[MBF] Re: False positives rising with SORBS

[John Tolmachoff]

Tina what you are doing is giving a double fail to the return code 127.0.0.6. 

If you check the sorbs.net website, you would find this explanation:

new.spam.dnsbl.sorbs.net - List of hosts that have been noted as sending
                              spam/UCE/UBE to the admins of SORBS within the 
last
                              48 hours.
recent.spam.dnsbl.sorbs.net - List of hosts that have been noted as sending
                              spam/UCE/UBE to the admins of SORBS within the 
last
                              28 days (includes new.spam.dnsbl.sorbs.net).

So in other words you should NOT be using BOTH checks. 

HOWEVER, what is BETTER and more EFFICIANT is to only query dnsbl.sorbs.net and 
then use the various return codes for different tests.

John T
eServices For You

-----Original Message-----
From: "Tina Cline" <tina.cl...@270net.com>
Sent: Thursday, January 22, 2015 8:34am
To: community@mailsbestfriend.com
Subject: [MBF] False positives rising with SORBS

We are seeing a few false positives because of the SORBS filter.
##http://www.au.sorbs.net/
SORBS                  IP4R    dnsbl.sorbs.net                       *       4  
     0
SORBS-NEW              IP4R    new.spam.dnsbl.sorbs.net       127.0.0.6      3  
     0
SORBS-RECENT           IP4R    recent.spam.dnsbl.sorbs.net    127.0.0.6      3  
     0
SORBS-NOMAIL           IP4R    nomail.rhsbl.sorbs.net         127.0.0.12     10 
     0

The false positives are verified IP addresses on the SORBS list but not the 
fault of the sender as the hosting IP is listed.  Because SORBS is positive, 
they get a score of 4 and 3 and 3 (total 10) and maybe something else that 
pushes them over 10.  (The emails typically are failing all 3 SORBS lists, not 
just one - I did not expect to see emails failing NEW and RECENT at the same 
time)

This often happens in replies as the replies go back and forth the SPAM weight 
gets heavier or the senders IP from the hoster changes (hoster has multiple 
IPs, some of which might be listed - such as Office365 users)

My question:  I have lowered the weight on SORBS-NEW and SORBS-RECENT to only 1 
point each so that if all three filters fail they only get a score of 6.  Is 
this what we should do or should we only use the SORBS bl and not use SORBS-NEW 
or RECENT?  Any recommendations?  We are basing this on the fact that if the 
email is truly SPAM, other filters will give the additional weight so SORBS 
need only be a few points.

Tina Cline
270net Technologies




#############################################################
This message is sent to you because you are subscribed to
  the mailing list <community@mailsbestfriend.com>.
To unsubscribe, E-mail to: <community-...@mailsbestfriend.com>
To switch to the DIGEST mode, E-mail to <community-dig...@mailsbestfriend.com>
To switch to the INDEX mode, E-mail to <community-in...@mailsbestfriend.com>
Send administrative queries to  <community-requ...@mailsbestfriend.com>