Darrell would be a better answerer of this question:
Speed is directly dependent on the number of URIs in the email.
The runtime for most of my messages is about 1 to 2 seconds.
It tends to run longer on some ham messages with lots of links.
The SKIPWEIGHT and MAXWEIGHT options can help cut down on the scanning. A
lot of blatant spam for me gets bypassed by invuribl with the SKIPWEIGHT.
You can also cut out on processing with the senderipwhitelist file which
will skip scanning from the IPs/CIDRs listed.
----- Original Message ----- From: "Keith Johnson"
<[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Wednesday, July 27, 2005 10:16 AM
Subject: RE: [Declude.JunkMail] RBL's becoming worthless...
Scott,
What type of speed are you getting from using the invuribl? We
take in/out well over 70K emails per day on each server, 1 of them takes
in/out 150K. As I understand it, it is very CPU intensive. Thanks for
the aid.
Keith
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, July 27, 2005 9:45 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] RBL's becoming worthless...
-Marcus:
Here's my invuribl config file...
I add points for being on various URI lists up to a max of 200.
Subject tag at 100, hold at 200, delete at 300:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings>
<!--License Key Required For invURIBL To Run-->
<add key="License_Key" value="mykey" />
<!--Enables the use of an exception file for domains that should be
skipped-->
<add key="Enable Exceptions File" value="true" />
<!--Path and Filename of the log file. If left blank the log file
will be generated in-->
<!--the same directory as the executable. If you have #### listed
in the file-->
<!--name it will be replaced with MMDD (Month and Day).-->
<add key="LogFile_Path" value="invuribl-logfile####.txt" />
<!-- Options: NORMAL, HIGH, VERBOSE, NONE-->
<add key="Log_Mode" value="HIGH" />
<!-- If the passed in weight exceeds this value, invURIBL will exit
without -->
<!-- running any of the configured tests -->
<add key="SKIPWEIGHT" value="500" />
<!-- If the accumulated weight exceeds the value listed below
invURIBL will -->
<!-- return the MAXWEIGHT value -->
<add key="Enable_Max_Weight" value="true" />
<add key="MAXWEIGHT" value="200" />
<!-- invURIBL will exit when the first domain in either the URI or
RBL list. -->
<!-- If the domain is listed in the URI list the associated RBL
lists will be checked -->
<!-- as well before the application will exit -->
<add key="Stop_At_First_Match" value="true" />
<!--DNS Server Timeout: Number of seconds that invURIBL will wait
for a response from the DNS Server (Beta 5)-->
<add key="DNS_Server_Timeout" value="2" />
<!-- This is the URIBL That The Domains Will Be Checked Against -->
<add key="URIBL_List1" value="multi.surbl.org" />
<!-- Will return the last octet as the weight. If Custom Bitmask
Values Are Enabled-->
<!-- their values will take precedence over this setting -->
<!-- <add key="URIBL_Return_Result_As_Weight" value="false" /> -->
<!-- Weight added to the result code or custom bitmask total. -->
<add key="URIBL_Weight_List1" value="0" />
<!--Allows you to override the normal values for bitmasks for a
custom return weight-->
<add key="Enable_Custom_Bitmask_Values_URIBL_List1" value="true" />
<!--If using multi.surbl.org see
http://www.surbl.org/lists.html#multi
for which lists correspond -->
<!--to which bitmask values -->
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List1" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List1" value="100" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List1" value="50" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List1" value="100" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List1" value="100" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List1" value="100" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List1" value="50" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List1" value="0" />
<!--URI LIST 2-->
<add key="URIBL_List2" value="xs.surbl.org" />
<add key="URIBL_Weight_List2" value="50" />
<add key="Enable_Custom_Bitmask_Values_URIBL_List2" value="false" />
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List2" value="0" />
<!--URI LIST 3-->
<add key="URIBL_List3" value="multi.uribl.com" />
<add key="URIBL_Weight_List3" value="0" />
<add key="Enable_Custom_Bitmask_Values_URIBL_List3" value="true" />
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List3" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List3" value="50" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List3" value="0" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List3" value="0" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List3" value="0" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List3" value="0" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List3" value="0" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List3" value="0" />
<!--Enables the checking of the URI's name servers against an RBL.
-->
<!--If the name servers are listed in the RBL the defined weight
will -->
<!--be added. You also have an option to skip looking up the
nameservers -->
<!--if the URI is already listed in one of the URI lists (Beta 5)-->
<add key="Enable_URI_Name_Server_Check" value="true" />
<add key="Skip_Check_If_URI_Listed_In_URI_List" value="false" />
<add key="Name_Server_RBL" value="sbl.spamhaus.org" />
<add key="Name_Server_Weight" value="75" />
<!-- If enabled URI's will be resolved to their "A" Records.-->
<add key="ENABLE_URI_IP_LOOKUPS_IN_RBLS" value="true" />
<!--RBLx Specifies a RBL to lookup the resolved URI's "A" Record
Against -->
<!--WEIGHT_RBLx Specifies the weight that will be added if the IP
Address is listed -->
<!--Bitmask_Skip_Options_RBLx - Bitmask value that allows you to
skip the associated RBL check if the URI -->
<!--is listed in the URI list or in the name server list. Values: 0
- no skipping will occur. 1 - Skip RBL -->
<!--check if URI was listed in a URI list. 2 - Skip RBL Check if
URI's name servers were listed in the name -->
<!--server RBL check. 3 - Skip the RBL check if either the URI is
listed in the URI list OR if the URI's name server -->
<!--was listed in the name server RBL. (Bitmask Skip RC 1)-->
<add key="RBL1" value="sbl.spamhaus.org" />
<add key="Bitmask_Skip_Options_RBL1" value="2" />
<!--WEIGHT_RBLx Specifies the weight that will be added if the IP
Address is listed -->
<add key="WEIGHT_RBL1" value="75" />
<add key="Bitmask_Skip_Options_RBL2" value="0" />
<add key="Bitmask_Skip_Options_RBL2" value="2" />
<add key="RBL2" value="cn-kr.blackholes.us" />
<add key="WEIGHT_RBL2" value="75" />
<add key="Bitmask_Skip_Options_RBL3" value="0" />
<add key="Bitmask_Skip_Options_RBL3" value="2" />
<add key="RBL3" value="russia.blackholes.us" />
<add key="WEIGHT_RBL3" value="75" />
<!--Enables the checking of the resolved URI's IP address against
Senderbase -->
<!--If the IP addresses daily magnitude exceeds the monthly
magnitude by the defined threshold -->
<!--the defined weight will be added -->
<add key="Enable_URI_Senderbase_Magnitude_Check" value="false" />
<add key="URI_Senderbase_Magnitude_Threshold" value="50" />
<add key="URI_Senderbase_Magnitude_Weight" value="0" />
<!--Enables the checking of the remote mail servers IP address
against Senderbase -->
<!--If the remote mail servers IP addresses daily magnitude exceeds
the monthly magnitude -->
<!-- by the defined threshold the defined weight will be added -->
<add key="Enable_RemoteMailServer_Senderbase_Magnitude_Check"
value="false" />
<add key="RemoteMailServer_Senderbase_Magnitude_Threshold"
value="50" />
<add key="RemoteMailServer_Senderbase_Magnitude_Weight" value="0" />
</appSettings>
</configuration>
----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Tuesday, July 26, 2005 5:37 PM
Subject: RE: [Declude.JunkMail] RBL's becoming worthless...
Chuck,
Here some numbers from my side:
100k messages in the last 7 days
50.5% identified as legit, 49.5% as spam (viruses was filtered out
before)
The best IP4R-based tests was
CBL (21%, 0.37%FP), SPAMCOP (21%, 0.47%FP) and XBL-DYNA (19%, 0.27%FP)
So they catch less then 50% of incoming spam without creating a
significant
number of false positives.
FIVETEN-SRC was able to catch 24% of spam but has also had FP's on
around
6%
of all processed messages.
A text-filter combining the results of different IP4R-based tests has
reached a catch rate of 36%. I consider it the current maximum that
can be
reached with IP4r-based tests by having a - let's say - moderate
number of
false positives.
INV-URIBL instead can catch 37% of all messages as spam and I must say
that
up to now I haven't had time to try improving the INV-URIBL
configfile.
(Any
suggestion is welcome!) It's also important that the number of FP's
for
this
test is near to zero.
SNIFFER was able to catch 47% of all spam messages but I must also say
that
there was a significant number of false positives (5%). Most of them
generated by SNIFFER-GENERAL and SNIFFER-RICH.
SPAMCHK has had correct results on around 45% of all messages, but
also
had
around 7% of FP's
Other excelent tests was CMDSPACE (30%, 1%FP) and HELOISIP (13%,
0.17%FP)
Due to Decludes weighting system and the combination of all this tests
I
can
see between 10 and 20 spam messages each month in my inbox, by
catching
more
then 300 spams each day.
Markus
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Tuesday, July 26, 2005 7:57 PM
To: Declude. JunkMail
Subject: [Declude.JunkMail] RBL's becoming worthless...
In the last several months we have seen large quantity of
spam coming from IP blocks that never seem to get listed on
any RBL. Spamcop is about the only one that picks some of
them up and once in awhile spamhaus. There was a block last
night that sent several hundred and sendbase.org showed they
had detected no email from that block.
The reason I bring this up is because when we first started
blocking spam I would say the blacklists would catch almost
90% so we relied heavily on the blacklist. With the
blacklists not being as effective we need to rely on other
tests like sniffer but that misses alot also.
Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be
found at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
