I agree that the UCE is a pretty effective test. It's too bad there is a combined zone so you could catch 1 and 2 from one dns lookup.
----- Original Message ----- From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Sunday, March 06, 2005 4:40 PM
Subject: RE: [Declude.JunkMail] UCEProtect Levels & Return codes
Scott,
I took a look at your stats and it seems to be a pretty good test.
Any explanation why the Feb numbers are better than the Jan number
L1 Jan - 1 FP in 268 Feb - 1 FP in 350
L2 Jan - 1 FP in 463 Feb - 1 FP in 970
Thanx
Goran Jovanovic The LAN Shoppe
leads-----Original Message----- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Sunday, March 06, 2005 4:57 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] UCEProtect Levels & Return codes
Here's what the lists refer to: UCE-PFSM-1 for Level 1 = Single IPs (Defaultlist, very conservative) UCE-PFSM-2 for Level 2 = /24 Nets (stronger, but more effective) UCE-PFSM-3 for Level 3 = Virusspreaders (Warning, Lots of Smarthosts)
I have found many IPs are listed on level 1 and level 2. For me this
only ifto the test being double-scored. So I score Level 1 directly and then use a filter to score level 2
3?there is no level 1. Level 3 contained too many false positives, so I don't use it.
Here's my config:
UCEPROTECT-LEVEL1 ip4r dnsbl-1.uceprotect.net * 50 0 UCEPROTECT-LEVEL2 ip4r dnsbl-2.uceprotect.net * 0 0 UCEPROTECT-L2-NOT-L1 filter D:\IMail\Declude\FPFilters\UCEPROTECT-L2-NOT-L1.txt x 0 0
UCEPROTECT-L2-NOT-L1.txt: TESTSFAILED END CONTAINS UCEPROTECT-LEVEL1 TESTSFAILED 50 CONTAINS UCEPROTECT-LEVEL2
Subject tag at 100, hold at 200, delete at 300.
----- Original Message ----- From: "Goran Jovanovic" <[EMAIL PROTECTED]> To: <Declude.JunkMail@declude.com> Sent: Sunday, March 06, 2005 2:49 PM Subject: [Declude.JunkMail] UCEProtect Levels & Return codes
Hi all,
Darrell posted this in another thread
UCEPROTECT-LAST dnsbl %IP4R%.dnsbl-1.uceprotect.net 127.0.0.2 6 0 UCEPROTECT-ALL ip4r dnsbl-1.uceprotect.net 127.0.0.2 2 0
I looked up web site and see that there are three levels of DNS lists.
UCE-PFSM-1 for Level 1 = Single IPs (Defaultlist, very conservative) UCE-PFSM-2 for Level 2 = /24 Networks (harder but more effective) UCE-PFSM-3 for Level 3 = Virusspreaders (Warning, lot of SMARTHOSTS)
I cannot find on their web site what return codes they use. Is it just 127.0.0.2 or are there others.
Are people just using the Level 1 list or are you using Levels 2 and
---
Thanx
Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.