives has caused a message to reach the hold weight and so become a real FP. 95% of all spam messages catched by SURBL has already reached a weight 200% of our hold weight. So inserting a initial SKIPIFWEIGHT should significantly save resources. Excellent test! Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SURBL filter script
My results from a business setting are very positive also. 294 hits. 292 SPAM 2 NotSpam (both from the declude mailing list hitting on webhosting.yahoo.com) Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 04/16/04 03:25AM It will take a day or two before the log analysis and test check scripts are available, since I must adjust them to handle all log levels. Here are my results from 04/15/2004 Processed messages: 9832 Hold as Spam: 4728 (48% of all messages) Detected by SURBL: 2552 (54% of hold spam / 26% of all messages) FP's from SURBL: 24 All of this 24 messages are NDR's or Notifications send from back to the recipient. None of this SURBL false positives has caused a message to reach the hold weight and so become a real FP. 95% of all spam messages catched by SURBL has already reached a weight 200% of our hold weight. So inserting a initial SKIPIFWEIGHT should significantly save resources. Excellent test! Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SURBL filter script
I'm curious: I'm too ;-) Why did these NDRs contain a blocked URL? Were they indeed wanted NDRs, or were they NDRs for Spam that wasn't delivered, which happened to have one of your users as the faked sender? After searching trough the logfiles I've discovered that this messages are NDR's or Notifications from other mailservers (Exchange, ...) that are in use on customers side as in-house mailserver. This MTAs are using our Mailserver as smart host/gateway. Talking with on of this customers I've discovered that they're retrieving also messages from another (old) mailbox. So I asume this NDR's contains part of the original body and so also some blacklisted URLs. Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SURBL filter script
Roger, I just downloaded the script and got it to update. Thank you. I looked through the messages on the list but I could not find what is the suggested weight for this test. Any suggestions? I am currently marking SPAM at 10 and seeing how that goes. I would like to start deleting at 20 or so. I figure I will need the following command in GLOBAL.CFG but I am not sure what to use for weight. SURBL filter D:\IMail\Declude\SURBL\surbl.txt x 0 0 The filter has 0 on each line so this means to me that if it trips on any line it will return a 0 to the processing engine and that will get added to the x in the line above. Suggestions would be appreciated. Thanx Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SURBL filter script
I looked through the messages on the list but I could not find what is the suggested weight for this test. Any suggestions? I can see that SURBL has the same efficiency as CBL, DSBL or XBL-DYNA. So maybe you can use the same weight as for this tests. At the moment I use a weight corresponding to 35% of our HOLD/DELETE weight but as this test is fairly new we have to test it for some additional days/week. Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SURBL filter script
The SURBL rbldns zone file is updated every five minutes or so, but the difference between these updates is small. I think that a filter update once or twice a day is enough. /Roger The command script that downloads the SURBL rbldns zone file, converts it to a body filter, and updates the existing filter file is available for download at http://www.botany.gu.se/download/decludescript/SURBL_filter.zi p. I have included a short readme file and added comments to the script. Wow! Great script. Downloaded, unpacked, set the script location, works fine! Any suggestions on how often we should update the file? Hourly, daily, ... Thank you Markus -- -- Roger Eriksson Botanical Institute, Göteborg University Box 461, SE 405 30 Göteborg, Sweden Visiting/delivery address: Carl Skottsbergs Gata 22 B, SE 413 19 Göteborg, Sweden Phone: +46 31 7732666 Fax: +46 31 7732677 http://www2.botany.gu.se/staff/rogeri/welcome.html --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SURBL filter script
Hi again, This version of the SURBL filter script only works under Windows 2000 and later. I will try to adjust the script so that it also can be used on Windows NT 4. /Roger Hi, The command script that downloads the SURBL rbldns zone file, converts it to a body filter, and updates the existing filter file is available for download at http://www.botany.gu.se/download/decludescript/SURBL_filter.zip. I have included a short readme file and added comments to the script. It will take a day or two before the log analysis and test check scripts are available, since I must adjust them to handle all log levels. /Roger --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SURBL filter script
The command script that downloads the SURBL rbldns zone file, converts it to a body filter, and updates the existing filter file is available for download at http://www.botany.gu.se/download/decludescript/SURBL_filter.zi p. I have included a short readme file and added comments to the script. Wow! Great script. Downloaded, unpacked, set the script location, works fine! Any suggestions on how often we should update the file? Hourly, daily, ... Thank you Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SURBL filter script
I agree. It took 10 minutes to get this test working. And many of the domains listed were in my e-mails that are (hopefully were) falling into that gray area. Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 04/14/04 04:48PM The command script that downloads the SURBL rbldns zone file, converts it to a body filter, and updates the existing filter file is available for download at http://www.botany.gu.se/download/decludescript/SURBL_filter.zi p. I have included a short readme file and added comments to the script. Wow! Great script. Downloaded, unpacked, set the script location, works fine! Any suggestions on how often we should update the file? Hourly, daily, ... Thank you Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
