It depends on how you want to score.
You are currently referencing the sbl-xbl with only a return code of 127.0.0.4 and running blitzedall, cbl and sbl:
XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 9 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0
BLITZEDALL ip4r opm.blitzed.org * 7 0
CBL ip4r cbl.abuseat.org 127.0.0.2 6 0 (Duplicate of XBL-ALL)
SBL ip4r sbl.spamhaus.org * 7 0


This would score the entire xbl list the same: (one DNS call)
XBL(LAST)       dnsbl   %IP4R%.sbl-xbl.spamhaus.org     *      9 0
XBL(ALL)        ip4r    sbl-xbl.spamhaus.org            *       2 0

This would score the results of the sbl-xbl differently depending on which list they are on (one DNS call)
SBL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.2 7 0
CBL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0
BLITZEDALL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.5 7 0


The advantage of using the sbl-xbl is fewer DNS calls.

You could drop the XBL lines and just do these: (3 DNS calls)
BLITZEDALL      ip4r    opm.blitzed.org                 *               7  0
CBL             ip4r    cbl.abuseat.org                 127.0.0.2       6 0
SBL             ip4r    sbl.spamhaus.org                *               7 0

Many people would prefer fewer DNS calls.
Personally I fall on the other side of the fence. I want the most accurate data available, so I will make the extra DNS calls and not use the sbl-xbl or the xbl lists and go directly to the original source. (I'll also get very, very few that are on multiple lists, which doesn't bother me since these 3 lists are among the most accurate lists.)
Here are my settings for reference (subject tag at 100, hold at 200, delete at 300):


BLITZEDALL-LAST  dnsbl %IP4R%.opm.blitzed.org  *  75 0
BLITZEDALL-ALL  ip4r opm.blitzed.org   *  25 0
CBL-LAST  dnsbl %IP4R%.cbl.abuseat.org  127.0.0.2 100 0
CBL-ALL   ip4r    cbl.abuseat.org   127.0.0.2 25 0
SPAMHAUS-SBL  ip4r sbl.spamhaus.org  127.0.0.2 125 0
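
As an added illustration (not part of the original message, and not Declude code), this Python sketch scores a constructed sender that is listed only on the CBL against test lines copied from the global.cfg posted further down the thread, and reports which underlying list is scored more than once. It assumes the sender is the last hop, so the LAST and ALL tests see the same IP, and it models a test as firing whenever the zone's answer matches the match column.

```python
from collections import defaultdict

# Test lines copied from the global.cfg posted in the thread.
CONFIG = """\
XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 9 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0
CBL ip4r cbl.abuseat.org 127.0.0.2 6 0
SBL ip4r sbl.spamhaus.org * 7 0
#MTLDB ip4r mtldb.declude.com 127.0.0.2 3 0
"""

# (zone, return code) -> underlying list, using the codes quoted in the thread.
SOURCE = {
    ("sbl-xbl.spamhaus.org", "127.0.0.2"): "SBL",
    ("sbl-xbl.spamhaus.org", "127.0.0.4"): "CBL",
    ("sbl.spamhaus.org", "127.0.0.2"): "SBL",
    ("cbl.abuseat.org", "127.0.0.2"): "CBL",
}

# Constructed DNS answers for one sender that is listed only on the CBL.
CBL_ONLY = {"sbl-xbl.spamhaus.org": {"127.0.0.4"}, "cbl.abuseat.org": {"127.0.0.2"}}

def parse_tests(text):
    """Return (name, zone, match, weight) for each active ip4r/dnsbl line."""
    tests = []
    for line in text.splitlines():
        fields = line.split()
        if line.lstrip().startswith("#") or len(fields) != 6:
            continue
        name, kind, zone, match, weight, _neg = fields
        if kind in ("ip4r", "dnsbl"):
            # dnsbl lines carry the query template; keep only the zone
            tests.append((name, zone.replace("%IP4R%.", ""), match, int(weight)))
    return tests

def score(tests, answers):
    """Sum the weights of tests that fire; report sources scored more than once."""
    total, by_source = 0, defaultdict(list)
    for name, zone, match, weight in tests:
        hits = [c for c in sorted(answers.get(zone, ())) if match in ("*", c)]
        if hits:
            total += weight
            for code in hits:
                by_source[SOURCE.get((zone, code), zone)].append(name)
    return total, {s: n for s, n in by_source.items() if len(n) > 1}

if __name__ == "__main__":
    tests = parse_tests(CONFIG)
    print(score(tests, CBL_ONLY))  # every posted line active
    # The "drop the XBL lines" option: query only the original sources.
    print(score([t for t in tests if not t[0].startswith("XBL")], CBL_ONLY))
```

Under these assumptions a single CBL listing scores 17 with every posted line active, which falls in the posted 15-19 redirect range, and 6 when only the direct source lists are queried.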


----- Original Message -----
From: "Joey Proulx" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Tuesday, March 08, 2005 2:34 PM
Subject: Re: [Declude.JunkMail] Beginner configuration?



So if I'm double scoring, can't I just remove the SBL, Blitzedall, and CBL lists entirely from my global.cfg?

Joey

At 02:47 PM 3/8/2005, you wrote:
The SBL-XBL includes the SBL, Blitzedall and the CBL list, so you are double-scoring the CBL list.
For the SBL-XBL here are the return codes:
SBL = 127.0.0.2 return code
CBL = 127.0.0.4 return code
BLITZEDALL = 127.0.0.6 return code


So either:
SBL  dnsbl   %IP4R%.sbl-xbl.spamhaus.org     127.0.0.2       7 0
CBL  dnsbl   %IP4R%.sbl-xbl.spamhaus.org     127.0.0.4       6 0
BLITZEDALL   dnsbl   %IP4R%.sbl-xbl.spamhaus.org     127.0.0.5       7 0

or
BLITZEDALL ip4r opm.blitzed.org * 7 0
CBL ip4r cbl.abuseat.org 127.0.0.2 6 0
SBL ip4r sbl.spamhaus.org * 7 0


----- Original Message -----
From: "Joey Proulx" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Tuesday, March 08, 2005 12:44 PM
Subject: Re: [Declude.JunkMail] Beginner configuration?


Thanks for all the help everyone. So far so good, users are noticing the improvement. I added sniffer to the arsenal earlier today, and it's amazing how much more it's picking up. VERY VERY few false positives at all in the first four days of my trial with Declude/Sniffer.

However, I added a few more DNSBLs that one of you suggested last week. My global.cfg now looks like this:

#========================================= ADVANCED OPTIONS =================================

LOOSENSPAMHEADERS  ON

CONSOLE ON

#IPBYPASS       192.0.2.25

HOP             0
#HOPHIGH        1

#DNS            127.0.0.1

HIDETESTS       CATCHALLMAILS IPNOTINMX NOLEGITCONTENT

CATCHALLMAILS           catchallmails   x       x       0       0
NOLEGITCONTENT          nolegitcontent  x       x       0       -5
IPNOTINMX               ipnotinmx       x       x       0       -3

#========================================= WHITELISTS =======================================

#WHITELIST      HABEAS
#AUTOWHITELIST  ON
PREWHITELIST    ON
WHITELIST       AUTH

# ----- Domain Example -----
WHITELIST        FROM   @declude.com
WHITELIST        FROM   @munis.com
WHITELIST        FROM   @trg.com
WHITELIST        FROM   @winnacunnet.k12.nh.us

# ----- User Example -----
WHITELIST        FROM   [EMAIL PROTECTED]

# ----- TO  Example -----
#WHITELIST      TO      postmaster@
#WHITELIST      TO      abuse@

# ----- SAU IPS -----

#SAU AND HAMPTON
WHITELIST IP 207.228.220.
WHITELIST IP 172.21.21.

#SEABROOK
WHITELIST IP 70.88.195.41

#HFALLS
WHITELIST IP 24.128.32.179

#SOHAM
WHITELIST IP 69.164.74.209

#========================================= BLACKLISTS =======================================

#BLACKLIST fromfile [path]\Filters\blacklist.txt x 10 0
#BLACKIP ipfile [path]\Filters\blackip.txt x 10 0


#========================================= RBL IP4R TESTS ==========================================
# 1. Definitions of the tests to use (do not edit unless you know what you are doing). These must come before the actions.
# 2. First is the name of the check, then the type of check (ip4r is a DNS lookup using the reverse of the IP address).
# 3. For type ip4r, 'matchstring' is the string to look for, or "*" for anything.


XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 9 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0
UCEPROTECT-LAST dnsbl %IP4R%.dnsbl-1.uceprotect.net 127.0.0.2 4 0
UCEPROTECT-ALL ip4r dnsbl-1.uceprotect.net 127.0.0.2 1 0
SENDERDB-BLACK ip4r pub.senderdb.net 127.0.0.2 8 0
SENDERDB-SUSPICIOUS ip4r pub.senderdb.net 127.0.0.4 2 0
MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 7 0
MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 9 0
MAILPOLICE-FRAUD rhsbl fraud.rhs.mailpolice.com 127.0.0.2 8 0
AHBL ip4r dnsbl.ahbl.org * 6 0
BLITZEDALL ip4r opm.blitzed.org * 7 0
CBL ip4r cbl.abuseat.org 127.0.0.2 6 0
DSBL ip4r list.dsbl.org * 6 0
ORDB ip4r relays.ordb.org * 5 0
SBL ip4r sbl.spamhaus.org * 7 0
SORBS-HTTP ip4r dnsbl.sorbs.net 127.0.0.2 5 0
SORBS-SOCKS ip4r dnsbl.sorbs.net 127.0.0.3 5 0
SORBS-MISC ip4r dnsbl.sorbs.net 127.0.0.4 5 0
SORBS-SMTP ip4r dnsbl.sorbs.net 127.0.0.5 5 0
SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 4 0
#SORBS-WEB ip4r dnsbl.sorbs.net 127.0.0.7 5 0
SORBS-BLOCK ip4r dnsbl.sorbs.net 127.0.0.8 5 0
SORBS-ZOMBIE ip4r dnsbl.sorbs.net 127.0.0.9 5 0
SORBS-DUHL ip4r dnsbl.sorbs.net 127.0.0.10 4 0
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 7 0
#MTLDB ip4r mtldb.declude.com 127.0.0.2 3 0


#BONDEDSENDER   ip4r    query.bondedsender.org     127.0.0.10      -10 0

#ADDITIONAL USED RBL IP4R TESTS
#FIVETENSRC ip4r blackholes.five-ten-sg.com 127.0.0.2 2 0
#JAMMDNSBL ip4r dnsbl.jammconsulting.com 127.0.0.2 2 0


#========================================= RHBSL TESTS ==========================================

DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 3 0
#NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 2 0
#NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 1 0


#========================================= OTHER TESTS ==========================================

BADHEADERS              badheaders      x       x       8       0
BASE64                  base64          x       x       4       0
CMDSPACE                cmdspace        x       x       8       0
COMMENTS                comments        x       x       7       0
HELOBOGUS               helovalid       x       x       4       0
MAILFROM                envfrom         x       x       12      0
PERCENT                 percent         x       x       10      0
REVDNS                  revdnsexists    x       x       4       0
ROUTING                 spamrouting     x       x       2       0
SPAMHEADERS             spamheaders     x       x       3       0
SPFFAIL                 spffail         x       x       3       0
#SPFPASS                spfpass         x       x       -3      0

#BCC                    bcc             20      x       5       0
NONENGLISH              nonenglish      x       x       3       0
#SUBJECTCHARS           subjectchars    50      x       0       0
#SUBJECTSPACES          subjectspaces   12      x       5       0

#=========================================== FILTERS ===============================================

#SUBJECT filter [path]\Filters\Subject.txt x 0 0
#WORD filter [path]\Declude\Filters\Word.txt x 0 0



#========================================= 3RD PARTY =============================================


SNIFFER external nonzero "D:\IMail\Sniffer\snfrv2r3.exe xnk05x5vmipeaof7" 10 0
#SPAMCHK external nonzero "[path]\Spamchk\spamchk.exe" 1 0



#========================================= TRIGGERS ==============================================


WEIGHT1014      weightrange     x       x       10      14
WEIGHT1519      weightrange     x       x       15      19
WEIGHT20        weight          x       x       20      0

As for actions, I am currently holding 10-14, redirecting 15-19, and deleting >20. Now this seemed to work great before, but now that I added a few more DNSBLs, my scores are much higher obviously. I'm curious if this is a BAD thing, or if it just confirms that if a message is on several blacklists, it SHOULD have a high score and be deleted. Thoughts on this? I basically guessed on the weights for the top 9 blacklists that I added manually...

Thanks.

Joey



At 11:34 PM 3/4/2005, you wrote:
Evan.

It is my understanding that is a global command and is only supported in the
global.cfg file.


Darrell

-------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And
Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG
Integration, and Log Parsers.
----- Original Message -----
From: "Evans Martin" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Friday, March 04, 2005 10:17 PM
Subject: RE: [Declude.JunkMail] Beginner configuration?



Does LOOSENSPAMHEADERS ON have to go in the global.cfg? What if I want to
do this for one domain but not for others? Is there any way to accomplish
this?


Thanks,
Evans Martin


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]
> On Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Friday, March 04, 2005 8:17 AM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] Beginner configuration?
>
> Joey,
>
> Declude is very effective when tweaked. Not to mention the default
> global.cfg ships without all of the RBL's that most of us use (XBL,
> UCE, MAIL-POLICE, SENDERDB). Also, there are other 3rd party utilities
> which are very effective at catching spam like invURIBL and Message
> Sniffer. Both of those applications have trial versions.
>
> Are you still using the default scale? Since you have been working
> with your global.cfg you might want to post it to the list for us to
> look over it and see what you have done so far as to make suggestions.
>
> For your clients that you are not in control of I would imagine that
> you know the ip blocks they come from or the firewall ip that they are
> behind that. You can whitelist that ip so that them failing the
> cmdspace will not be a factor. CMDSPACE is very effective but direct
> connects from clients using outlook will set that off.
>
> For SPAMHEADERS I use "LOOSENSPAMHEADERS ON" this relaxes the
> spamheaders test so that it does not trigger on missing message ID
> emails.
>
> Hope that helps,
> Darrell
>
> ------------------------------------------------------------------------
> Check out http://www.invariantsystems.com for utilities for Declude And
> Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
> MRTG Integration, and Log Parsers.
>
>
>
> Joey Proulx writes:
>
> > Hello,
> >
> > Just downloaded the demo version of Junkmail Pro, and I was curious
> > about the basic setup. For the last two days I've monitored and
> > tweaked and held and redirected and spent hours upon hours looking
> > over the junkmail setup and rules and whatnot. I'm wondering if I'm
> > reinventing the wheel. I work for a school district with a big spam
> > problem, but as any of you in gov't know, if I tell them we should
> > buy something I need to make sure it works. I was just wondering if
> > there are any tried and true setups that any of you are using to cut
> > down on the spam. I'm seeing that this system works, but I'm also
> > still running the built-in Imail filter, and I've seen quite a few
> > messages that get caught by Imail, but have a Declude score of 0,
> > that should NOT have made it through. Do you all still run the
> > builtin Imail spam as well? Any filters I should definitely setup?
> >
> > I'm seeing a lot of CMDSPACE and SPAMHEADERS (missing MessageID
> > header) from some local clients (I don't control all my clients, so
> > I don't think I can make them authenticate). Should I do away with
> > these tests, or can I fix these two issues on the server side?
> >
> > Thanks for all your help.
> >
> > _____________________________
> > Joey Proulx
> > SAU #21 Technology Support Staff
> > 2 Alumni Drive
> > Hampton, NH 03842
> > (603) 926-8992, ext 115
> > [EMAIL PROTECTED]
> >
> >
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> > (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.JunkMail". The archives can be found
> > at http://www.mail-archive.com.