-Marcus:
Here's my invURIBL config file...
I add points for being on various URI lists up to a max of 200.
Subject tag at 100, hold at 200, delete at 300:
<?xml version="1.0" encoding="utf-8" ?>
<!-- invURIBL settings. Each <add> entry sets one option by key. The weights
     below are points that invURIBL accumulates and returns as its result. -->
<configuration>
<appSettings>
<!-- License key required for invURIBL to run.
     NOTE(review): keep the real key out of any copy of this file that is
     posted or shared. -->
<add key="License_Key" value="mykey" />
<!-- Enables the use of an exceptions file for domains that should be skipped.
     NOTE(review): a domain in that file is skipped by the checks, so restrict
     who can edit it and review its entries periodically. -->
<add key="Enable Exceptions File" value="true" />
<!-- Path and filename of the log file. If left blank, the log file is
     generated in the same directory as the executable. A "####" in the file
     name is replaced with MMDD (month and day). -->
<add key="LogFile_Path" value="invuribl-logfile####.txt" />
<!-- Options: NORMAL, HIGH, VERBOSE, NONE -->
<add key="Log_Mode" value="HIGH" />
<!-- If the passed-in weight exceeds this value, invURIBL exits without
     running any of the configured tests. -->
<add key="SKIPWEIGHT" value="500" />
<!-- If the accumulated weight exceeds MAXWEIGHT, invURIBL returns the
     MAXWEIGHT value instead. With the thresholds given in the accompanying
     message (tag at 100, hold at 200, delete at 300), a cap of 200 lets this
     test alone reach the hold weight but not the delete weight. -->
<add key="Enable_Max_Weight" value="true" />
<add key="MAXWEIGHT" value="200" />
<!-- invURIBL exits at the first domain that matches in either the URI or the
     RBL lists (presumably; the original sentence was incomplete). If the
     domain is listed in the URI list, the associated RBL lists are checked as
     well before the application exits. -->
<add key="Stop_At_First_Match" value="true" />
<!-- DNS server timeout: number of seconds invURIBL waits for a response from
     the DNS server (Beta 5).
     NOTE(review): this file does not say what weight a timed-out lookup
     contributes; confirm that a slow or unreachable resolver is logged and
     does not silently turn every test below into a zero. -->
<add key="DNS_Server_Timeout" value="2" />
<!-- URI list 1: the URIBL zone that the domains are checked against. -->
<add key="URIBL_List1" value="multi.surbl.org" />
<!-- Optional setting (left commented out): return the last octet of the
     answer as the weight. If custom bitmask values are enabled, their values
     take precedence over this setting. -->
<!-- <add key="URIBL_Return_Result_As_Weight" value="false" /> -->
<!-- Weight added to the result code or custom bitmask total. -->
<add key="URIBL_Weight_List1" value="0" />
<!-- Allows the normal bitmask values to be overridden with a custom return
     weight per bit. -->
<add key="Enable_Custom_Bitmask_Values_URIBL_List1" value="true" />
<!-- If using multi.surbl.org, see http://www.surbl.org/lists.html#multi for
     which lists correspond to which bitmask values.
     NOTE(review): list operators can reassign bits over time; re-check the
     mapping against the operator's current documentation before reuse. -->
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List1" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List1" value="100" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List1" value="50" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List1" value="100" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List1" value="100" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List1" value="100" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List1" value="50" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List1" value="0" />
<!-- URI list 2. Custom bitmask values are disabled here, so presumably only
     the flat URIBL_Weight_List2 applies and the per-bit entries are unused
     (confirm against the invURIBL documentation). -->
<add key="URIBL_List2" value="xs.surbl.org" />
<add key="URIBL_Weight_List2" value="50" />
<add key="Enable_Custom_Bitmask_Values_URIBL_List2" value="false" />
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List2" value="0" />
<!-- URI list 3. Custom bitmask values are enabled; only bit value 2 carries
     a weight (50), every other bit is weighted 0. -->
<add key="URIBL_List3" value="multi.uribl.com" />
<add key="URIBL_Weight_List3" value="0" />
<add key="Enable_Custom_Bitmask_Values_URIBL_List3" value="true" />
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List3" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List3" value="50" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List3" value="0" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List3" value="0" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List3" value="0" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List3" value="0" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List3" value="0" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List3" value="0" />
<!-- Enables checking the URI's name servers against an RBL. If the name
     servers are listed in the RBL, the defined weight is added. The lookup
     of the name servers can optionally be skipped when the URI is already
     listed in one of the URI lists (Beta 5). -->
<add key="Enable_URI_Name_Server_Check" value="true" />
<add key="Skip_Check_If_URI_Listed_In_URI_List" value="false" />
<add key="Name_Server_RBL" value="sbl.spamhaus.org" />
<add key="Name_Server_Weight" value="75" />
<!-- If enabled, URIs are resolved to their "A" records. -->
<add key="ENABLE_URI_IP_LOOKUPS_IN_RBLS" value="true" />
<!-- RBLx: an RBL against which the resolved "A" record of the URI is looked
     up.
     WEIGHT_RBLx: the weight added if the IP address is listed.
     Bitmask_Skip_Options_RBLx: bitmask that allows the associated RBL check
     to be skipped (Bitmask Skip RC 1):
       0 = no skipping occurs
       1 = skip the RBL check if the URI was listed in a URI list
       2 = skip the RBL check if the URI's name servers were listed in the
           name server RBL check
       3 = skip the RBL check if either of the two conditions above holds -->
<add key="RBL1" value="sbl.spamhaus.org" />
<add key="Bitmask_Skip_Options_RBL1" value="2" />
<!-- WEIGHT_RBLx: the weight added if the IP address is listed. -->
<add key="WEIGHT_RBL1" value="75" />
<!-- NOTE(review): Bitmask_Skip_Options_RBL2 is defined twice (0, then 2).
     Which value takes effect depends on how the settings reader handles
     duplicate keys; keep only the intended one. -->
<add key="Bitmask_Skip_Options_RBL2" value="0" />
<add key="Bitmask_Skip_Options_RBL2" value="2" />
<!-- NOTE(review): RBL2 and RBL3 are third-party zones named after countries.
     Confirm that each zone is still maintained before reusing these entries;
     a retired DNSBL zone may time out or answer for every address queried. -->
<add key="RBL2" value="cn-kr.blackholes.us" />
<add key="WEIGHT_RBL2" value="75" />
<!-- NOTE(review): Bitmask_Skip_Options_RBL3 is also defined twice (0, then
     2); keep only the intended value. -->
<add key="Bitmask_Skip_Options_RBL3" value="0" />
<add key="Bitmask_Skip_Options_RBL3" value="2" />
<add key="RBL3" value="russia.blackholes.us" />
<add key="WEIGHT_RBL3" value="75" />
<!-- Enables checking the resolved IP address of the URI against Senderbase.
     If the daily magnitude of the IP address exceeds the monthly magnitude
     by the defined threshold, the defined weight is added. Disabled here. -->
<add key="Enable_URI_Senderbase_Magnitude_Check" value="false" />
<add key="URI_Senderbase_Magnitude_Threshold" value="50" />
<add key="URI_Senderbase_Magnitude_Weight" value="0" />
<!-- Enables checking the IP address of the remote mail server against
     Senderbase. If the daily magnitude of that IP address exceeds the
     monthly magnitude by the defined threshold, the defined weight is added.
     Disabled here. -->
<add key="Enable_RemoteMailServer_Senderbase_Magnitude_Check"
value="false" />
<add key="RemoteMailServer_Senderbase_Magnitude_Threshold" value="50" />
<add key="RemoteMailServer_Senderbase_Magnitude_Weight" value="0" />
</appSettings>
</configuration>
----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, July 26, 2005 5:37 PM
Subject: RE: [Declude.JunkMail] RBL's becoming worthless...
Chuck,
Here some numbers from my side:
100k messages in the last 7 days
50.5% identified as legit, 49.5% as spam (viruses were filtered out beforehand)
The best IP4R-based tests were
CBL (21%, 0.37%FP), SPAMCOP (21%, 0.47%FP) and XBL-DYNA (19%, 0.27%FP)
So they catch less than 50% of incoming spam without creating a significant
number of false positives.
FIVETEN-SRC was able to catch 24% of spam but has also had FP's on around
6%
of all processed messages.
A text filter combining the results of different IP4R-based tests has
reached a catch rate of 36%. I consider it the current maximum that can be
reached with IP4R-based tests while keeping a - let's say - moderate number of
false positives.
INV-URIBL, by contrast, can catch 37% of all messages as spam, and I must say
that up to now I haven't had time to try improving the INV-URIBL config file.
(Any suggestion is welcome!) It's also important that the number of FPs for
this test is near zero.
SNIFFER was able to catch 47% of all spam messages but I must also say
that
there was a significant number of false positives (5%). Most of them
generated by SNIFFER-GENERAL and SNIFFER-RICH.
SPAMCHK has had correct results on around 45% of all messages, but also
had
around 7% of FP's
Other excellent tests were CMDSPACE (30%, 1%FP) and HELOISIP (13%, 0.17%FP)
Due to Declude's weighting system and the combination of all these tests, I
see between 10 and 20 spam messages each month in my inbox, while catching
more than 300 spams each day.
Markus
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Tuesday, July 26, 2005 7:57 PM
To: Declude. JunkMail
Subject: [Declude.JunkMail] RBL's becoming worthless...
In the last several months we have seen a large quantity of
spam coming from IP blocks that never seem to get listed on
any RBL. Spamcop is about the only one that picks some of
them up, and once in a while Spamhaus. There was a block last
night that sent several hundred, and senderbase.org showed they
had detected no email from that block.
The reason I bring this up is that when we first started
blocking spam, I would say the blacklists would catch almost
90%, so we relied heavily on the blacklists. With the
blacklists not being as effective, we need to rely on other
tests like Sniffer, but that misses a lot also.
Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com