One problem with a combo on INVURIBL and SNIFFER is that they may both be detecting on the same thing: the URL links.
I find it best to use combos on different elements.
----- Original Message -----
Sent: Monday, March 06, 2006 5:17 PM
Subject: RE: [Declude.JunkMail] How to add extra points to this

Hi Andrew,

 

I was thinking specifically of a combo filter of both SNIFFER and INVURIBL and then adding keywords. The current campaign of one or two munged words and then news in the subject line is annoying me since it seems to be able to slip through in the early stages. I have already created a combo filter that helps a bunch, DUL space and then adding some more for SNF and URI.

 

I suppose adding a combo of SNF and URI by themselves could also work.

 

Goran Jovanovic

Omega Network Solutions

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, March 06, 2006 6:09 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] How to add extra points to this

 

"I will think about a special filter test with a keyword that should be able to get rid of more of this SPAM."

 

Goran, I suggest that making a "combo" test that awards more weight when both Message Sniffer and your URI external test trigger will be a better value for you, as it will be far more wide-ranging than merely adding keywords for the current campaign.

 

Andrew 8)

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Monday, March 06, 2006 1:31 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] How to add extra points to this

And just for the record the CBL, SBL, and SBL-XBL tests that you mentioned are now listed are all the same thing; only CBL is really listing the IP address, while SBL and SBL-XBL are including the CBL result.

 

Our favorite R. Scott Perry has added a little summary at the top of DNSSTUFF when you look up an IP in the SPAM databases. I just did a cut and paste from there. I only test the combined sbl-xbl.spamhaus.org zone.

 

I may decide to go to adding weight for Countries but I find that a bit risky. I have many different customers.

 

I will think about a special filter test with a keyword that should be able to get rid of more of this SPAM.

 

Thanks

 

Goran Jovanovic

Omega Network Solutions


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, March 06, 2006 3:03 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] How to add extra points to this

 

Message Sniffer plus any URI blacklist test is a powerful and reliable combination.  You could add keywords to make it an even stronger weight if you wanted to maintain that.

 

You could also implement the COUNTRY filter and give a little nudge weight for CO (Colombia) if you think you get very little spam from there; if you do, I'd suggest adding Brazil, Peru and Venezuela in there too.

 

And just for the record the CBL, SBL, and SBL-XBL tests that you mentioned are now listed are all the same thing; only CBL is really listing the IP address, while SBL and SBL-XBL are including the CBL result.

 

Scott recently posted to the list a whole handful of "combo" tests that he finds reliable.  If you're not keeping messages from this list, you might want to check the web archive for his posting(s).

 

Andrew 8)

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Monday, March 06, 2006 7:36 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] How to add extra points to this

Hi

 

Here are the headers from a bunch of SPAM that is slipping through.

 

Subject:    Re: Para7mcy news
To:         [EMAIL PROTECTED]
From:       [EMAIL PROTECTED]
REV DNS:    corporativos244254-29.etb.net.co
Date:       06 Mar 2006 at 02:42:18
Tests Failed:     IPNOTINMX [0], NOLEGITCONTENT [0], SNIFFER [7], INV-URIBL [15], SIZE-BT-1KB-5KB [1]
Weight:           23
Spool File: De7c016fa0086126d.smd

To view the E-mail, just click the attachment.

Headers:
Received: from nicsweb.com [201.244.254.29] by mail1.omeganetworksolutions.net
  (SMTPD32-8.15) id A7C116FA0086; Mon, 06 Mar 2006 02:41:53 -0500
Message-ID: <[EMAIL PROTECTED]>
Reply-To: "Pallav Jenkins" <[EMAIL PROTECTED]>
From: "Pallav Jenkins" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Para7mcy news
Date: Mon, 6 Mar 2006 02:41:25 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_0001_01C640C7.764CC4D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

 

As you can see the sending server is not blacklisted. SNIFFER and invURIBL pick it up but it is not high enough (need 30 to delete).

 

I checked the IP http://www.dnsstuff.com/tools/whois.ch?ip=201.244.254.29 and it belongs to ETB in Colombia.

 

I checked senderbase http://www.senderbase.org/search?searchString=201.244.254.29 and, from what I understand, a magnitude of 2.7 is not a lot.

 

Checking DNSSTUFF now http://www.dnsstuff.com/tools/ip4r.ch?ip=201.244.254.29 shows that it is blacklisted by CBL CSMA-SBL DNSBLNETAUT1 SBL-XBL SPAMCOP

 

Arrgh – it was listed a little while after this message went through.

 

In any case does anyone have any good ideas on how to block this SPAM when it is not on the black lists?

 

I have thought of writing a filter that checks for both SNIFFER and INVURIBL and if the subject has the word NEWS in it then add another 5 (or so points).

 

Goran Jovanovic

Omega Network Solutions

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
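
Added example, not part of the thread and not Declude configuration syntax: a small Python model of the weighting discussed above, run on the "Tests Failed" line and subject from the first post. The test name SUBJECT-NEWS, the INSPECTS mapping and the function names are hypothetical; the mapping encodes the first reply's remark that SNIFFER and INV-URIBL may both key on the URL links.

```python
import re

# Constructed from the "Tests Failed" line and subject quoted in the thread.
TESTS_FAILED = ("IPNOTINMX [0], NOLEGITCONTENT [0], SNIFFER [7], "
                "INV-URIBL [15], SIZE-BT-1KB-5KB [1]")
SUBJECT = "Re: Para7mcy news"
DELETE_AT = 30  # the thread's delete threshold

# Assumption: the message element each test keys on. The first reply says
# SNIFFER and INV-URIBL may both be detecting the URL links.
INSPECTS = {"SNIFFER": "url", "INV-URIBL": "url", "SUBJECT-NEWS": "subject"}

def parse_tests(line):
    """Parse 'NAME [weight], ...' into {name: weight}."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"([A-Za-z0-9_-]+)\s*\[(-?\d+)\]", line)}

def score(tests, subject, combos):
    """Apply combos [(required_names, extra_weight)]; return (total, overlaps)."""
    fired = set(tests)
    if re.search(r"\bnews\b", subject, re.IGNORECASE):
        fired.add("SUBJECT-NEWS")  # hypothetical keyword test
    total, overlaps = sum(tests.values()), []
    for required, extra in combos:
        if set(required) <= fired:
            total += extra
            elements = [INSPECTS.get(name, name) for name in required]
            if len(set(elements)) < len(elements):
                overlaps.append(required)  # two members watch the same element
    return total, overlaps

def action(total):
    """Return the outcome for a total weight under the thread's threshold."""
    return "delete" if total >= DELETE_AT else "below-threshold"

if __name__ == "__main__":
    tests = parse_tests(TESTS_FAILED)
    proposed = ("SNIFFER", "INV-URIBL", "SUBJECT-NEWS")
    for extra in (5, 7):
        total, overlaps = score(tests, SUBJECT, [(proposed, extra)])
        print(extra, total, action(total), overlaps)
```

On this sample a combo weight of 5 gives 28, still under the threshold of 30, while 7 reaches it; the overlap list shows when a combo's members share an inspected element.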
