That’s a good idea, so I looked at what I have in the config file: <!--URI LIST 2--> <add key="URIBL_List2" value="multi.uribl.com" /> <add key="URIBL_Weight_List2" value="0" /> <!-- BitValue_2 = comes from black.uribl.org --> <!-- BitValue_4 = comes from grey.uribl.org --> <!-- BitValue_8 = comes from red.uribl.org --> <add key="Enable_Custom_Bitmask_Values_URIBL_List2" value="true" /> <add key="URI_Bitmask_BitValue_1_Weight_URIBL_List2" value="0" /> <add key="URI_Bitmask_BitValue_2_Weight_URIBL_List2" value="7" /> <add key="URI_Bitmask_BitValue_4_Weight_URIBL_List2" value="0" /> <add key="URI_Bitmask_BitValue_8_Weight_URIBL_List2" value="2" /> <add key="URI_Bitmask_BitValue_16_Weight_URIBL_List2" value="0" /> <add key="URI_Bitmask_BitValue_32_Weight_URIBL_List2" value="0" /> <add key="URI_Bitmask_BitValue_64_Weight_URIBL_List2" value="0" /> <add key="URI_Bitmask_BitValue_128_Weight_URIBL_List2" value="0" />
I’m not an expert, but this seems to say that showing up in the black, grey, or red lists gets you scores of 7, 0 2 corresponding to bitmasks results of 127.0.0.2, 127.0.0.4, and 127.0.0.8. So then I went to the uribl.com web site to look up the definitions of these lists: ■black.uribl.com - This lists contains domain names belonging to and used by spammers, including but not restricted to those that appear in URIs found in Unsolicited Bulk and/or Commercial Email (UBE/UCE). This list has a goal of zero False Positives. This zone rebuilds frequently as new data is added. ■grey.uribl.com - This lists contains domains found in UBE/UCE, and possibly honour opt-out requests. It may include ESPs which allow customers to import their recipient lists and may have no control over the subscription methods. This list can and probably will cause False Positives depending on your definition of UBE/UCE. This zone rebuilds several times a day as necessary. ■red.uribl.com - This list contains domains that actively show up in mail flow, are not listed on URIBL black, and are either: being monitored, very young (domain age via whois), or use whois privacy features to protect their identity. This list is automated in nature, so please use at your own risk. >From this, I don’t understand why red would rate a score of 2 and grey a score >of 0. It seems to me that grey is in between black and red, and should >probably have a score of 3 or 4. In my system, that kind of score wouldn’t be >enough to cause the message to be treated as spam (my Declude threshold for >“ordinary email” is 5), but it would if combined with other failed tests. Any thoughts on this? Thanks, Ben From: Nick Hayer Sent: Tuesday, April 05, 2011 5:52 PM To: Declude.JunkMail@declude.com Subject: re: [Declude.JunkMail] How do you read the Inv-Uribl log file? maybe it scores bitmask results and 127.0.0.4 response is not tagged? -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm -------------------------------------------------------------------------------- From: "Imail Admin" <imailad...@bcwebhost.net> Sent: Tuesday, April 05, 2011 8:36 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] How do you read the Inv-Uribl log file? So I'm still looking at ways to make Inv-Uribl more effective. I'm getting a lot of spam that gets through my system with relatively marginal score so I'm looking at the Inv-Uribl log. Here are the lines for a message that I would consider to be obviously spam, yet came through Inv-Uribl as "Clean": 2011-03-31 02:53:09.343 2011-03-31 02:53:12.484 D:\IMail\spool\proc\work\D5d0b028c0000100f.smd netcontentinc.com 127.0.0.4 URI from message body found in multi.uribl.com [4] [Total Weight=0] 2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c0000100f.smd Resolved netcontentinc.com to 207.65.119.238 [Total Weight=0] 2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c0000100f.smd Resolved avantresources.com to 216.139.251.42 [Total Weight=0] 2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c0000100f.smd Resolved bcwebhost.net to 173.164.65.196 [Total Weight=0] Did I miss something here that should have triggered a score (additional spam weight in Declude)? Thanks, Ben --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
