[Declude.JunkMail] We have opened up truncate.gbudb.net
Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data (generated from Message Sniffer). We have decided to experiment with opening up the blacklist for a wider audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate range -- That is: truncate.gbudb.net is designed to be ultra-conservative so that it should be safe to reject connections based on the test in most cases. This also means that it won't block everything -- only the worst of the worst.

That said, the folks who have been testing it have reported that it did drop a significant amount of traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,
_M

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
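An added example (not from the original thread or from the list operator) of the ip4r lookup the announcement describes: reverse the IPv4 octets, query the name under truncate.gbudb.net, and treat only an answer of 127.0.0.1 as listed. The `resolve` callable, the outcome names and the sample answers (built on documentation-range addresses) are assumptions made for illustration.

```python
import ipaddress
import socket

ZONE = "truncate.gbudb.net"   # zone named in the announcement
LISTED = "127.0.0.1"          # result the announcement says a listed IP returns

def ip4r_name(ip, zone=ZONE):
    """Build the ip4r query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)   # ValueError for anything but IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check(ip, resolve, zone=ZONE):
    """Return 'reject', 'accept' or 'lookup-failed' for a connecting IP.

    resolve(name) is an assumed callable: list of A-record strings,
    [] for NXDOMAIN, OSError raised on timeout or server failure.
    """
    try:
        answers = resolve(ip4r_name(ip, zone))
    except OSError:
        # The list could not be reached. Report it separately so the
        # caller can accept the connection instead of blocking mail
        # because of its own DNS trouble.
        return "lookup-failed"
    # Only the documented code counts. NXDOMAIN, or any other address
    # (for example a wildcarded or parked zone answering every name),
    # is not a listing.
    return "reject" if LISTED in answers else "accept"

def system_resolve(name):
    """Real lookup through the OS resolver, for use outside the test."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []      # name does not exist: not listed
        raise              # gaierror is an OSError, so check() reports lookup-failed
    return sorted({info[4][0] for info in infos})

# Constructed answers for offline use; these are not real listings.
SAMPLE = {
    "10.2.0.192.truncate.gbudb.net": ["127.0.0.1"],    # listed
    "20.2.0.192.truncate.gbudb.net": ["203.0.113.9"],  # unexpected answer
}

def sample_resolve(name):
    if name.startswith("30."):
        raise OSError("constructed timeout")
    return SAMPLE.get(name, [])
```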
RE: [Declude.JunkMail] We have opened up truncate.gbudb.net
Thanks! I'll add this and then watch it over the weekend, let you know how it did compared to the others early next week. :)

-- Michael Cummins

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net
re: [Declude.JunkMail] We have opened up truncate.gbudb.net
Hi Pete,

Question - is this blacklist info already contained within any Sniffer test? I am wondering about double dipping so to speak - if the info is within Sniffer which rulebase?

-Nick

MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Pete McNeil madscient...@microneil.com
Sent: Thursday, April 29, 2010 5:15 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net
Re: [Declude.JunkMail] We have opened up truncate.gbudb.net
On 4/29/2010 5:50 PM, Nick Hayer wrote:

> Hi Pete,
> Question - is this blacklist info already contained within any Sniffer test? I am wondering about double dipping so to speak - if the info is within Sniffer which rulebase?

That's not an easy question -- If you are using SNF then your GBUdb node may agree with truncate.gbudb.net --- If it does then the message will be truncated by SNF if it gets through.

However, truncate.gbudb.net is a "cloud's view" of GBUdb -- so much of the time the data in truncate.gbudb.net is bigger than what you will have in your GBUdb node. That means that truncate.gbudb.net will be able to stop some traffic that your system has not yet seen.

So -- to summarize:

* If your system has a particular IP in truncate in your GBUdb node then it is very likely truncate.gbudb.net will also agree.
* If your system has no information on a particular IP then truncate.gbudb.net may be able to help you reject the connection anyway.

Think of truncate.gbudb.net as a very conservative "big picture" list of very bad IPs. Truncate will almost always know more than your system does for newer IPs.

Let me know if that answers the question.

Best,
_M
RE: [Declude.JunkMail] Enumerating and Weighting IP4R/RHSBL/DNSBL tests
I also use fresh15.spameatingmonkey.net and urired.spameatingmonkey.net in my invuribl config

Do you happen to know the config lines you need for invuribl to use these...?
RE: [Declude.JunkMail] We have opened up truncate.gbudb.net
Thanks - I activated it in my gateway and will report back after a day or so.

Question:

a) Does it have TXT records that hold additional info that can be returned in the 5.7.1 message to the sender?
b) Is there a lookup URL that can be included in the 5.7.1 message that people can use to learn about your service, learn about the listing/de-listing policy (and determine the status of their IP address in case of a false positive)?

Best Regards,
Andy

From: Pete McNeil madscient...@microneil.com
Sent: Thursday, April 29, 2010 5:15 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net
[Declude.JunkMail] Examining Test Effectiveness
Here is yesterday's (4/29/10) report, after adding the Spam Eating Monkey into the mix. How much does this vary, amongst Declude users? Do you get similar results from these tests, or different ones?

Overall Server Test Summary Report

Total Messages Processed: 183,417
Messages That Failed Defined Test(s): 171,145
Percentage That Failed Defined Test(s): 93.31%
Average Message Weight: 56
Average Message Weight/Failed: 61

TEST                    # FAILED  Percentage
WEIGHT10                 144,929      79.02%
WEIGHT15                 143,843      78.42%
WEIGHT20                 142,891      77.90%
WEIGHT25                 142,021      77.43%
BARRACUDA                103,943      56.67%
ZEN                       97,021      52.90%
HOSTKARMA-BLACK           94,109      51.31%
SNIFFER-SNAKEOIL          87,631      47.78%
UCEPROTECT-2              83,627      45.59%
SNFIPCAUTION              83,418      45.48%
DYNHELO                   80,473      43.87%
UCEPROTECT-3              77,550      42.28%
FILTER-SPAM               58,435      31.86%
UCEPROTECT-1              50,103      27.32%
HELOBOGUS                 46,577      25.39%
CBL                       44,887      24.47%
SPFPASS                   44,730      24.39%
NOABUSE                   44,589      24.31%
SPAMMONKEY-BLACK          43,204      23.56%
CMDSPACE                  41,066      22.39%
INV-URIBL                 38,354      20.91%
NOPOSTMASTER              36,258      19.77%
FROMNOMATCH               35,509      19.36%
FILTER-MEDICAL            33,097      18.04%
SENDERSCORE               30,081      16.40%
SUBCHARS-55               28,317      15.44%
SUBCHARS-60               23,145      12.62%
SIP-INVALUEMENT           22,885      12.48%
MAILPOLICE-DYNAMIC        22,758      12.41%
BADHEADERS                21,894      11.94%
HAM-INDICATOR             21,795      11.88%
SNIFFER-GENERAL           21,724      11.84%
SORBS-RECENT              19,768      10.78%
SUBCHARS-65               19,644      10.71%
SNFIPTRUNCATE             19,585      10.68%
SIP24-INVALUEMENT         19,355      10.55%
URIBL-BLACK               18,388      10.03%
SURBL                     16,966       9.25%
FILTER-DRUGS              16,419       8.95%
SPAMCOP                   16,366       8.92%
SORBS                     16,119       8.79%
REVDNS                    15,673       8.55%
WDDX-FILTER               15,382       8.39%
WPBL                      14,874       8.11%
SUBSPACE-12               13,501       7.36%
SNFTRUNCATE               12,357       6.74%
SPAMMONKEY-FRESH15        11,958       6.52%
FILTER-NOSENDER           10,229       5.58%
FILTER-BACKSCATTER         8,821       4.81%
SPAMCANNIBAL               8,441       4.60%
MAILPOLICE-REVWEBMAIL      7,991       4.36%
FILTER-ADULT               7,699       4.20%
SPFFAIL                    7,585       4.14%
SUBSPACE-15                6,768       3.69%
IMP-SPAM                   6,672       3.64%
SORBS-DUL                  6,142       3.35%
GOOD-REVDNS                6,140       3.35%
ROUTING                    5,954       3.25%
MAILFROM                   5,459       2.98%
UBL                        5,084       2.77%
BADWHOIS                   4,509       2.46%
DSN                        4,362       2.38%
SUBSPACE-17                4,107       2.24%
SPAMMONKEY-NETBLACK        4,089       2.23%
SPAMRATS                   3,545       1.93%
SIZE-300K                  3,441       1.88%
SORBS-NEW                  3,067       1.67%
SNIFFER-CREDIT             2,613       1.42%
SPAMHEADERS                2,435       1.33%
SNIFFER-SCHEME             2,381       1.30%
NONENGLISH                 2,351       1.28%
SNIFFER-SPAM               1,910       1.04%
NJABL                      1,777       0.97%
SNIFFER-SCAMS              1,726       0.94%
BASE64                     1,628       0.89%
BASURA                     1,554       0.85%
SNIFFER-INSURANCE          1,547       0.84%
SIZE-500K                  1,465       0.80%
DNSBL                      1,357       0.74%
BONDEDSENDER               1,067       0.58%
SNIFFER-PORN               1,067       0.58%
SNIFFER-TRAVEL             1,036       0.56%
BOGUSMX                    1,003       0.55%
SNIFFER-WAREZ                965       0.53%
SIZE-1MB                     902       0.49%
SNFIPBLACK                   889       0.48%
IPREPUTATION                 889       0.48%
SNIFFER-OBFUSCATION          808       0.44%
SNIFFER-ADVERTISING          460       0.25%
SNIFFER-GAMBLING             371       0.20%
AHBL-DOMAINS                 237       0.13%
MAILPOLICE-DOMAIN            219       0.12%
MAILPOLICE-BLOCK             219       0.12%
SNIFFER-MALWARE              216       0.12%
MAILPOLICE-HELO               97       0.05%
MAILPOLICE-REVDNS             97       0.05%
COMMENTS                      63       0.03%
RE: [Declude.JunkMail] Sniffer Integration
Hi,

1. I'm confused about the Sniffer integration sample:

SNFIPBLACK SNFIP x 5 10 0
IPREPUTATION SNFIP x 5 10 -5

It seems to me as if BOTH lines test the SAME Sniffer return code of 5 - but one line adds a weight of 10 when found, the other also adds a weight of 10, but subtracts 5 when NOT found? So will this add 20 when found? Why use TWO lines to accomplish that?

2. In the past I could simply configure:

SNIFFER external nonzero D:\IMAIL\Declude\SNF\SNFClient.exe 10 0

if I didn't want to duplicate 18 lines - and risk that at some point a return code will be added that I will miss unless I add another line to the config file.

So, does the SNF test have some way to configure ONE line for nonzero to create a baseline weight, and then just add SNF tests for specific return code if I want those specific ones treated with a higher weight?

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, January 04, 2010 9:54 AM
To: declude.vi...@declude.com; declude.junkmail@declude.com; declude.relea...@declude.com
Subject: [Declude.JunkMail] Release 4.10.42

Declude 4.10.42

JM ADD Add IMail support for SQL Database. Declude can check the SQL DB for Autowhitelist
JM ADD IPNOSCAN for IMail
JM ADD Add a new directive POSTINIFIX uses either ON or OFF in the declude.cfg file. Postini is a large managed email service which amends the header structure. The Postini fix helps Declude correctly identify Postini headers. To configure use POSTINIFIX ON
JM ADD Add the Recipient, mailfrom and subject information to the blklst.txt file. The format blklst.txt file is Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed
JM ADD IPBYPASS can be configured with CIDR
JM ADD New Header directive XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header of the email.
JM ADD Integrated Message Sniffer with Declude. Will use Declude rulebase. (If you are a current Message Sniffer user this does not apply to you unless you want to switch and use the Declude rulebase) To configure the SNF files need to be edited by the user, where the [PATH] needs to be the actual path on your server.

getRulebase.cmd

SET SNIFFER_PATH=[PATH]\declude\scanners\SNF\

Snf_engine.xml file

<log path='[PATH]\declude\scanners\SNF\'/>
<rulebase path='[PATH]\declude\scanners\SNF\'/>
<workspace path='[PATH]\declude\scanners\SNF\'/>
<update-script on-off='on' call='[PATH]\declude\scanners\SNF\getRulebase.cmd' guard-time='180'/>

Global.cfg

SNFIPCAUTION        SNFIP x 4 5 0
SNFIPBLACK          SNFIP x 5 10 0
SNFIPTRUNCATE       SNFIP x 6 10 0
IPREPUTATION        SNFIP x 5 10 -5
SNIFFER-TRAVEL      SNF x 47 10 0
SNIFFER-INSURANCE   SNF x 48 10 0
SNIFFER-AV-PUSH     SNF x 49 10 0
SNIFFER-WAREZ       SNF x 50 10 0
SNIFFER-SPAMWARE    SNF x 51 10 0
SNIFFER-SNAKEOIL    SNF x 52 12 0
SNIFFER-SCAMS       SNF x 53 10 0
SNIFFER-PORN        SNF x 54 10 0
SNIFFER-MALWARE     SNF x 55 10 0
SNIFFER-ADVERTISING SNF x 56 10 0
SNIFFER-SCHEME      SNF x 57 10 0
SNIFFER-CREDIT      SNF x 58 10 0
SNIFFER-GAMBLING    SNF x 59 10 0
SNIFFER-GENERAL     SNF x 60 10 0
SNIFFER-SPAM        SNF x 61 10 0
SNIFFER-OBFUSCATION SNF x 62 10 0
SNIFFER-IP-RULES    SNF x 63 10 0
SNFTRUNCATE         SNF x 20 10 0

EVA FIX Fix for Virus test not catching the eicar test due to e-mail formatting
HJ ADD