Hi Todd,

Note that the rulebase for the trial of Sniffer lags behind the latest definitions by a few days. That makes a huge difference in the capture rate when spam campaigns change as frequently as they have been doing lately. An up-to-date Sniffer rulebase generally captures 90-95% on our systems. So get a subscription and you can set up a program alias in IMail to update your Sniffer rulebase when a new one is available. Pete has them up to about every 3 hours now, I believe.

I think it's time to start tweaking your weights. Out of the box gets maybe 80%, but with tweaking a number of us get over 99.5% capture rate with few false positives. That's 40 times less spam.

Yes, whitelisting is bad due mainly to forging of addresses/domains. Negative weighting is much better. SPF is also a great way to combat forging if you can control what servers mail is sent from.

Contact me off list and we can review your configs, but definitely get a Sniffer subscription.

Darin.

----- Original Message -----
From: "Todd Richards" <[EMAIL PROTECTED]>
To: <declude.junkmail@declude.com>
Sent: Thursday, November 02, 2006 7:38 PM
Subject: [Declude.JunkMail] One step forward, ten back

Hi Everyone -

We are getting completely hammered by spam and I'm about at my wits' end. A few weeks ago I added a 30-day trial of Message Sniffer and it doesn't seem to be doing any good.

Today, I upgraded to the newest version of Declude. I "think" everything went ok. After reading through the documentation (again) I went through my global.cfg file and cleaned up some things that were questionable. For instance, we had several domains in the WHITELIST TO and WHITELIST FROM. From what I've read and heard through the lists, it's not a good idea to whitelist anything. In fact, earlier today I had some spam come through that was "from" a whitelisted domain so it just let it through. So I commented them out and planned to watch my spam account (instead of deleting I have caught messages sent to another account for review) to see the results.

So... This happened about 5pm tonight. I went through a short spurt but in the last 90 minutes since then I alone have received over 150 spam messages. Before I made my changes tonight, that is about the number I would receive in one day (which is still too many).

In one message, this was in the header. To me, it should have failed and been stopped.

X-Declude-Scan: Incoming Score [39] at 17:59:29 on 02 Nov 2006
X-Declude-Fail: CBL [6], FIVETEN-SRC [4], SPAMCOP [7], REVDNS [8], ROUTING [2], SNIFFER [12], WEIGHT10 [10], WEIGHT14 [14], WEIGHT20 [20], WEIGHT20a [20]

Does anyone have any suggestions as to what I might be doing wrong, or what I should look at next? Would anyone (off-list) be willing to look at my config files and see if something is apparently wrong? Are there any sample files where a newbie might be able to see how others have theirs set up? I have been running Declude for over a year, and with the exception of some minor tweaks, it's pretty much running "out-of-the-box".

For those who are interested, I'm running Imail 8.22 (with latest hotfix) on Windows 2000 server, as well as the Declude Suite, Message Sniffer, and inv-URBL 2.7.

Thanks for any input or direction you can offer.

Todd

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.