I've found that the aggregate zones (such as dnsbl.sorbs.net) don't always work. For example, today while testing I found an address (91.218.112.72) that was in spam.dnsbl.sorbs.net but wasn't in dnsbl.sorbs.net. Better to use the individual zones for testing, but be careful about using overlapping zones.

Gary Steiner
----------------------------------------
From: "John Tolmachoff" <[email protected]>
Sent: Friday, January 23, 2015 2:06 PM
To: [email protected]
Subject: [MBF] Re: False positives rising with SORBS

Tina, what you are doing is giving a double fail to the return code 127.0.0.6.

If you check the sorbs.net website, you would find this explanation:

new.spam.dnsbl.sorbs.net - List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 48 hours.
recent.spam.dnsbl.sorbs.net - List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net).

So in other words you should NOT be using BOTH checks.

HOWEVER, what is BETTER and more EFFICIENT is to only query dnsbl.sorbs.net and then use the various return codes for different tests.

John T
eServices For You

-----Original Message-----
From: "Tina Cline" <[email protected]>
Sent: Thursday, January 22, 2015 8:34am
To: [email protected]
Subject: [MBF] False positives rising with SORBS

We are seeing a few false positives because of the SORBS filter.

##http://www.au.sorbs.net/
SORBS IP4R dnsbl.sorbs.net * 4 0
SORBS-NEW IP4R new.spam.dnsbl.sorbs.net 127.0.0.6 3 0
SORBS-RECENT IP4R recent.spam.dnsbl.sorbs.net 127.0.0.6 3 0
SORBS-NOMAIL IP4R nomail.rhsbl.sorbs.net 127.0.0.12 10 0

The false positives are verified IP addresses on the SORBS list but not the fault of the sender as the hosting IP is listed. Because SORBS is positive, they get a score of 4 and 3 and 3 (total 10) and maybe something else that pushes them over 10.

(The emails typically are failing all 3 SORBS lists, not just one - I did not expect to see emails failing NEW and RECENT at the same time.)

This often happens in replies: as the replies go back and forth, the SPAM weight gets heavier or the sender's IP from the hoster changes (hoster has multiple IPs, some of which might be listed - such as Office365 users).

My question: I have lowered the weight on SORBS-NEW and SORBS-RECENT to only 1 point each so that if all three filters fail they only get a score of 6. Is this what we should do or should we only use the SORBS bl and not use SORBS-NEW or RECENT? Any recommendations?

We are basing this on the fact that if the email is truly SPAM, other filters will give the additional weight so SORBS need only be a few points.

Tina Cline
270net Technologies
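
An added example, not part of any message in this thread: it scores one address against the three overlapping SORBS tests from the original post and against a single-zone, per-return-code test of the kind suggested in the reply, to show how the overlap stacks to 10. The field meanings of the test lines, the `SORBS-SPAM` test with its weight of 4, and the lookup data for 192.0.2.10 are assumptions constructed for illustration.

```python
import ipaddress

# Test lines in the layout used in the post; field meaning is an assumption:
# NAME TYPE ZONE RETURN_CODE WEIGHT SECOND_WEIGHT ("*" = any return code).
POSTED = """\
SORBS IP4R dnsbl.sorbs.net * 4 0
SORBS-NEW IP4R new.spam.dnsbl.sorbs.net 127.0.0.6 3 0
SORBS-RECENT IP4R recent.spam.dnsbl.sorbs.net 127.0.0.6 3 0
"""
# Hypothetical single-zone variant: one query, weight chosen per return code.
BY_CODE = """\
SORBS-SPAM IP4R dnsbl.sorbs.net 127.0.0.6 4 0
"""

def parse_tests(text):
    tests = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, kind, zone, code, weight, _second = line.split()
        if kind == "IP4R":
            tests.append((name, zone, code, int(weight)))
    return tests

def query_name(ip, zone):
    """DNSBL convention: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def score(ip, tests, lookup):
    """Return (total, fired test names); lookup(qname) -> set of A records."""
    cache, total, fired = {}, 0, []
    for name, zone, code, weight in tests:
        qname = query_name(ip, zone)
        if qname not in cache:          # one DNS query per zone
            cache[qname] = lookup(qname)
        answers = cache[qname]
        if answers and (code == "*" or code in answers):
            total += weight
            fired.append(name)
    return total, fired

# Constructed answers (not real SORBS data) for documentation address 192.0.2.10.
ZONE_DATA = {
    "10.2.0.192.dnsbl.sorbs.net": {"127.0.0.6"},
    "10.2.0.192.new.spam.dnsbl.sorbs.net": {"127.0.0.6"},
    "10.2.0.192.recent.spam.dnsbl.sorbs.net": {"127.0.0.6"},
}
def fake_lookup(qname):
    return ZONE_DATA.get(qname, set())

if __name__ == "__main__":
    print(score("192.0.2.10", parse_tests(POSTED), fake_lookup))
    print(score("192.0.2.10", parse_tests(BY_CODE), fake_lookup))
```

An address that is present only in a sub-zone and missing from the aggregate zone, as described in the first message, scores 0 under the single-zone variant.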
