I agree with you. I think it really depends on who is spamming the spam traps.
 
In my case, the spammers who hit the spam traps look to be static IP based spammers. I'll assign someone who hits this automated list 50 points (subject tag 100, hold 200, delete 300). In comparison, if I manually code into an IPFILE, that's generally a 100 point hit.
The test's result is 5128 spam out of 5134 this month. Generally these spammers' scores are so high, the 50 points is meaningless.
Also to prevent fp's I also only keep IPs for 21 days on this list.
I also monitor my test performances pretty frequently to adjust mal-performing tests.
 
I'm just looking for ways to get out of maintaining my IPFILEs and possibly my FROMFILEs.
 
 
----- Original Message -----
From: Matt
Sent: Tuesday, September 21, 2004 2:34 PM
Subject: Re: [Declude.JunkMail] Whitelister / Blacklister

Scott,

I saw your note about your own code and also this question, but I wanted to remind you of the fact that there are many pieces of spam that come from fully legitimate mail servers such as the rash of spam being relayed through Earthlink's mail servers from spammers that have hacked their accounts.  When you then add the Earthlink mail servers to your blacklist, you hit all of their legitimate E-mail as well.  All of our systems collect large amounts of spam from legit servers (as well as ham tagged as spam), and as a result it is not at all safe to take all such IP's and blacklist them by default.

There is a way to make better use of this, but it requires you to start from having nothing and specifically include things that are very high confidence of not being from a legit server instead of starting with all such IP's and trying to trim them down.  CBL for instance works with spamtraps, but they have defenses in their system for listing legitimate mail servers.  I do know that they will include hits without reverse DNS entries and ones that get hit by a DUL list for instance, but I suspect that they throw away any hits from servers with reverse DNS entries that contain things like "mx" or "mail" in their reverse DNS entries.  One of my tricks for DUL hits is also to disable the tests if the IP is in the MX record for the Mail From domain (i.e. doesn't hit IPNOTINMX).  You would need to build many specific and very accurate conditions for inclusion for this to work with enough reliability.  My take on this however is that if you know those conditions, you don't need a blacklist to score this because you can do it in real time with Declude.  If you are basing this on a spam trap however, you can in fact pull some additional IP's out of the mix that might have otherwise passed your system.

Matt


Scott Fisher wrote:
On the blacklist side, I'd like the ability to turn on a "honeypot" mode that would add the sender IP of ANY email sent to it (for spamtraps). 

I run a batch file after midnight that pulls out all of the IP addresses that sent to my five spamtrap addresses and creates a Declude IPFile.
----- Original Message -----
From: Dan Horne
Sent: Tuesday, September 21, 2004 9:17 AM
Subject: RE: [Declude.JunkMail] Whitelister / Blacklister

I'm curious about this test.  If I am a user and I am unable to receive an email from the person I would like to whitelist, how can I attach a message from that person?  Does this work with messages from Declude's ATTACH action?  Should the ATTACH message be forwarded inline with the original attachment or as an attachment within an attachment?  What about security?  If the whitelist email address shows up in a spammer's database, will it whitelist all messages from the spammer?
 
I'd like to see a similar whitelisting tool that could take a command similar to the way Imail's list-server works.  I could not only send attached emails to it in the described manner, but I could also send it a command in the body of the email such as "[PASSWORD] ADD [EMAIL PROTECTED]" where the password is configurable.  If sent to the whitelist email address AND the password matches the configured password, add that address to the whitelist.  The test would search for any instance of [PASSWORD] in the body, and if found would look for the ADD command after it (or other commands if any).  If it finds that, it adds the email address that follows to the whitelist file.
 
On the blacklist side, I'd like the ability to turn on a "honeypot" mode that would add the sender IP of ANY email sent to it (for spamtraps).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Timothy L. Chandler
Sent: Monday, September 20, 2004 8:11 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Whitelister / Blacklister

Hi everyone,

I wrote a program we have been using at my company successfully for a while now.  They are two visual basic executables - a whitelister and a blacklister.  To add a new whitelisted user to a whitelist file, one must simply set up a program alias and send an e-mail with an e-mail from the user attached, or the header info from the e-mail.  I use Outlook and I simply send the e-mails as attachments to a new e-mail. The program parses the e-mail, skips the first from user name (yours obviously), and then processes all attachments for more from e-mail addresses, up to 25.  For blacklisting, it parses the sender's ip and adds to a blacklist.  It is very convenient.  Anybody interested in these programs?  I could have Scott post them to the free web tools if anyone wants them...

Tim


-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
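
The spamtrap list discussed in this thread, sketched as an added example (not code from any poster or from Declude): it combines Scott's 21-day retention with Matt's "start from nothing" inclusion conditions. The record fields, trap addresses, hit data and function names are constructed assumptions, and the DNS, DUL and MX lookups are taken as already resolved.

```python
from datetime import date, timedelta

RETENTION_DAYS = 21                  # Scott's expiry window, to limit false positives
LEGIT_RDNS_HINTS = ("mx", "mail")    # rDNS substrings Matt suspects mark a real mail server
TRAPS = {"trap1@example.test", "trap2@example.test"}  # constructed spamtrap addresses

# Constructed hits: (day seen, sender IP, recipient, reverse DNS or None,
#                    listed on a DUL, IP is in the MX record of the Mail From domain)
HITS = [
    (date(2004, 9, 20), "192.0.2.10", "trap1@example.test", None, False, False),
    (date(2004, 9, 20), "192.0.2.25", "trap2@example.test", "mail3.isp.example", False, False),
    (date(2004, 9, 19), "198.51.100.7", "trap1@example.test", "dsl-7.pool.example", True, False),
    (date(2004, 9, 18), "198.51.100.9", "trap1@example.test", "host9.corp.example", True, True),
    (date(2004, 8, 1), "203.0.113.5", "trap2@example.test", None, False, False),
    (date(2004, 9, 20), "203.0.113.8", "user@example.test", None, False, False),
    (date(2004, 9, 20), "203.0.113.77", "trap1@example.test", "static77.example", False, False),
]

def high_confidence(rdns, on_dul, in_mx):
    """Include a hit only when it is unlikely to come from a legitimate server."""
    if rdns is None:
        return True                  # no reverse DNS entry at all
    if any(hint in rdns.lower() for hint in LEGIT_RDNS_HINTS):
        return False                 # crude substring match: looks like a mail server
    return on_dul and not in_mx      # DUL hit counts unless the IP is an MX for the sender

def build_list(hits, today):
    """Return the sorted IPs that qualify for the automated list on `today`."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    listed = set()
    for day, ip, rcpt, rdns, on_dul, in_mx in hits:
        if rcpt not in TRAPS or day < cutoff:
            continue                 # not a trap address, or older than the retention window
        if high_confidence(rdns, on_dul, in_mx):
            listed.add(ip)
    return sorted(listed)

if __name__ == "__main__":
    for ip in build_list(HITS, date(2004, 9, 21)):
        print(ip)
```

The Earthlink-style relay (`mail3.isp.example`) and the server that is an MX for its own sender domain stay off the list even though both hit a trap, which is the false-positive case Matt describes.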
