A couple of quick suggestions:
You are double-scoring here:
SBL ip4r sbl-xbl.spamhaus.org * 28 0
SPAMHAUS ip4r sbl.spamhaus.org 127.0.0.2 25 0
The XBL wholly incorporates data from three highly-trusted DNSBL sources:
- the CBL (Composite Block List) from cbl.abuseat.org
- the BOPM (Blitzed Open Proxy Monitor) from opm.blitzed.org
- the NJABL open proxy IPs list from www.njabl.org.
and
MAILPOLICE-BLOCK incorporates both of the mailpolice lists
block.rhs.mailpolice.com - consolidated list of bulk-senders, pornographic,
and fraud sites
one less DNS call
----- Original Message -----
From: "Harry Vanderzand" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Tuesday, October 11, 2005 8:58 AM
Subject: [Declude.JunkMail] declude 3.05.5, Invuribl & sniffer
I think I have finally got my server improved to the point where it is
running smoothly and spam is getting caught to the level I have been used
to. (If not better)
It has been a combination of find the right declude.cfg settings for my
hardware (dual xeon 3.4 ...) and also implementing Invuribl to catch this
new wave of SPAM that came out at the same time we were all switching to
3.05.5. I set up the trial of invuribl and found it a worthwhile addition
so I will be acquiring a licence.
As Invuribl takes care of some of the tests that pre-existed in my
global.cfg I would not mind seeing a global.cfg file that has been tuned
for
invuribl and sniffer. Sniffer is NOT running in persistent mode as that I
cannot get going (everything starts backlogging)
As I know many of you are into this tuning exercise I will include my
varies
setup files, global.cfg followed by invuribl.exe.config and declude.cfg.
Any tuning assistance will be greatly appreciated.
Thank you
GLOBAL.CFG:
#
# Declude JunkMail configuration file
#
PIDDEBUG OFF
CODE XXXXXXXX
# The "####" in the LOGFILE option gets replaced with the month/date with
v1.11 and higher
LOGFILE declude\dec####.log
LOGLEVEL LOW
HOP 0
#HOPHIGH 1
LOG_OK NONE
#
# Below are some advanced options
#
STOPPROCESSINGONFIRSTDELETE ON
CONSOLE OFF
HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT
XSENDER ON
XSPOOLNAME ON
XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.
XINHEADER X-Note: Spam Tests Failed: %TESTSFAILEDWITHWEIGHTS%
XINHEADER X-Note: REMOTEIP: %REMOTEIP%
XINHEADER X-Note: REVDNS: %REVDNS%
XINHEADER X-Note: FROM: %MAILFROM%
XINHEADER X-Note: TO: %RECIPHOST%
XINHEADER X-Spam-Tests-Failed: %TESTSFAILED% [%WEIGHT%]
XOUTHEADER X-Spam-Tests-Failed: %TESTSFAILED% [%WEIGHT%]
#XINHEADER X-Country-Chain: %COUNTRYCHAIN%
#XOUTHEADER X-Note: This E-mail was scanned by Declude JunkMail
(www.declude.com) for spam.
#IPBYPASS 127.0.0.1
#XOUTHEADER Organization: inTown Internet
#WHITELIST HABEAS
WHITELIST AUTH
#
# Definitions of the tests to use (do not edit unless you know what you
are
doing).
# These must come before the actions.
#
# First is the name of the check, then the type of check (ip4r is a DNS
lookup using
# the reverse of the IP address).
#
# For type ip4r, 'matchstring' is the string to look for, or "*" for
anything.
#
SPFFAIL spffail x x 3 0
AHBL ip4r dnsbl.ahbl.org * 5
0
DSBL ip4r list.dsbl.org * 8
0
ORDB ip4r relays.ordb.org * 5
0
SBL ip4r sbl-xbl.spamhaus.org * 28
0
SBBL ip4r sbbl.they.com 127.0.0.2 4 0
SOLID ip4r dnsbl.solid.net 127.0.0.2 5 0
EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl 127.0.0.2 7
0
SORBS-HTTP ip4r dnsbl.sorbs.net 127.0.0.2 8
0
SORBS-SOCKS ip4r dnsbl.sorbs.net 127.0.0.3 8
0
SORBS-MISC ip4r dnsbl.sorbs.net 127.0.0.4 8
0
SORBS-SMTP ip4r dnsbl.sorbs.net 127.0.0.5 7
0
SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 7
0
SORBS-WEB ip4r dnsbl.sorbs.net 127.0.0.7 7
0
SORBS-BLOCK ip4r dnsbl.sorbs.net 127.0.0.8 7
0
SORBS-ZOMBIE ip4r dnsbl.sorbs.net 127.0.0.9 7
0
SORBS-DUHL ip4r dnsbl.sorbs.net 127.0.0.10 3
0
BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -20
0
BOGUSMX rhsbl bogusmx.rfc-ignorant.org 127.0.0.8 5 0
DSBLMULTI ip4r multihop.dsbl.org 127.0.0.2 4 0
NJABL-DYNABLOCK ip4r dynablock.njabl.org 127.0.0.3 8
0
NJABL-RELAYS ip4r dnsbl.njabl.org 127.0.0.2 7
0
NJABL-DUL ip4r dnsbl.njabl.org 127.0.0.3 5
0N
NJABL-MULTI ip4r dnsbl.njabl.org 127.0.0.5 7
0
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 25
0
EASYNET-DNSBL ip4r blackholes.easynet.nl 127.0.0.2 25
0
SPAMHAUS ip4r sbl.spamhaus.org 127.0.0.2 25
0
FIVETEN-SPAM ip4r blackholes.five-ten-sg.com 127.0.0.2
5 0
FIVETEN-BULK ip4r blackholes.five-ten-sg.com 127.0.0.4
3 0
FIVETEN-MULTISTAGE ip4r blackholes.five-ten-sg.com 127.0.0.5
3 0
FIVETEN-SPAMSUPPORT ip4r blackholes.five-ten-sg.com 127.0.0.7
3 0
FIVETEN-MISC ip4r blackholes.five-ten-sg.com 127.0.0.9
3 0
MXRATE-BLOCK ip4r pub.mxrate.net
127.0.0.2 3 0
UCEPROTECT-LEVEL1 ip4r dnsbl-1.uceprotect.net *
3 0
UCEPROTECT-LEVEL2- ip4r dnsbl-2.uceprotect.net *
3 0
WHOIS-BOGONS-DYNA ip4r combined-HIB.dnsiplists.completewhois.com
127.0.0.2 3 0
WHOIS-HIJACKED-DYNA ip4r combined-HIB.dnsiplists.completewhois.com
127.0.0.3 3 0
WHOIS-INVALID-DYNA ip4r combined-HIB.dnsiplists.completewhois.com
127.0.0.4 3 0
#endnew
DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 5
0
NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 2
0
NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 1
0
MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 12
0
MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 12
0
DNSFRAUD rhsbl in.dnsbl.org 127.0.0.3 10
0
DNSILLEGAL rhsbl in.dnsbl.org 127.0.0.5 10
0
DNSPROMO rhsbl in.dnsbl.org 127.0.0.4 10
0
DYNHELO dynhelo x x 5 0
BADHEADERS badheaders x x 6 0
BASE64 base64 x x 5 0
CMDSPACE cmdspace x x 5 0
COMMENTS comments x x 6 0
HELOBOGUS helovalid x x 3 0
MAILFROM envfrom x x 10 0
#IPNOTINMX ipnotinmx x x 0 -1
PERCENT percent x x 11 0
REVDNS revdnsexists x x 5 0
ROUTING spamrouting x x 6 0
SPAMHEADERS spamheaders x x 6 0
SNIFFER external nonzero "D:\IMail\Declude\sniffer\umzqbs4l.exe
dky4t444qqpk69j6" 41 0
INV-URIBL external weight "D:\imail\invuribl\invuribl.exe %WEIGHT%
%REMOTEIP%" 0 0
FILTER-SUBJECT filter d:\IMail\Declude\FILTER-SUBJECT.txt x
0 0
BLACK fromfile d:\IMail\Declude\BLACKLIST.TXT x 20
0
# MYFILTER filter d:\IMail\Declude\myfilter.txt x
20 0
# SURBL filter d:\IMail\Declude\surbl\surbl.txt x
1 0
# IMFILTER filter d:\IMail\Declude\imfilter.txt x
0 0
WEIGHT10 weight x x 10 10
WEIGHT11 weight x x 11 11
WEIGHT12 weight x x 12 14
WEIGHT15 weight x x 15 18
WEIGHT19 weight x x 19 49
WEIGHT50 weight x x 50 0
CATCHALLMAILS catchallmails x x 0 0
INVURIBL:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings>
<!--For support email [EMAIL PROTECTED] -->
<!--License Key Required For invURIBL To Run-->
<add key="License_Key" value="XXXXXXXXXXXXX" />
<!--Enables the use of an exception file for domains that should be
skipped-->
<add key="Enable Exceptions File" value="true" />
<!--Path and Filename of the log file. If left blank the log file will
be generated in-->
<!--the same directory as the executable. If you have #### listed in
the file-->
<!--name it will be replaced with MMDD (Month and Day).-->
<add key="LogFile_Path" value="uribl-logfile####.txt" />
<!-- Options: NORMAL, HIGH, VERBOSE, NONE-->
<add key="Log_Mode" value="normal" />
<!-- If the passed in weight exceeds this value, invURIBL will exit
without -->
<!-- running any of the configured tests -->
<add key="SKIPWEIGHT" value="20" />
<!-- If the accumulated weight exceeds the value listed below invURIBL
will -->
<!-- return the MAXWEIGHT value -->
<add key="Enable_Max_Weight" value="true" />
<add key="MAXWEIGHT" value="20" />
<!-- If the accumulated weight is greater than zero and is less than
the
MINWEIGHT the MINWEIGHT value listed below will -->
<!-- be returned. Zero disables the MINWEIGHT Function -->
<add key="MINWEIGHT" value="10" />
<!-- invURIBL will exit when the first domain in either the URI or RBL
list. -->
<!-- If the domain is listed in the URI list the associated RBL lists
will be checked -->
<!-- as well before the application will exit -->
<add key="Stop_At_First_Match" value="false" />
<!-- Limit the number of URI Links checked. Setting this value to a
lower value will help performance -->
<!-- invURIBL will not count any of the links that are set as an
exception. -->
<add key="Max_URI_Links" value="20" />
<!--DNS_Server - The DNS Server that you want invURIBL to use for all
of
its DNS based lookups-->
<add key="DNS_Server" value="216.16.233.10" />
<!--DNS Server Timeout: Number of seconds that invURIBL will wait for a
response from the DNS Server (Beta 5)-->
<add key="DNS_Server_Timeout" value="1" />
<!--Max_Message_Size: If message size exceeds the amount specified
below
invURIBL will not process the message-->
<!--The value below is specified in Kbytes. 1000 = 1MB, A value of zero
disables this feature-->
<add key="Max_Message_Size" value="300" />
<!-- Program_Timeout: If the program runs for longer than the time
specified below (in seconds) invURIBL -->
<!-- Will Attempt to exit at the first available spot and return the
current weight -->
<add key="Program_Timeout" value="20" />
<!-- This is the URI Blacklist That The URI Will Be Checked Against -->
<add key="URIBL_List1" value="multi.surbl.org" />
<!-- Weight added to the result code or custom bitmask total. -->
<add key="URIBL_Weight_List1" value="3" />
<!--Allows you to override the normal values for bitmasks for a custom
return weight-->
<add key="Enable_Custom_Bitmask_Values_URIBL_List1" value="true" />
<!--If using multi.surbl.org see http://www.surbl.org/lists.html#multi
for which lists correspond -->
<!--to which bitmask values -->
<!-- BitValue_2 = comes from sc.surbl.org -->
<!-- BitValue_4 = comes from ws.surbl.org -->
<!-- BitValue_8 = comes from phishing data source (labelled as [ph] in
multi) -->
<!-- BitValue_16 = comes from ob.surbl.org -->
<!-- BitValue_32 = comes from ab.surbl.org -->
<!-- BitValue_64 = comes from jp data source (labelled as [jp] in
multi)
-->
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List1" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List1" value="7" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List1" value="2" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List1" value="5" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List1" value="3" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List1" value="7" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List1" value="10" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List1" value="0" />
<!--URI LIST 2-->
<add key="URIBL_List2" value="multi.uribl.com" />
<add key="URIBL_Weight_List2" value="0" />
<!-- BitValue_2 = comes from black.uribl.org -->
<!-- BitValue_4 = comes from grey.uribl.org -->
<!-- BitValue_8 = comes from red.uribl.org -->
<add key="Enable_Custom_Bitmask_Values_URIBL_List2" value="true" />
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List2" value="7" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List2" value="2" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List2" value="0" />
<!--Enables the checking of the URI's name servers against an RBL. -->
<!--If the name servers are listed in the RBL the defined weight will
-->
<!--be added. You also have an option to skip looking up the
nameservers -->
<!--if the URI is already listed in one of the URI lists-->
<!--Max_Name_servers_To_Check - Sets the number of name servers to
check. If set to zero -->
<!--all name servers returned from the DNS query will be checked-->
<add key="Enable_URI_Name_Server_Check" value="true" />
<add key="Skip_Check_If_URI_Listed_In_URI_List" value="false" />
<add key="Name_Server_RBL" value="sbl.spamhaus.org" />
<add key="Name_Server_Weight" value="5" />
<add key="Max_Name_Servers_To_Check" value="3" />
<!-- If enabled URI's will be resolved to their "A" Records.-->
<add key="ENABLE_URI_IP_LOOKUPS_IN_RBLS" value="true" />
<!--RBLx Specifies a RBL to lookup the resolved URI's "A" Record
Against
-->
<!--WEIGHT_RBLx Specifies the weight that will be added if the IP
Address is listed -->
<!--Bitmask_Skip_Options_RBLx - Bitmask value that allows you to skip
the associated RBL check if the URI -->
<!--is listed in the URI list or in the name server list. Values: 0 -
no
skipping will occur. 1 - Skip RBL -->
<!--check if URI was listed in a URI list. 2 - Skip RBL Check if URI's
name servers were listed in the name -->
<!--server RBL check. 3 - Skip the RBL check if either the URI is
listed in the URI list OR if the URI's name server -->
<!--was listed in the name server RBL. (Bitmask Skip RC 1)-->
<add key="RBL1" value="sbl.spamhaus.org" />
<add key="Bitmask_Skip_Options_RBL1" value="2" />
<add key="WEIGHT_RBL1" value="5" />
<add key="RBL2" value="cn.countries.nerd.dk" />
<add key="Bitmask_Skip_Options_RBL2" value="0" />
<add key="WEIGHT_RBL2" value="3" />
<add key="RBL3" value="kr.countries.nerd.dk" />
<add key="Bitmask_Skip_Options_RBL3" value="0" />
<add key="WEIGHT_RBL3" value="3" />
<add key="RBL4" value="ru.countries.nerd.dk" />
<add key="Bitmask_Skip_Options_RBL4" value="0" />
<add key="WEIGHT_RBL4" value="3" />
<!--Enables the checking of the resolved URI's IP address against
Senderbase -->
<!--If the IP addresses daily magnitude exceeds the monthly magnitude
by
the defined threshold -->
<!--the defined weight will be added (Beta 4)-->
<add key="Enable_URI_Senderbase_Magnitude_Check" value="false" />
<add key="URI_Senderbase_Magnitude_Threshold" value="50" />
<add key="URI_Senderbase_Magnitude_Weight" value="0" />
<!--Enables the checking of the remote mail servers IP address against
Senderbase -->
<!--If the remote mail servers IP addresses daily magnitude exceeds the
monthly magnitude -->
<!-- by the defined threshold the defined weight will be added (Beta
4)-->
<add key="Enable_RemoteMailServer_Senderbase_Magnitude_Check"
value="false" />
<add key="RemoteMailServer_Senderbase_Magnitude_Threshold" value="50"
/>
<add key="RemoteMailServer_Senderbase_Magnitude_Weight" value="0" />
</appSettings>
</configuration>
DECLUDE.CFG
threads 20
waitformail 500
waitforthreads 1500
waitbetweenthreads 100
concatetelogsthreshold 10
concatetelogs
Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
