RE: [Declude.JunkMail] Junkmail Tests and Configs

2003-12-22 Thread Kami Razvan
:)

Good idea... Actually great idea.. 

Thanks.. 

Kami 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Sunday, December 21, 2003 9:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Junkmail Tests and Configs

Kami,

I'm using a trick to show %ALLRECIPS% only when a message is held.  I added
an extra weight test as the hold weight and added the WARN action as
follows:

- Global.cfg -
HIGH-RECIPS    weight    x    x    10    0

- $Default$.junkmail
HIGH-RECIPS    WARN X-MailPure: RECIPIENTS: %ALLRECIPS%


This way they never see this in E-mail that passes through, and in the event
of a false positive, I can deliver the E-mail correctly.

Matt



Kami Razvan wrote:

Scott ..

Just wondering.. Don't you need to have the %ALLRECIPS% in the header 
before this works?

I know we deactivated it because it was defeating the purpose of BCC.. 
Since anyone looking at the header could see all the people being BCC'd.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Sunday, December 21, 2003 2:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Junkmail Tests and Configs


  

I've tried using the BCC tests, and i sent some email my from an 
outside webmail server.  The tests don't even show up as failing. I'm 
using one that will trigger when there are 3, 5 and 10 BCCs and I've 
sent an email with 5 bcc's, and the tests don't show up as failing at 
all.
Is there something I'm missing since I did put the line in exactly as 
you show it.



Are you running v1.75 or later?

Are these really Bcc:'s, where the E-mail address of the recipient does 
not appear in the headers when IMail receives the E-mail?

Are the Bcc: addresses addresses on your server (it is impossible to 
detect Bcc:'s on other servers)?

-Scott
  



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.



Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-12-21 Thread EN
I've tried using the BCC tests, and i sent some email my from an outside
webmail server.  The tests don't
even show up as failing. I'm using one that will trigger when there are 3, 5
and 10 BCCs and I've sent an
email with 5 bcc's, and the tests don't show up as failing at all.
Is there something I'm missing since I did put the line in exactly as you
show it.
The other tests i've used work fine, gibberish, subject spaces, etc.

- Original Message - 
From: Nick Hayer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 3:31 PM
Subject: Re: [Declude.JunkMail] Junkmail Tests and Configs


 Matt -

 Thank you much for your suggestions. I did not realize about the
 compounded scoring w/the blackholes & country test - fixed!

 I wasn't using the FiveTen tests because I thought I read in this
 list they were not that reliable - I've added them & will monitor.

 I was using the in.dnsbl.org tests, you had them omitted - as well as
 spamdomains. Any particular reason?

 Also added the BCC test - missed that one -

 Your filters have been very effective not only in catch spam but
 getting me to make my own as well eg: got my thought process going -

 Thanks again!

 -Nick

 Date sent:  Wed, 12 Nov 2003 14:23:33 -0500
 From:   Matthew Bramble [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject:Re: [Declude.JunkMail] Junkmail Tests and Configs
 Send reply to:  [EMAIL PROTECTED]

  Nick,
 
  I noticed that you are using the blackholes and a country filter.
  FYI, this will be almost all caught by the FOREIGN test so keep in
  mind that you will be adding even more points by using the three
  together and that could result in some false positives (i.e. Russian
  originators will get 9 points instead of just three by failing three
  tests).
 
  I personally fail on 10, and my scoring is going to be a lot different
  from yours.  I'm attaching the non-custom part of my config below.
  This config together with my filters (which the best ones are
  configured on your system) some header stuff from Kami and Message
  Sniffer are blocking minimally 98% on my system with hardly any issues
  with FP's.  It seems that you might be mostly failing on a score of 15,
  in which case, you might want to adjust the scores of my filters up by
  50% (which requires some adjustments inside of the files as well).
  One of the issues might be the wide range of scores that you fail on.
  My system will only block about 92% if I failed at a score of 20, so I
  have only three levels set at 10, 13 and 16, and try to keep my
  scoring tight enough so that all FP's will come in below 20.  Getting
  tighter here might be beneficial, however you would really have to
  readjust a lot of things to make that work, though not by much from
  appearances.  I would also recommend moving your whitelist into a
  filter file and only subtracting 10 or less points because spammers
  will fake reverse DNS settings and you have some domains that are
  likely to be targeted there.  That way, something that is spam should
  still fail, but it will protect from FP's on several of the RBL's.
  Here's my config:
 
  LOGLEVEL            LOW
  HOP                 0
  CONSOLE             OFF
  LOOSENSPAMHEADERS   ON

  DSBL                 ip4r   list.dsbl.org                  *           7    0
  ORDB                 ip4r   relays.ordb.org                *           7    0
  SPAMCOP              ip4r   bl.spamcop.net                 127.0.0.2   9    0
  EASYNET-DYNA         ip4r   dynablock.easynet.nl           127.0.0.2   4    0
  EASYNET-DNSBL        ip4r   blackholes.easynet.nl          127.0.0.2   5    0
  EASYNET-PROXIES      ip4r   proxies.blackholes.easynet.nl  127.0.0.2   7    0
  FIVETEN-SPAM         ip4r   blackholes.five-ten-sg.com     127.0.0.2   4    0
  FIVETEN-BULK         ip4r   blackholes.five-ten-sg.com     127.0.0.4   4    0
  FIVETEN-MULTISTAGE   ip4r   blackholes.five-ten-sg.com     127.0.0.5   5    0
  FIVETEN-SPAMSUPPORT  ip4r   blackholes.five-ten-sg.com     127.0.0.7   4    0
  FIVETEN-MISC         ip4r   blackholes.five-ten-sg.com     127.0.0.9   7    0
  BLITZEDALL           ip4r   opm.blitzed.org                *           7    0
  SBL                  ip4r   sbl.spamhaus.org               127.0.0.2   50   0
  CBL                  ip4r   cbl.abuseat.org                127.0.0.2   8    0
  SBBL                 ip4r   sbbl.they.com                  *           4    0

  SORBS-DUL            ip4r   dnsbl.sorbs.net                127.0.0.10  6    0
  SORBS-HTTP           ip4r   dnsbl.sorbs.net                127.0.0.2   6    0
  SORBS-MISC           ip4r   dnsbl.sorbs.net                127.0.0.4   6    0
  SORBS-SOCKS          ip4r   dnsbl.sorbs.net                127.0.0.3   6    0
  SORBS-SPAM           ip4r   dnsbl.sorbs.net                127.0.0.6   5    0

  MAILPOLICE-BULK      rhsbl  bulk.rhs.mailpolice.com        127.0.0.2   9    0
  MAILPOLICE-PORN      rhsbl  porn.rhs.mailpolice.com        127.0.0.2   9    0
  DSN                  rhsbl  dsn.rfc-ignorant.org           127.0.0.2   1    0
  NOABUSE              rhsbl  abuse.rfc-ignorant.org

Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-12-21 Thread R. Scott Perry

I've tried using the BCC tests, and i sent some email my from an outside
webmail server.  The tests don't
even show up as failing. I'm using one that will trigger when there are 3, 5
and 10 BCCs and I've sent an
email with 5 bcc's, and the tests don't show up as failing at all.
Is there something I'm missing since I did put the line in exactly as you
show it.
Are you running v1.75 or later?

Are these really Bcc:'s, where the E-mail address of the recipient does not 
appear in the headers when IMail receives the E-mail?

Are the Bcc: addresses addresses on your server (it is impossible to detect 
Bcc:'s on other servers)?

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-12-21 Thread EN
R. Scott,
 Thanks for the reply, I did find out what's happening before you got to me
though.  Yah
the BCC emails are showing up in the headers, and yup, i am running 1.75.

again, Thanks for the reply

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, December 21, 2003 1:45 PM
Subject: Re: [Declude.JunkMail] Junkmail Tests and Configs



 I've tried using the BCC tests, and i sent some email my from an outside
 webmail server.  The tests don't
 even show up as failing. I'm using one that will trigger when there are
3, 5
 and 10 BCCs and I've sent an
 email with 5 bcc's, and the tests don't show up as failing at all.
 Is there something I'm missing since I did put the line in exactly as you
 show it.

 Are you running v1.75 or later?

 Are these really Bcc:'s, where the E-mail address of the recipient does
not
 appear in the headers when IMail receives the E-mail?

 Are the Bcc: addresses addresses on your server (it is impossible to
detect
 Bcc:'s on other servers)?

 -Scott


RE: [Declude.JunkMail] Junkmail Tests and Configs

2003-12-21 Thread Kami Razvan
Scott ..

Just wondering.. Don't you need to have the %ALLRECIPS% in the header before
this works?

I know we deactivated it because it was defeating the purpose of BCC.. Since
anyone looking at the header could see all the people being BCC'd.

Regards,
Kami 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Sunday, December 21, 2003 2:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Junkmail Tests and Configs


I've tried using the BCC tests, and i sent some email my from an 
outside webmail server.  The tests don't even show up as failing. I'm 
using one that will trigger when there are 3, 5 and 10 BCCs and I've 
sent an email with 5 bcc's, and the tests don't show up as failing at 
all.
Is there something I'm missing since I did put the line in exactly as 
you show it.

Are you running v1.75 or later?

Are these really Bcc:'s, where the E-mail address of the recipient does not
appear in the headers when IMail receives the E-mail?

Are the Bcc: addresses addresses on your server (it is impossible to detect
Bcc:'s on other servers)?

-Scott


RE: [Declude.JunkMail] Junkmail Tests and Configs

2003-12-21 Thread R. Scott Perry

Just wondering.. Don't you need to have the %ALLRECIPS% in the header before
this works?
No.  The headers that Declude JunkMail adds aren't looked at for the 
purposes of the Bcc: test, so it doesn't matter whether you use %ALLRECIPS% 
or not.

   -Scott


Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-12-21 Thread Matthew Bramble
Kami,

I'm using a trick to show %ALLRECIPS% only when a message is held.  I 
added an extra weight test as the hold weight and added the WARN action 
as follows:

   - Global.cfg -
   HIGH-RECIPS    weight    x    x    10    0

   - $Default$.junkmail
   HIGH-RECIPS    WARN X-MailPure: RECIPIENTS: %ALLRECIPS%

This way they never see this in E-mail that passes through, and in the 
event of a false positive, I can deliver the E-mail correctly.

Matt



Kami Razvan wrote:

Scott ..

Just wondering.. Don't you need to have the %ALLRECIPS% in the header before
this works?
I know we deactivated it because it was defeating the purpose of BCC.. Since
anyone looking at the header could see all the people being BCC'd.
Regards,
Kami 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Sunday, December 21, 2003 2:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Junkmail Tests and Configs
 

I've tried using the BCC tests, and i sent some email my from an 
outside webmail server.  The tests don't even show up as failing. I'm 
using one that will trigger when there are 3, 5 and 10 BCCs and I've 
sent an email with 5 bcc's, and the tests don't show up as failing at 
all.
Is there something I'm missing since I did put the line in exactly as 
you show it.
   

Are you running v1.75 or later?

Are these really Bcc:'s, where the E-mail address of the recipient does not
appear in the headers when IMail receives the E-mail?
Are the Bcc: addresses addresses on your server (it is impossible to detect
Bcc:'s on other servers)?
   -Scott
 



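
The points raised in this sub-thread fit together: a Bcc test can only count envelope recipients on local domains that no header mentions, and a recipient list written into a header undoes Bcc unless it is added only to held mail. The sketch below is an added example, not code from the thread or from Declude; the addresses, LOCAL_DOMAINS, the hold weight of 10 and all function names are assumptions.

```python
import copy
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAINS = {"example.com"}  # assumption: domains hosted on this server
HOLD_WEIGHT = 10                 # assumption: weight at which mail is held

# Constructed message: only alice is visible in the headers.
RAW = (
    "From: sender@example.org\n"
    "To: alice@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
# Constructed SMTP envelope (RCPT TO) as seen by the receiving server.
ENVELOPE = [
    "alice@example.com", "bob@example.com", "carol@example.com",
    "dave@example.com", "erin@example.com", "frank@example.com",
]


def header_addresses(msg):
    """Addresses visible in the recipient headers, including a leaked Bcc:."""
    fields = []
    for name in ("To", "Cc", "Bcc"):
        fields.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def hidden_local_recipients(msg, envelope):
    """Envelope recipients on local domains that no header mentions."""
    visible = header_addresses(msg)
    hidden = []
    for rcpt in envelope:
        addr = rcpt.lower()
        # Recipients on other servers never reach this envelope, and
        # non-local addresses are ignored here for the same reason.
        if addr.rpartition("@")[2] in LOCAL_DOMAINS and addr not in visible:
            hidden.append(addr)
    return hidden


def bcc_tests_failed(msg, envelope, thresholds=(3, 5, 10)):
    """Names of the stepped Bcc tests whose threshold is reached."""
    count = len(hidden_local_recipients(msg, envelope))
    return [f"BCC-{n}" for n in thresholds if count >= n]


def annotate_if_held(msg, envelope, weight):
    """Copy of msg with the recipient list added only when it is held,
    so delivered mail never exposes the Bcc'd addresses."""
    out = copy.deepcopy(msg)
    if weight >= HOLD_WEIGHT:
        out["X-MailPure"] = "RECIPIENTS: " + " ".join(envelope)
    return out


if __name__ == "__main__":
    message = message_from_string(RAW)
    print(bcc_tests_failed(message, ENVELOPE))
    print(annotate_if_held(message, ENVELOPE, 12)["X-MailPure"])
```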


Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-11-12 Thread Jonathan
I'm sorry, when I said the help files .. I meant the online manual. Those 
are the files I used as a reference.

Jonathan

At 08:13 PM 11/11/2003, you wrote:

In an effort to clean up our junkmail configs, and only use valid tests, 
we cleaned out our previous tests (old services that were dead etc) and 
replaced them with the ones currently in the declude help files.  Since 
then, we've been seeing complaints of increased spam/etc.  Does anyone 
have some good configs they'd be willing to share? Good RBLs to 
use/etc.  I'd really appreciate it, it's gettin pretty bad here.
Don't go by the help files -- go by the default config files at 
http://www.declude.com/junkmail/manual.htm .  They have the tests that we 
currently recommend, which should do a very good (not perfect, though) job 
of catching spam.

   -Scott


Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-11-12 Thread Nick Hayer
Jonathan,

Here is my setup - hopefully it will help. Anyone feel free to tell 
me what I have messed up...

-Nick


#GLOBAL.CFG edited
#
#SETTINGS

CONSOLE             ON
HOP                 0
#HOPHIGH            1
IPBYPASS            127.0.0.1
LOOSENSPAMHEADERS   OFF
LOGFILE             spool\dec.log
LOGLEVEL            MID
PREWHITELIST        ON
WHITELIST           AUTH
XSENDER             ON
XSPOOLNAME          ON

#HEADERS

XINHEADER   X-Country-Chain: %COUNTRYCHAIN%
XINHEADER   X-Note: Total spam weight of this E-mail is %WEIGHT%. 
XINHEADER   X-Note: Spam tests: %TESTSFAILED%. 
XINHEADER   X-Note: Reverse DNS: %REVDNS%.
XINHEADER   X-Note: Header code: %HEADERCODE%
XINHEADER   X-Note: Queue name: %QUEUENAME%
XOUTHEADER  X-Note: Total spam weight of this e-mail is %WEIGHT%.
XOUTHEADER  X-Note: Reverse DNS %REVDNS% .

#FROMFILE
##
BADSENDERS  fromfile  e:\IMail\Declude\badaddresses.txt  x  5  0
KillListGen  fromfile  e:\IMail\Declude\Destination.txt  x  10  0

#IPFILE
##
ipblacklist  ipfile  e:\IMail\Declude\filters\ipfile.txt  x  5  0

#FILTERS
##
ADULTPHRASE  filter  e:\IMail\Declude\filters\adultphrase.txt  x  3  0
ANTI-GIBBERISHSUB  filter  e:\IMail\Declude\filters\Anti-GibberishSub.txt  x  -4  0
ANTI-Y!DIRECTED  filter  e:\IMail\Declude\filters\Anti-Y!Directed.txt  x  -11  0
BODYCURSE  filter  e:\IMail\Declude\filters\bodycurse.txt  x  3  0
BODYSEX  filter  e:\IMail\Declude\filters\bodysex.txt  x  3  0
COUNTRY  filter  e:\imail\declude\filters\country.txt  x  6  0
DBL  filter  e:\IMail\Declude\filters\dbl.txt  x  0  0
DNS_TESTS  filter  e:\IMail\Declude\filters\dns_tests.txt  x  0  0
DYNAMIC  filter  e:\IMail\Declude\filters\Dynamic.txt  x  3  0
FOREIGN  filter  e:\IMail\Declude\Filters\Foreign.txt  x  3  0
GIBBERISH  filter  e:\IMail\Declude\filters\Gibberish.txt  x  4  0
GIBBERISHSUB  filter  e:\IMail\Declude\filters\GibberishSub.txt  x  4  0
GMA_SENT  filter  e:\imail\declude\filters\gma.txt  x  0  0
MALICIOUS  filter  e:\IMail\Declude\filters\viri.txt  x  6  0
OBFUSCATION  filter  e:\IMail\Declude\filters\Obfuscation.txt  x  7  0
REVDNSCK  filter  e:\IMail\Declude\filters\revdns.txt  x  0  0
SUBJCURSE  filter  e:\IMail\Declude\filters\subjcurse.txt  x  3  0
SUBJSEX  filter  e:\IMail\Declude\filters\subjsex.txt  x  3  0
TLD-AFRICAN  filter  e:\IMail\Declude\Filters\TLD-African.txt  x  3  0
TLD-ASIAN  filter  e:\IMail\Declude\Filters\TLD-Asian.txt  x  3  0
TLD-CARIBBEAN  filter  e:\IMail\Declude\Filters\TLD-Caribbean.txt  x  3  0
TLD-CENTRALAMERICAN  filter  e:\IMail\Declude\Filters\TLD-CentralAmerican.txt  x  3  0
TLD-EASTERNEUROPEAN  filter  e:\IMail\Declude\Filters\TLD-EasternEuropean.txt  x  3  0
TLD-MIDDLEEASTERN  filter  e:\IMail\Declude\Filters\TLD-MiddleEastern.txt  x  3  0
TLD-OCEANIC  filter  e:\IMail\Declude\Filters\TLD-Oceanic.txt  x  3  0
TLD-SOUTHAMERICAN  filter  e:\IMail\Declude\Filters\TLD-SouthAmerican.txt  x  3  0
TLD-WESTERNEUROPEAN  filter  e:\IMail\Declude\Filters\TLD-WesternEuropean.txt  x  3  0
TLD-TRUSTED-HELO  filter  e:\IMail\Declude\Filters\TLD-Trusted-HELO.txt  x  0  0
TLD-TRUSTED-MAILFROM  filter  e:\IMail\Declude\Filters\TLD-Trusted-MAILFROM.txt  x  0  0
TLD-TRUSTED-REVDNS  filter  e:\IMail\Declude\Filters\TLD-Trusted-REVDNS.txt  x  0  0
VIRUSBLK  filter  e:\IMail\Declude\filters\virusblk.txt  x  50  0
WORDFILTER  filter

Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-11-12 Thread Matthew Bramble
Nick,

I noticed that you are using the blackholes and a country filter.  FYI, 
this will be almost all caught by the FOREIGN test so keep in mind that 
you will be adding even more points by using the three together and that 
could result in some false positives (i.e. Russian originators will get 
9 points instead of just three by failing three tests).

I personally fail on 10, and my scoring is going to be a lot different 
from yours.  I'm attaching the non-custom part of my config below.  This 
config together with my filters (which the best ones are configured on 
your system) some header stuff from Kami and Message Sniffer are 
blocking minimally 98% on my system with hardly any issues with FP's.  
It seems that you might be mostly failing on a score of 15, in which 
case, you might want to adjust the scores of my filters up by 50% (which 
requires some adjustments inside of the files as well).  One of the 
issues might be the wide range of scores that you fail on.  My system 
will only block about 92% if I failed at a score of 20, so I have only 
three levels set at 10, 13 and 16, and try to keep my scoring tight 
enough so that all FP's will come in below 20.  Getting tighter here 
might be beneficial, however you would really have to readjust a lot of 
things to make that work, though not by much from appearances.  I would 
also recommend moving your whitelist into a filter file and only 
subtracting 10 or less points because spammers will fake reverse DNS 
settings and you have some domains that are likely to be targeted 
there.  That way, something that is spam should still fail, but it will 
protect from FP's on several of the RBL's.  Here's my config:

LOGLEVEL            LOW
HOP                 0
CONSOLE             OFF
LOOSENSPAMHEADERS   ON
DSBL                 ip4r   list.dsbl.org                  *           7    0
ORDB                 ip4r   relays.ordb.org                *           7    0
SPAMCOP              ip4r   bl.spamcop.net                 127.0.0.2   9    0
EASYNET-DYNA         ip4r   dynablock.easynet.nl           127.0.0.2   4    0
EASYNET-DNSBL        ip4r   blackholes.easynet.nl          127.0.0.2   5    0
EASYNET-PROXIES      ip4r   proxies.blackholes.easynet.nl  127.0.0.2   7    0
FIVETEN-SPAM         ip4r   blackholes.five-ten-sg.com     127.0.0.2   4    0
FIVETEN-BULK         ip4r   blackholes.five-ten-sg.com     127.0.0.4   4    0
FIVETEN-MULTISTAGE   ip4r   blackholes.five-ten-sg.com     127.0.0.5   5    0
FIVETEN-SPAMSUPPORT  ip4r   blackholes.five-ten-sg.com     127.0.0.7   4    0
FIVETEN-MISC         ip4r   blackholes.five-ten-sg.com     127.0.0.9   7    0
BLITZEDALL           ip4r   opm.blitzed.org                *           7    0
SBL                  ip4r   sbl.spamhaus.org               127.0.0.2   50   0
CBL                  ip4r   cbl.abuseat.org                127.0.0.2   8    0
SBBL                 ip4r   sbbl.they.com                  *           4    0

SORBS-DUL            ip4r   dnsbl.sorbs.net                127.0.0.10  6    0
SORBS-HTTP           ip4r   dnsbl.sorbs.net                127.0.0.2   6    0
SORBS-MISC           ip4r   dnsbl.sorbs.net                127.0.0.4   6    0
SORBS-SOCKS          ip4r   dnsbl.sorbs.net                127.0.0.3   6    0
SORBS-SPAM           ip4r   dnsbl.sorbs.net                127.0.0.6   5    0
MAILPOLICE-BULK      rhsbl  bulk.rhs.mailpolice.com        127.0.0.2   9    0
MAILPOLICE-PORN      rhsbl  porn.rhs.mailpolice.com        127.0.0.2   9    0
DSN                  rhsbl  dsn.rfc-ignorant.org           127.0.0.2   1    0
NOABUSE              rhsbl  abuse.rfc-ignorant.org         127.0.0.4   1    0
NOPOSTMASTER         rhsbl  postmaster.rfc-ignorant.org    127.0.0.3   1    0

BONDEDSENDER         ip4r   query.bondedsender.org         127.0.0.10  -50  0

BADHEADERS      badheaders      x   x  5  0
HELOBOGUS       helovalid       x   x  4  0
MAILFROM        envfrom         x   x  7  0
IPNOTINMX       ipnotinmx       x   x  0  -2
PERCENT         percent         x   x  2  0
#REVDNS         revdnsexists    x   x  0  0
ROUTING         spamrouting     x   x  7  0
SPAMHEADERS     spamheaders     x   x  5  0
NOLEGITCONTENT  nolegitcontent  x   x  0  -1
BASE64          base64          x   x  3  0
COMMMENTS       comments        5   x  7  0
NONENGLISH      nonenglish      x   x  2  0
BCC-3           bcc             3   x  1  0
BCC-5           bcc             5   x  1  0
SUBSPACE-15     subjectspaces   15  x  1  0
SUBSPACE-25     subjectspaces   25  x  2  0
SUBSPACE-40     subjectspaces   40  x  3  0
Matt





Nick Hayer wrote:

Jonathan,

Here is my setup - hopefully it will help. Anyone feel free to tell 
me what I have messed up...

		-Nick

#GLOBAL.CFG edited
#
#SETTINGS

CONSOLE			ON
HOP			0
#HOPHIGH		1
IPBYPASS		127.0.0.1
LOOSENSPAMHEADERS	OFF
LOGFILE			spool\dec.log
LOGLEVEL		MID
PREWHITELIST		ON
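
The scoring model in the message above (each test contributes a weight, an ip4r test matches only on its listed return code, the total is compared with hold levels of 10, 13 and 16, and a whitelist entry subtracts points instead of bypassing the tests) can be worked through as follows. This is an added example, not code from the thread or from Declude; the six-column layout, the REVDNS-WL test, the sample weights, the client address and the stub resolver are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in a six-column layout assumed for this example:
#   NAME  TYPE  PARAM1  PARAM2  WEIGHT_IF_TRIGGERED  WEIGHT_IF_NOT
# Zones and test types are ones named in the thread; REVDNS-WL is hypothetical.
SAMPLE_CFG = """\
SPAMCOP     ip4r          bl.spamcop.net    127.0.0.2    9   0
SORBS-DUL   ip4r          dnsbl.sorbs.net   127.0.0.10   6   0
DSBL        ip4r          list.dsbl.org     *            7   0
BADHEADERS  badheaders    x                 x            5   0
IPNOTINMX   ipnotinmx     x                 x            0  -2
#REVDNS     revdnsexists  x                 x            0   0
REVDNS-WL   filter        x                 x          -10   0
"""

HOLD_LEVELS = (10, 13, 16)  # the three levels mentioned in the thread


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str
    param1: str
    param2: str
    weight_hit: int
    weight_miss: int


def parse_rules(text):
    """Parse whitespace-separated rule lines, skipping blanks and # comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"expected 6 columns: {raw!r}")
        name, kind, p1, p2, hit, miss = fields
        rules.append(Rule(name, kind, p1, p2, int(hit), int(miss)))
    return rules


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.45 -> 45.2.0.192.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def score(rules, ip, resolve, triggered):
    """Sum weights. resolve(name) returns the set of A records for a DNSBL
    query; triggered is the set of non-DNS test names that fired."""
    total, hits = 0, []
    for r in rules:
        if r.kind == "ip4r":
            answers = resolve(dnsbl_query_name(ip, r.param1))
            # "*" accepts any listing; otherwise the return code must match.
            hit = bool(answers) if r.param2 == "*" else r.param2 in answers
        else:
            hit = r.name in triggered
        total += r.weight_hit if hit else r.weight_miss
        if hit:
            hits.append(r.name)
    return total, hits


def level_reached(total, levels=HOLD_LEVELS):
    """Highest hold level the total reaches, or None if the mail passes."""
    reached = [lv for lv in levels if total >= lv]
    return max(reached) if reached else None


if __name__ == "__main__":
    # Constructed DNS answers for a documentation-range client address.
    dns = {"45.2.0.192.bl.spamcop.net": {"127.0.0.2"},
           "45.2.0.192.list.dsbl.org": {"127.0.0.2"}}
    rules = parse_rules(SAMPLE_CFG)
    for fired in ({"BADHEADERS", "IPNOTINMX"},
                  {"BADHEADERS", "IPNOTINMX", "REVDNS-WL"}):
        total, hits = score(rules, "192.0.2.45", lambda q: dns.get(q, set()), fired)
        print(total, level_reached(total), hits)
```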

Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-11-12 Thread Nick Hayer
Matt - 

Thank you much for your suggestions. I did not realize about the 
compounded scoring w/the blackholes & country test - fixed!

I wasn't using the FiveTen tests because I thought I read in this 
list they were not that reliable - I've added them & will monitor.

I was using the in.dnsbl.org tests, you had them omitted - as well as 
spamdomains. Any particular reason?
 
Also added the BCC test - missed that one -

Your filters have been very effective not only in catch spam but 
getting me to make my own as well eg: got my thought process going - 

Thanks again! 

-Nick

Date sent:  Wed, 12 Nov 2003 14:23:33 -0500
From:   Matthew Bramble [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:Re: [Declude.JunkMail] Junkmail Tests and Configs
Send reply to:  [EMAIL PROTECTED]

 Nick,
 
 I noticed that you are using the blackholes and a country filter. 
 FYI, this will be almost all caught by the FOREIGN test so keep in
 mind that you will be adding even more points by using the three
 together and that could result in some false positives (i.e. Russian
 originators will get 9 points instead of just three by failing three
 tests).
 
 I personally fail on 10, and my scoring is going to be a lot different
 from yours.  I'm attaching the non-custom part of my config below. 
 This config together with my filters (which the best ones are
 configured on your system) some header stuff from Kami and Message
 Sniffer are blocking minimally 98% on my system with hardly any issues
 with FP's.  It seems that you might be mostly failing on a score of 15,
 in which case, you might want to adjust the scores of my filters up by
 50% (which requires some adjustments inside of the files as well). 
 One of the issues might be the wide range of scores that you fail on. 
 My system will only block about 92% if I failed at a score of 20, so I
 have only three levels set at 10, 13 and 16, and try to keep my
 scoring tight enough so that all FP's will come in below 20.  Getting
 tighter here might be beneficial, however you would really have to
 readjust a lot of things to make that work, though not by much from
 appearances.  I would also recommend moving your whitelist into a
 filter file and only subtracting 10 or less points because spammers
 will fake reverse DNS settings and you have some domains that are
 likely to be targeted there.  That way, something that is spam should
 still fail, but it will protect from FP's on several of the RBL's. 
 Here's my config:
 
 LOGLEVEL            LOW
 HOP                 0
 CONSOLE             OFF
 LOOSENSPAMHEADERS   ON

 DSBL                 ip4r   list.dsbl.org                  *           7    0
 ORDB                 ip4r   relays.ordb.org                *           7    0
 SPAMCOP              ip4r   bl.spamcop.net                 127.0.0.2   9    0
 EASYNET-DYNA         ip4r   dynablock.easynet.nl           127.0.0.2   4    0
 EASYNET-DNSBL        ip4r   blackholes.easynet.nl          127.0.0.2   5    0
 EASYNET-PROXIES      ip4r   proxies.blackholes.easynet.nl  127.0.0.2   7    0
 FIVETEN-SPAM         ip4r   blackholes.five-ten-sg.com     127.0.0.2   4    0
 FIVETEN-BULK         ip4r   blackholes.five-ten-sg.com     127.0.0.4   4    0
 FIVETEN-MULTISTAGE   ip4r   blackholes.five-ten-sg.com     127.0.0.5   5    0
 FIVETEN-SPAMSUPPORT  ip4r   blackholes.five-ten-sg.com     127.0.0.7   4    0
 FIVETEN-MISC         ip4r   blackholes.five-ten-sg.com     127.0.0.9   7    0
 BLITZEDALL           ip4r   opm.blitzed.org                *           7    0
 SBL                  ip4r   sbl.spamhaus.org               127.0.0.2   50   0
 CBL                  ip4r   cbl.abuseat.org                127.0.0.2   8    0
 SBBL                 ip4r   sbbl.they.com                  *           4    0

 SORBS-DUL            ip4r   dnsbl.sorbs.net                127.0.0.10  6    0
 SORBS-HTTP           ip4r   dnsbl.sorbs.net                127.0.0.2   6    0
 SORBS-MISC           ip4r   dnsbl.sorbs.net                127.0.0.4   6    0
 SORBS-SOCKS          ip4r   dnsbl.sorbs.net                127.0.0.3   6    0
 SORBS-SPAM           ip4r   dnsbl.sorbs.net                127.0.0.6   5    0

 MAILPOLICE-BULK      rhsbl  bulk.rhs.mailpolice.com        127.0.0.2   9    0
 MAILPOLICE-PORN      rhsbl  porn.rhs.mailpolice.com        127.0.0.2   9    0
 DSN                  rhsbl  dsn.rfc-ignorant.org           127.0.0.2   1    0
 NOABUSE              rhsbl  abuse.rfc-ignorant.org         127.0.0.4   1    0
 NOPOSTMASTER         rhsbl  postmaster.rfc-ignorant.org    127.0.0.3   1    0

 BONDEDSENDER         ip4r   query.bondedsender.org         127.0.0.10  -50  0

 BADHEADERS      badheaders      x   x  5  0
 HELOBOGUS       helovalid       x   x  4  0
 MAILFROM        envfrom         x   x  7  0
 IPNOTINMX       ipnotinmx       x   x  0  -2
 PERCENT         percent         x   x  2  0
 #REVDNS         revdnsexists    x   x  0  0
 ROUTING         spamrouting     x

Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-11-12 Thread Matthew Bramble




Resending because I think the first one got munged.

Matt

-Original Message-
Subject: Re: [Declude.JunkMail] Junkmail Tests and Configs
Date: Wed, 12 Nov 2003 17:10:05 -0500
From: Matthew Bramble [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
References: [EMAIL PROTECTED] [EMAIL PROTECTED]

Nick,

Some of the FIVETEN tests are overzealous in catching newsletters and
other legit membership stuff, but at the same time, they fill in some
holes that other RBL's don't cover. So I've added them, but score them
low, especially since they tend to FP along with some other things
which are prone like MAILPOLICE-BULK (which would still fail my
system). I also have some counterbalances in filters for stuff that I
consider legit but tends to score high or get blocked. Some admins
don't like this stuff getting through, in which case FIVETEN is less
problematic, though FIVETEN is tagging Yahoo and will list some ISP
mailservers, though the latter tends not to not have many problems
elsewhere in my config.

Those additional DNSBL tests look promising so I will give them a try.

With the BCC tests as I have them configured, hardly does a thing on my
system, though it can help with some dictionary type BCC senders. You
could also add in a test for just one BCC, but I wouldn't score that
higher than 1 since it will catch a lot of legit stuff...but it might
help more than it hurts. Take a closer look at how I score the
SUBJECTSPACES test also, that was tried as a result of something I saw
here, and it works more effectively IMO if you step it instead of just
as a single test. Other similar tests like COMMENTS though is probably
better left as a single test because if someone does improperly use
such a thing, it is likely to appear any range of times. Scott said
setting it at 5 hits works for him and I concur.

I left out my filters which is where SPAMDOMAINS is. I do use
SPAMDOMAINS and have it scored currently at 5, but I am also using it
like so:

 @aol.com  aol.com

That helps with false positives from VERP, but it limits it to just one
REVDNS check. I'm still in the process of building my list and will
share it at least privately when it is more complete.

I did also notice some of your own custom filters. Please share if you
have any good tricks up your sleeve :)

Matt






Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-11-11 Thread R. Scott Perry

In an effort to clean up our junkmail configs, and only use valid tests, 
we cleaned out our previous tests (old services that were dead etc) and 
replaced them with the ones currently in the declude help files.  Since 
then, we've been seeing complaints of increased spam/etc.  Does anyone 
have some good configs they'd be willing to share? Good RBLs to 
use/etc.  I'd really appreciate it, it's gettin pretty bad here.
Don't go by the help files -- go by the default config files at 
http://www.declude.com/junkmail/manual.htm .  They have the tests that we 
currently recommend, which should do a very good (not perfect, though) job 
of catching spam.

   -Scott