Matt,

That's actually a very good idea I am going to incorporate. How did you come up with the scoring balance between first and second hop?

Darrell

Matt writes:

You need to segment your tests between Spamtraps/Zombies/Relays and Static Sources. Static sources such as SBL should have no increase in FPs over multiple hops; however, XBL, SpamCop, ORDB and others will. What I do is trick Declude into splitting the test scores, giving the last hop a higher score than a hit that sits before the last hop, but only for the Spamtraps/Zombies/Relays types of tests. Here's an example:

# Spam Traps (staggered scoring per hop)
SPAMCOP(DYNA) ip4r bl.spamcop.net 127.0.0.2 4 0
SPAMCOP(ALL) ip4r bl.spamcop.net 127.0.0.2 2 0
XBL(DYNA) ip4r sbl-xbl.spamhaus.org 127.0.0.4 6 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0


The (DYNA) part of the name makes Declude only use that test on the last hop, while the (ALL) has no special function and it will hit on any hop that is scanned. Last hop hits will score both, but prior hop hits will only score the (ALL) version for a lower score. This definitely helped my spam capture rates, but I have caught some zombies that were sending legitimate E-mail, though they score very low and many of them pass.

I've suggested before that extra columns be added to Declude for such tests so that we can control the score they give according to the hop that they hit on. The full description of this suggestion is in the recent archives.

Note that negative weight tests need to be kept exclusively to the last hop because they do get spoofed in forged headers, and also, RHSBL tests are not hop aware since they pull a domain from the MAILFROM instead of the hops, so you don't need to do anything special with these tests.

Matt


DLAnalyzer Support wrote:


We are set up currently using "HOPHIGH 1". With a HOPHIGH setting of 1, what we are seeing is an increase in messages that are getting caught with XBL, DSBL, SORBS, and other tests along this line on the second HOP even though they were legit messages that were sent through normal ISP servers.
How many folks are using HOPHIGH 1? Also, for tests like XBL, DSBL, and others along this line, are you changing them to XBL-DUL to only work on the first HOP?
Thanks
Darrell
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.




--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================



------------------------------------------------
Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com
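
An added illustration of the staggered per-hop scoring Matt describes above; it is not part of the original thread and is not Declude code. It assumes hops are listed last hop first, that each named test scores at most once per message, and that the function names, the documentation-range IP addresses and the blacklist listing are constructed for the example.

```python
# Test lines copied from Matt's message; the last column is ignored here.
CONFIG = """\
# Spam Traps (staggered scoring per hop)
SPAMCOP(DYNA) ip4r bl.spamcop.net 127.0.0.2 4 0
SPAMCOP(ALL) ip4r bl.spamcop.net 127.0.0.2 2 0
XBL(DYNA) ip4r sbl-xbl.spamhaus.org 127.0.0.4 6 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0
"""

def parse_tests(text):
    """Parse ip4r test lines into dicts, skipping comments and blanks."""
    tests = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _kind, zone, result, weight, _last = line.split()
        tests.append({
            "name": name, "zone": zone, "result": result,
            "weight": int(weight),
            # Per the thread: DYNA in the name restricts a test to the last hop.
            "last_hop_only": "DYNA" in name,
        })
    return tests

def score(hops, listings, tests, hophigh=1):
    """Return (total, fired test names) for hops[0..hophigh].

    hops[0] is the last hop (the host that connected to us).
    listings maps (ip, zone) -> return code; constructed data, no DNS used.
    """
    fired = {}
    for idx, ip in enumerate(hops[:hophigh + 1]):
        for t in tests:
            if t["last_hop_only"] and idx != 0:
                continue  # DYNA tests never look past the last hop
            if listings.get((ip, t["zone"])) == t["result"]:
                fired[t["name"]] = t["weight"]  # a test counts once
    return sum(fired.values()), sorted(fired)

TESTS = parse_tests(CONFIG)
# Constructed listing: one XBL-listed address (documentation IP range).
LISTINGS = {("192.0.2.10", "sbl-xbl.spamhaus.org"): "127.0.0.4"}

if __name__ == "__main__":
    print("direct :", score(["192.0.2.10"], LISTINGS, TESTS))
    print("relayed:", score(["198.51.100.25", "192.0.2.10"], LISTINGS, TESTS))
```

The listed address scores 8 when it is the last hop and 2 when it appears one hop back behind an ISP relay, which is the split the thread is discussing.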

