|
Matt,
Thanks -- didn't see that.
Can you post your (ALL) and (LAST) global configs and a
brief explanation of how you're using them?
Thanks
Mark
Mark,
mail-archive.com converted the text attachment to just
a part of the message if you wish to cut and paste it from
there.
http://www.mail-archive.com/declude.junkmail%40declude.com/msg21757.html
Matt
Mark
E. Smith wrote:
Matt,
Can you resend that filter? I checked on the archive
and the attachment isn't there.
Thanks.
Mark
Danny,
It's a special construct that I use
to kludge a way to provide a difference in scoring of last hop DNSBL hits
and prior-hop DNSBL hits. For instance, if you score a test on the
last 3 hops and it hits an open relay type of list on the first hop, that
isn't anywhere nearly as indicative of spam as a last hop open relay
hit.
With Declude, you can kludge it so that you can score both the
last hop only or all hops. If I get a hit for both SPAMCOP(ALL) and
SPAMCOP(LAST), this means that SpamCop hit minimally on the last
hop. If I only get a hit for SPAMCOP(ALL), that means that the hit
was on a prior hop. Yes, this is most definitely very effective, and
I absolutely do wish there was a better way to do this in Declude by
assigning the range of hops to test per entry in your config. An
example of how to configure this with SpamCop would be as
follows:
SPAMCOP(LAST)
dnsbl
%IP4R%.bl.spamcop.net
127.0.0.2 4
0
SPAMCOP(ALL)
ip4r bl.spamcop.net
127.0.0.2
2 0
This is primarily effective with DNSBL's that
track primarily open relays and not necessary with most static spammer
lists although SBL has been acting like idiots as of late and including
random blocks all the way up to whole class B's on residential class
networks which severely weakens the value of SBL when scored the same on
every hop.
As far as my filter goes, you can remove all of the
lines beginning with the one targeting SNIFFER hits. It will work
just fine without these, but I included them just for good measure as I
expect the spam patterns to change eventually. I do of course expect
to see spammers cracking AUTH with much more frequency, and Earthlink at
least appears to be inept at stopping it since this has been happening for
over 3 months now and growing in
scope.
Matt
Danny K wrote:
Matt,
What does the (ALL) do as in "SPAMCOP(ALL)"?
i360
Support wrote:
I am still getting a ton of porn spam
from Earthlink.
I report it but it does not help
much.
Any suggestions on how to stop this
crap?
Attached is the filter
that I use to kill this stuff. Last I checked, there were two
different spammers that were cracking AUTH to get this stuff through,
and their patterns don't seem to have changed, although they probably
will and/or more will come.
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
|
