Here's what the lists refer to: UCE-PFSM-1 for Level 1 = Single IPs (Defaultlist, very conservative) UCE-PFSM-2 for Level 2 = /24 Nets (stronger, but more effective) UCE-PFSM-3 for Level 3 = Virusspreaders (Warning, Lots of Smarthosts)
I have found many IPs are listed on level 1 and level 2. For me this leads to the test being double-scored.
So I score Level 1 directly and then use a filter to score level 2 only if there is no level 1.
Level 3 contained too many false positives, so I don't use it.
Here's my config:
UCEPROTECT-LEVEL1 ip4r dnsbl-1.uceprotect.net * 50 0
UCEPROTECT-LEVEL2 ip4r dnsbl-2.uceprotect.net * 0 0
UCEPROTECT-L2-NOT-L1 filter D:\IMail\Declude\FPFilters\UCEPROTECT-L2-NOT-L1.txt x 0 0
UCEPROTECT-L2-NOT-L1.txt: TESTSFAILED END CONTAINS UCEPROTECT-LEVEL1 TESTSFAILED 50 CONTAINS UCEPROTECT-LEVEL2
Subject tag at 100, hold at 200, delete at 300.
----- Original Message ----- From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Sunday, March 06, 2005 2:49 PM
Subject: [Declude.JunkMail] UCEProtect Levels & Return codes
Hi all,
Darrell posted this in another thread
UCEPROTECT-LAST dnsbl %IP4R%.dnsbl-1.uceprotect.net 127.0.0.2 6 0 UCEPROTECT-ALL ip4r dnsbl-1.uceprotect.net 127.0.0.2 2 0
I looked up web site and see that there are three levels of DNS lists.
UCE-PFSM-1 for Level 1 = Single IPs (Defaultlist, very conservative) UCE-PFSM-2 for Level 2 = /24 Networks (harder but more effective) UCE-PFSM-3 for Level 3 = Virusspreaders (Warning, lot of SMARTHOSTS)
I cannot find on their web site what return codes they use. Is it just 127.0.0.2 or are there others.
Are people just using the Level 1 list or are you using Levels 2 and 3?
Thanx
Goran Jovanovic
The LAN Shoppe
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
