Re: [Declude.JunkMail] RBL's becoming worthless...

2005-07-27 Thread Scott Fisher
    <!-- is listed -->
    <!-- Bitmask_Skip_Options_RBLx - Bitmask value that allows you to skip the associated RBL check if the URI -->
    <!-- is listed in the URI list or in the name server list. Values: 0 - no skipping will occur. 1 - Skip RBL -->
    <!-- check if URI was listed in a URI list. 2 - Skip RBL Check if URI's name servers were listed in the name -->
    <!-- server RBL check.  3 - Skip the RBL check if either the URI is listed in the URI list OR if the URI's name server -->
    <!-- was listed in the name server RBL.  (Bitmask Skip RC 1) -->
    <add key="RBL1" value="sbl.spamhaus.org" />
    <add key="Bitmask_Skip_Options_RBL1" value="2" />

    <!-- WEIGHT_RBLx Specifies the weight that will be added if the IP Address is listed -->
    <add key="WEIGHT_RBL1" value="75" />

    <!-- Bitmask_Skip_Options_RBL2 appears twice below, as posted -->
    <add key="Bitmask_Skip_Options_RBL2" value="0" />
    <add key="Bitmask_Skip_Options_RBL2" value="2" />
    <add key="RBL2" value="cn-kr.blackholes.us" />
    <add key="WEIGHT_RBL2" value="75" />

    <!-- Bitmask_Skip_Options_RBL3 appears twice below, as posted -->
    <add key="Bitmask_Skip_Options_RBL3" value="0" />
    <add key="Bitmask_Skip_Options_RBL3" value="2" />
    <add key="RBL3" value="russia.blackholes.us" />
    <add key="WEIGHT_RBL3" value="75" />

    <!-- Enables the checking of the resolved URI's IP address against Senderbase -->
    <!-- If the IP address's daily magnitude exceeds the monthly magnitude by the defined threshold -->
    <!-- the defined weight will be added -->
    <add key="Enable_URI_Senderbase_Magnitude_Check" value="false" />
    <add key="URI_Senderbase_Magnitude_Threshold" value="50" />
    <add key="URI_Senderbase_Magnitude_Weight" value="0" />

    <!-- Enables the checking of the remote mail server's IP address against Senderbase -->
    <!-- If the remote mail server's IP address's daily magnitude exceeds the monthly magnitude -->
    <!-- by the defined threshold the defined weight will be added -->
    <add key="Enable_RemoteMailServer_Senderbase_Magnitude_Check" value="false" />
    <add key="RemoteMailServer_Senderbase_Magnitude_Threshold" value="50" />
    <add key="RemoteMailServer_Senderbase_Magnitude_Weight" value="0" />

  </appSettings>
</configuration>

- Original Message - 
From: Markus Gufler [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Tuesday, July 26, 2005 5:37 PM
Subject: RE: [Declude.JunkMail] RBL's becoming worthless...



Chuck,

Here are some numbers from my side:

100k messages in the last 7 days
50.5% identified as legit, 49.5% as spam (viruses were filtered out before)

The best IP4R-based tests were
CBL (21%, 0.37% FP), SPAMCOP (21%, 0.47% FP) and XBL-DYNA (19%, 0.27% FP)
So they catch less than 50% of incoming spam without creating a significant
number of false positives.
FIVETEN-SRC was able to catch 24% of spam but also had FPs on around 6%
of all processed messages.

A text-filter combining the results of different IP4R-based tests has
reached a catch rate of 36%. I consider it the current maximum that can be
reached with IP4R-based tests while having a - let's say - moderate number of
false positives.

INV-URIBL instead can catch 37% of all messages as spam and I must say that
up to now I haven't had time to try improving the INV-URIBL config file. (Any
suggestion is welcome!) It's also important that the number of FPs for this
test is near zero.

SNIFFER was able to catch 47% of all spam messages but I must also say that
there was a significant number of false positives (5%). Most of them were
generated by SNIFFER-GENERAL and SNIFFER-RICH.

SPAMCHK had correct results on around 45% of all messages, but also had
around 7% FPs.

Other excellent tests were CMDSPACE (30%, 1% FP) and HELOISIP (13%, 0.17% FP).

Due to Declude's weighting system and the combination of all these tests I
see between 10 and 20 spam messages each month in my inbox, while catching
more than 300 spams each day.

Markus




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Tuesday, July 26, 2005 7:57 PM
To: Declude. JunkMail
Subject: [Declude.JunkMail] RBL's becoming worthless...

In the last several months we have seen a large quantity of
spam coming from IP blocks that never seem to get listed on
any RBL.  Spamcop is about the only one that picks some of
them up and once in a while spamhaus.  There was a block last
night that sent several hundred and sendbase.org showed they
had detected no email from that block.

The reason I bring this up is because when we first started
blocking spam I would say the blacklists would catch almost
90% so we relied heavily on the blacklist.  With the
blacklists not being as effective we need to rely on other
tests like sniffer but that misses a lot also.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be
found at http://www.mail-archive.com.




Re: [Declude.JunkMail] RBL's becoming worthless...

2005-07-27 Thread Scott Fisher

One more comment...

The new Declude test
HELO-DYNAMIC  dynhelo  x x 50 0

works almost as well as the HELOISIP external test. And it is built in.




RE: [Declude.JunkMail] RBL's becoming worthless...

2005-07-27 Thread Keith Johnson
Scott,
What type of speed are you getting from using the invuribl?  We
take in/out well over 70K emails per day on each server, 1 of them takes
in/out 150K.  As I understand it, it is very CPU intensive.  Thanks for
the aid.

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, July 27, 2005 9:45 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] RBL's becoming worthless...

Markus:

Here's my invuribl config file...
I add points for being on various URI lists up to a max of 200.
Subject tag at 100, hold at 200, delete at 300:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>

    <!-- License Key Required For invURIBL To Run -->
    <add key="License_Key" value="mykey" />

    <!-- Enables the use of an exception file for domains that should be skipped -->
    <add key="Enable Exceptions File" value="true" />

    <!-- Path and Filename of the log file.  If left blank the log file will be generated in -->
    <!-- the same directory as the executable.  If you have  listed in the file -->
    <!-- name it will be replaced with MMDD (Month and Day). -->
    <add key="LogFile_Path" value="invuribl-logfile.txt" />

    <!-- Options: NORMAL, HIGH, VERBOSE, NONE -->
    <add key="Log_Mode" value="HIGH" />

    <!-- If the passed in weight exceeds this value, invURIBL will exit without -->
    <!-- running any of the configured tests -->
    <add key="SKIPWEIGHT" value="500" />

    <!-- If the accumulated weight exceeds the value listed below invURIBL will -->
    <!-- return the MAXWEIGHT value -->
    <add key="Enable_Max_Weight" value="true" />
    <add key="MAXWEIGHT" value="200" />

    <!-- invURIBL will exit when the first domain is found in either the URI or RBL list. -->
    <!-- If the domain is listed in the URI list the associated RBL lists will be checked -->
    <!-- as well before the application will exit -->
    <add key="Stop_At_First_Match" value="true" />

    <!-- DNS Server Timeout: Number of seconds that invURIBL will wait for a response from the DNS Server (Beta 5) -->
    <add key="DNS_Server_Timeout" value="2" />

    <!-- This is the URIBL That The Domains Will Be Checked Against -->
    <add key="URIBL_List1" value="multi.surbl.org" />

    <!-- Will return the last octet as the weight.  If Custom Bitmask Values Are Enabled -->
    <!-- their values will take precedence over this setting -->
    <!-- <add key="URIBL_Return_Result_As_Weight" value="false" /> -->

    <!-- Weight added to the result code or custom bitmask total. -->
    <add key="URIBL_Weight_List1" value="0" />

    <!-- Allows you to override the normal values for bitmasks for a custom return weight -->
    <add key="Enable_Custom_Bitmask_Values_URIBL_List1" value="true" />

    <!-- If using multi.surbl.org see http://www.surbl.org/lists.html#multi for which lists correspond -->
    <!-- to which bitmask values -->
    <add key="URI_Bitmask_BitValue_1_Weight_URIBL_List1" value="0" />
    <add key="URI_Bitmask_BitValue_2_Weight_URIBL_List1" value="100" />
    <add key="URI_Bitmask_BitValue_4_Weight_URIBL_List1" value="50" />
    <add key="URI_Bitmask_BitValue_8_Weight_URIBL_List1" value="100" />
    <add key="URI_Bitmask_BitValue_16_Weight_URIBL_List1" value="100" />
    <add key="URI_Bitmask_BitValue_32_Weight_URIBL_List1" value="100" />
    <add key="URI_Bitmask_BitValue_64_Weight_URIBL_List1" value="50" />
    <add key="URI_Bitmask_BitValue_128_Weight_URIBL_List1" value="0" />

    <!-- URI LIST 2 -->
    <add key="URIBL_List2" value="xs.surbl.org" />
    <add key="URIBL_Weight_List2" value="50" />
    <add key="Enable_Custom_Bitmask_Values_URIBL_List2" value="false" />
    <add key="URI_Bitmask_BitValue_1_Weight_URIBL_List2" value="0" />
    <add key="URI_Bitmask_BitValue_2_Weight_URIBL_List2" value="0" />
    <add key="URI_Bitmask_BitValue_4_Weight_URIBL_List2" value="0" />
    <add key="URI_Bitmask_BitValue_8_Weight_URIBL_List2" value="0" />
    <add key="URI_Bitmask_BitValue_16_Weight_URIBL_List2" value="0" />
    <add key="URI_Bitmask_BitValue_32_Weight_URIBL_List2" value="0" />
    <add key="URI_Bitmask_BitValue_64_Weight_URIBL_List2" value="0" />
    <add key="URI_Bitmask_BitValue_128_Weight_URIBL_List2" value="0" />

    <!-- URI LIST 3 -->
    <add key="URIBL_List3" value="multi.uribl.com" />
    <add key="URIBL_Weight_List3" value="0" />
    <add key="Enable_Custom_Bitmask_Values_URIBL_List3" value="true" />
    <add key="URI_Bitmask_BitValue_1_Weight_URIBL_List3" value="0" />
    <add key="URI_Bitmask_BitValue_2_Weight_URIBL_List3" value="50" />
    <add key="URI_Bitmask_BitValue_4_Weight_URIBL_List3" value="0" />
    <add key="URI_Bitmask_BitValue_8_Weight_URIBL_List3" value="0" />
    <add key="URI_Bitmask_BitValue_16_Weight_URIBL_List3" value="0" />
    <add key="URI_Bitmask_BitValue_32_Weight_URIBL_List3" value="0" />
    <add key="URI_Bitmask_BitValue_64_Weight_URIBL_List3" value="0" />
    <add key="URI_Bitmask_BitValue_128_Weight_URIBL_List3" value="0" />

    <!-- Enables the checking of the URI's name servers against an RBL. -->
    <!-- If the name servers are listed in the RBL the defined weight will -->
    <!-- be added.  You also have an option to skip looking up the nameservers -->
    <!-- if the URI is listed -->
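
An added example, in Python, of how the settings above combine into a score. This is not invURIBL's code and not Scott's; invURIBL's internals are not shown on this page. The bit weights, SKIPWEIGHT and MAXWEIGHT are taken from the config, while FAKE_DNS, the 127.0.0.x answers in it and all the function names are this example's own assumptions. Which SURBL sub-list each bit stands for is documented on the SURBL page linked in the config, not decided here. The block shows the custom-bitmask decode of a 127.0.0.N answer, the alternative "last octet is the weight" mode, the SKIPWEIGHT early exit, the MAXWEIGHT cap and Stop_At_First_Match.

```python
import ipaddress

# Weights for the multi.surbl.org bits exactly as the config above sets them for List1.
LIST1_BIT_WEIGHTS = {1: 0, 2: 100, 4: 50, 8: 100, 16: 100, 32: 100, 64: 50, 128: 0}
LIST1_BASE_WEIGHT = 0   # URIBL_Weight_List1
SKIPWEIGHT = 500        # incoming weight above this: exit without testing
MAXWEIGHT = 200         # cap on what this scanner adds

# Constructed stand-in for the resolver (query name -> A answer). A real
# lookup would issue a DNS A query for this name; absent means "not listed".
FAKE_DNS = {
    "spammer-site.example.multi.surbl.org": "127.0.0.10",  # bits 2 and 8 set
    "multi-hit.example.multi.surbl.org": "127.0.0.62",     # bits 2, 4, 8, 16, 32 set
    "other.example.multi.surbl.org": "127.0.0.64",         # bit 64 only
}


def uribl_query_name(domain: str, zone: str) -> str:
    """A URIBL is queried by prepending the extracted domain to the zone name."""
    return f"{domain.rstrip('.').lower()}.{zone}"


def last_octet(answer: str) -> int:
    """Bitmask lists encode which sub-lists hit in the last octet of a 127.0.0.x answer."""
    addr = ipaddress.IPv4Address(answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        # A lapsed or wildcarded zone can answer with a public address for every name;
        # counting that as a listing would score every message as spam.
        raise ValueError(f"non-DNSBL answer {answer}: not a listing")
    return int(addr) & 0xFF


def bitmask_weight(answer: str, bit_weights=LIST1_BIT_WEIGHTS,
                   base_weight=LIST1_BASE_WEIGHT) -> int:
    """Custom-bitmask mode: add the configured weight of every set bit, plus the base weight."""
    octet = last_octet(answer)
    return base_weight + sum(w for bit, w in bit_weights.items() if octet & bit)


def result_as_weight(answer: str) -> int:
    """URIBL_Return_Result_As_Weight mode: the raw last octet is the weight."""
    return last_octet(answer)


def score_message(domains, incoming_weight: int, zone="multi.surbl.org", resolver=FAKE_DNS):
    """Return (weight_added, domains_checked) under SKIPWEIGHT / MAXWEIGHT / Stop_At_First_Match."""
    if incoming_weight > SKIPWEIGHT:
        return 0, 0                      # already over the line: skip every lookup
    total, checked = 0, 0
    for d in dict.fromkeys(domains):     # each distinct domain is looked up once
        checked += 1
        answer = resolver.get(uribl_query_name(d, zone))
        if answer is None:
            continue
        total += bitmask_weight(answer)
        break                            # Stop_At_First_Match=true
    return min(total, MAXWEIGHT), checked
```

With these weights a single hit on bits 2 and 8 already reaches the 200 cap, so a message with a worse answer (127.0.0.62 decodes to 450) adds no more; the cap, not the bit table, sets the ceiling, which is the point of Scott's "up to a max of 200".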

Re: [Declude.JunkMail] RBL's becoming worthless...

2005-07-27 Thread Scott Fisher

Darrell would be a better answerer of this question:

Speed is directly dependent on the number of URIs in the email.
The runtime for most of my messages is about 1 to 2 seconds.
It tends to run longer on some ham messages with lots of links.

The SKIPWEIGHT and MAXWEIGHT options can help cut down on the scanning. A 
lot of blatant spam for me gets bypassed by invuribl with the SKIPWEIGHT.
You can also cut out on processing with the senderipwhitelist file which 
will skip scanning from the IPs/CIDRs listed.



Re: [Declude.JunkMail] RBL's becoming worthless...

2005-07-27 Thread Darrell \([EMAIL PROTECTED])
On my system I process about 120K messages a day.  The system is a dual Xeon 
2.8GHz with 1GB of RAM.  The server's CPU usage throughout the day ranges from 30% 
to 70%.  There are spikes at 100% but they are short-lived and correlated to 
a rush of incoming mail.  The scan time for a message going through invURIBL 
on my system averages around 1 sec. 

I would agree that invURIBL uses a bit of CPU - a lot of it results from 
having to decode the message from its format (base64, quoted printable, 
etc).  From my testing across various systems it can add about 10-15% extra 
CPU.  This will vary per system depending on hardware and existing load on 
your server. 

I make extensive use of SKIPWEIGHT, MAXWEIGHT, and the exception files and 
this pays off with lowering run time and CPU. 


Hope this helps.
Darrell 





Re: [Declude.JunkMail] RBL's becoming worthless...

2005-07-27 Thread Scott Fisher
I was just checking some of my results on the RBLs and the spammers are 
definitely getting smarter.


When I started using Declude in Feb 2004, Spamcop hit on 83% of all the spam 
messages.

For June 2005, Spamcop hit on 48% of all spam messages.

Fiveten Spam dropped from 62% to 41% in the same time frame.

Two (newer) RBLs that seem to work:

1. uceprotect is nice because of its accuracy:
dnsbl-1.uceprotect.net lists single IP addresses. 99.9% accurate here; 32 
to 35% of the total spam tagged.
dnsbl-2.uceprotect.net lists /24 subnets. 99.8% accurate here; 33 to 38% 
of the total spam tagged.


An IP address could be on both lists, causing double-scoring. I use a filter 
to prevent that myself.


2. mxrate has a higher number of total hits, but with less accuracy.
pub.mxrate.net: 98.9% accurate here.  59 to 62% of the total spam tagged.

3. If you are feeling advanced...
I've posted a program that takes the ASSP Greylist and turns it into an ip4r 
DNS that you can test against. You'll need some DNS knowledge as you'll need 
to run this on your DNS server.
Using this DNS, I find that an ASSP score of .99 tags about 13% of the total 
spams at 99.9% accuracy.
An ASSP score of .91 to .98 tags about 43% of the total spams at 99.3% 
accuracy.








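
The double-scoring filter Scott describes for the two uceprotect lists, as an added Python example. It is not Declude's filter syntax and not his code: it builds the ip4r query name (octets reversed, then the zone) for each list and adds the /24 list's weight only when the single-IP list did not already hit. The weights 40 and 30, the FAKE_DNS answers and the function names are this example's assumptions; uceprotect's real answer codes are not on this page.

```python
import ipaddress

DNSBL_NET = ipaddress.IPv4Network("127.0.0.0/8")   # DNSBLs answer inside this range

# Assumed weights; the two lists are about equally accurate in Scott's numbers,
# so the only thing the weights are meant to show here is the no-double-count rule.
SINGLE_IP_LIST = ("dnsbl-1.uceprotect.net", 40)   # lists individual addresses
SUBNET_LIST = ("dnsbl-2.uceprotect.net", 30)      # lists whole /24s

# Constructed answers standing in for real DNS; an absent name means "not listed".
FAKE_DNS = {
    "4.3.2.1.dnsbl-1.uceprotect.net": "127.0.0.2",
    "4.3.2.1.dnsbl-2.uceprotect.net": "127.0.0.2",          # same host, also on the /24 list
    "9.3.2.1.dnsbl-2.uceprotect.net": "127.0.0.2",          # only its /24 is listed
    "1.0.168.192.dnsbl-1.uceprotect.net": "208.77.188.166", # bogus non-127/8 answer
}


def ip4r_name(ip: str, zone: str) -> str:
    """ip4r query name: the address with its octets reversed, then the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    addr = ipaddress.IPv4Address(ip)   # rejects junk before it can become a DNS name
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(name: str, resolver=FAKE_DNS) -> bool:
    """A listing is an A record inside 127.0.0.0/8; anything else is not trusted as a hit."""
    answer = resolver.get(name)
    return answer is not None and ipaddress.IPv4Address(answer) in DNSBL_NET


def score_ip(ip: str, resolver=FAKE_DNS):
    """Return (weight, hit_zones). The /24 list adds weight only when the single-IP list missed."""
    hits, weight = [], 0
    single_zone, single_w = SINGLE_IP_LIST
    subnet_zone, subnet_w = SUBNET_LIST
    if is_listed(ip4r_name(ip, single_zone), resolver):
        hits.append(single_zone)
        weight += single_w
    if is_listed(ip4r_name(ip, subnet_zone), resolver):
        hits.append(subnet_zone)
        if single_zone not in hits:      # the double-scoring filter
            weight += subnet_w
    return weight, hits
```

Both hits are still recorded, so the log shows that the /24 is listed too; only the weight is suppressed. The 127.0.0.0/8 check matters for the same reason as with any ip4r zone: a zone that has lapsed or is wildcarded can answer for every query, and without the range check every sending host would score as listed.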


Re: [Declude.JunkMail] RBL's becoming worthless...

2005-07-26 Thread Darrell \([EMAIL PROTECTED])

Chuck,

Agreed.  This is why URI filtering is essential now.  From the SURBL site.

 [URI Filtering] We feel this is a promising approach since it addresses
the core problem of spam most directly: the sites advertised in the spams.
Spammers have found ways to get around conventional RBLs by stealing
services from multiple open relays or hijacking computers using viruses or
trojan horse programs. Because of this theft of services and forced entry
into unsuspecting victim computers, spammers are able to exploit multiple
new mail sources, sometimes for only a few minutes at a time, faster than
RBLs can identify and block mail from those addresses. This is a significant
weakness in conventional RBLs, and spammers have devised various ways to
exploit it. There are other problems with conventional RBLs that can make
their use potentially problematic. (This is not meant to be a criticism of
RBLs however. Like most other mail administrators, I use some conventional
RBLs on my mail servers to do things like block open relays, etc. So
conventional RBLs can be used effectively together with SURBL.)

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG
Integration, and Log Parsers.





RE: [Declude.JunkMail] RBL's becoming worthless...

2005-07-26 Thread Dave Marchette
Agreed.  I had to take my INV URI filtering offline for a few days for
some testing.  Upon looking back at my kill stats I was intrigued by how
much is actually missed by RBL but is caught by INV URI.  

  



RE: [Declude.JunkMail] RBL's becoming worthless...

2005-07-26 Thread David Barker
Chuck,

Send me your global.cfg and $default$.junkmail so that I can have a look to see
if there are additional tests that we can use to help increase scoring on
spam.

David B
dbarker @ declude.com 
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Tuesday, July 26, 2005 1:57 PM
To: Declude. JunkMail
Subject: [Declude.JunkMail] RBL's becoming worthless...

In the last several months we have seen large quantity of spam coming from
IP blocks that never seem to get listed on any RBL.  Spamcop is about the
only one that picks some of them up and once in awhile spamhaus.  There was
a block last night that sent several hundred and sendbase.org showed they
had detected no email from that block.

The reason I bring this up is because when we first started blocking spam I
would say the blacklists would catch almost 90% so we relied heavily on the
blacklist.  With the blacklists not being as effective we need to rely on
other tests like sniffer but that misses alot also.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com



Re: [Declude.JunkMail] RBL's becoming worthless...

2005-07-26 Thread Scott Fisher

I'll third the URIBL filtering.
Darrell has a free trial of the product.
And the price is $30. Pretty affordable.

I've been using it happily all year.

- Original Message - 
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Tuesday, July 26, 2005 1:01 PM
Subject: Re: [Declude.JunkMail] RBL's becoming worthless...


Chuck,

Agreed.  This is why URI filtering is essential now.  From the SURBL site.

 [URI Filtering] We feel this is a promising approach since it addresses
the core problem of spam most directly: the sites advertised in the spams.
Spammers have found ways to get around conventional RBLs by stealing
services from multiple open relays or hijacking computers using viruses or
trojan horse programs. Because of this theft of services and forced entry
into unsuspecting victim computers, spammers are able to exploit multiple
new mail sources, sometimes for only a few minutes at a time, faster than
RBLs can identify and block mail from those addresses. This is a significant
weakness in conventional RBLs, and spammers have devised various ways to
exploit it. There are other problems with conventional RBLs that can make
their use potentially problematic. (This is not meant to be a criticism of
RBLs however. Like most other mail administrators, I use some conventional
RBLs on my mail servers to do things like block open relays, etc. So
conventional RBLs can be used effectively together with SURBL.)

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG
Integration, and Log Parsers.





RE: [Declude.JunkMail] RBL's becoming worthless...

2005-07-26 Thread Colbeck, Andrew
URI blacklists are certainly making up the difference on my system.

But far more important, Sniffer from SortMonster.com is making the
biggest difference on my network.

Sniffer has the advantage of both URI filtering and traditional content
filters because Sniffer is picking up the content that is the same
across spam runs, whether that happens to be a URI, a phone number, the
GIF attachment that is a drug billboard, or the HTML text that describes
the GIF attachment, or the obfuscation of a URI or HTML itself.

Sniffer is easily worth a buck a day.

Andrew 8)




RE: [Declude.JunkMail] RBL's becoming worthless...

2005-07-26 Thread [EMAIL PROTECTED]
Less if you buy through Declude :-) 



RE: [Declude.JunkMail] RBL's becoming worthless...

2005-07-26 Thread Markus Gufler
Chuck,

Here are some numbers from my side:

100k messages in the last 7 days
50.5% identified as legit, 49.5% as spam (viruses were filtered out before)

The best IP4R-based tests were
CBL (21%, 0.37% FP), SPAMCOP (21%, 0.47% FP) and XBL-DYNA (19%, 0.27% FP)
So they catch less than 50% of incoming spam without creating a significant
number of false positives.
FIVETEN-SRC was able to catch 24% of spam but has also had FP's on around 6%
of all processed messages.

A text-filter combining the results of different IP4R-based tests has
reached a catch rate of 36%. I consider it the current maximum that can be
reached with IP4R-based tests by having a - let's say - moderate number of
false positives.

INV-URIBL instead can catch 37% of all messages as spam and I must say that
up to now I haven't had time to try improving the INV-URIBL config file. (Any
suggestion is welcome!) It's also important that the number of FP's for this
test is near to zero.

SNIFFER was able to catch 47% of all spam messages but I must also say that
there was a significant number of false positives (5%). Most of them were
generated by SNIFFER-GENERAL and SNIFFER-RICH.

SPAMCHK has had correct results on around 45% of all messages, but also had
around 7% of FP's.

Other excellent tests were CMDSPACE (30%, 1% FP) and HELOISIP (13%, 0.17% FP).

Due to Declude's weighting system and the combination of all these tests I can
see between 10 and 20 spam messages each month in my inbox, by catching more
than 300 spams each day.

Markus



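As an added example (not code from this thread, from Declude or from any of the products named), here is the mechanic the posts are comparing: an IP4R test reverses the octets of the connecting IP under a blacklist zone, while a URI blacklist looks up the domains advertised in the body, and a Declude-style scheme adds each hit's weight toward a hold threshold. The zone names, weights, sample messages and the dictionary standing in for DNS are all constructed so it runs offline; a live deployment would replace `listed` with an A-record lookup of the query name.

```python
import re
import ipaddress

# Constructed stand-in for DNS so the example runs offline. Real blacklists
# answer these query names with a 127.0.0.x A record when the IP or domain is
# listed; the zone names below are made up for this example.
FAKE_DNS = {
    "4.3.2.1.ip4r.example.test": "127.0.0.2",               # sender 1.2.3.4 listed
    "spam-pill-shop.test.uribl.example.test": "127.0.0.2",  # advertised site listed
}

def ip4r_query_name(ip, zone):
    """IP4R lookup: reverse the octets of the connecting IP under the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def body_domains(body):
    """URI filtering keys on the sites advertised in the body, not the sender."""
    return {m.group(1).lower().rstrip(".") for m in URL_RE.finditer(body)}

def listed(name, resolver=FAKE_DNS):
    """Offline check against the constructed zone data (a DNS lookup in real use)."""
    return name in resolver

def score_message(sender_ip, body, tests):
    """Add each test's weight when it hits, as a Declude-style weighting scheme
    does. tests is a list of (kind, zone, weight) with kind 'ip4r' or 'uri'."""
    total, hits = 0, []
    for kind, zone, weight in tests:
        if kind == "ip4r":
            names = [ip4r_query_name(sender_ip, zone)]
        else:
            names = [d + "." + zone for d in body_domains(body)]
        if any(listed(n) for n in names):
            total += weight
            hits.append(zone)
    return total, hits

# Constructed weights; HOLD_WEIGHT is the score at which a message would be held.
TESTS = [("ip4r", "ip4r.example.test", 75), ("uri", "uribl.example.test", 75)]
HOLD_WEIGHT = 70

if __name__ == "__main__":
    # A never-listed IP block pushing a listed site: IP4R misses, the URI test hits.
    print(score_message("5.6.7.8", "buy at http://spam-pill-shop.test/buy now", TESTS))
```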