[Declude.JunkMail] Deleting emails based solely on Sniffer?
Can someone please explain to me why, if an email is flagged as spam by Sniffer, I shouldn't just delete it outright? Are there instances where Sniffer is wrong? Or is this the way you all use it already? Reason I ask is that I have Sniffer setup with a weight of 10...and I hold messages with a weight of 10-14. This morning I got a Nigerian-type scam that sniffer flagged, but it only scored a total weight of 5. I'll have to check through my global.cfg when I get back from my 9am meeting, but something added a weight of -5 somewhere, meaning the email got through. If I had deleted all Sniffer-found spam outright, this would not have happened. Thoughts? _ Joey Proulx SAU #21 Technology Support Staff 2 Alumni Drive Hampton, NH 03842 (603) 926-8992, ext 115 [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Beginner configuration?
127.0.0.3 1 0 #= OTHER TESTS == BADHEADERS badheaders x x 8 0 BASE64 base64 x x 4 0 CMDSPACEcmdspacex x 8 0 COMMENTScommentsx x 7 0 HELOBOGUS helovalid x x 4 0 MAILFROMenvfrom x x 12 0 PERCENT percent x x 10 0 REVDNS revdnsexistsx x 4 0 ROUTING spamrouting x x 2 0 SPAMHEADERS spamheaders x x 3 0 SPFFAIL spffail x x 3 0 #SPFPASSspfpass x x -3 0 #BCCbcc 20 x 5 0 NONENGLISH nonenglish x x 3 0 #SUBJECTCHARS subjectchars50 x 0 0 #SUBJECTSPACES subjectspaces 12 x 5 0 #=== FILTERS === #SUBJECTfilter [path]\Filters\Subject.txt x 0 0 #WORD filter [path]\Declude\Filters\Word.txt x 0 0 #= 3RD PARTY = SNIFFER externalnonzero D:\IMail\Sniffer\snfrv2r3.exe xnk05x5vmipeaof7 10 0 #SPAMCHKexternalnonzero [path]\Spamchk\spamchk.exe1 0 #= TRIGGERS == WEIGHT1014 weightrange x x 10 14 WEIGHT1519 weightrange x x 15 19 WEIGHT20weight x x 20 0 As for actions, I am currently holding 10-14, redirecting 15-19, and deleting 20. Now this seemed to work great before, but now that I added a few more DNSBLs, my scores are much higher obviously. I'm curious if this is a BAD thing, or if it just confirms that if a message is on several blacklists, it SHOULD have a high score and be deleted. Thoughts on this? I basically guessed on the weights for the top 9 blacklists that I added manually... Thanks. Joey At 11:34 PM 3/4/2005, you wrote: Evan. It is my understanding that is a global command and is only supported in the global.cfg file. Darrell --- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Evans Martin [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, March 04, 2005 10:17 PM Subject: RE: [Declude.JunkMail] Beginner configuration? Does LOOSENSPAMHEADERS ON have to go in the global.cfg? What if I want to do this for one domain but not for others? Is there any way to accomplish this? Thanks, Evans Martin -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, March 04, 2005 8:17 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Beginner configuration? Joey, Declude is very effective when tweaked. Not to mention the default global.cfg ships without all of the RBL's that most of us use (XBL, UCE, MAIL-POLICE, SENDERDB). Also, there are other 3rd patry utilties which are very effective at catching spam like like invURIBL and Message Sniffer. Both of those applications have trial versions. Are you still using the default scale? Since you have been working with your global.cfg you might want to post it to the list for us to look over it and see what you have done so far as to make suggestions. For your clients that you are not in control of I would imagine that you know the ip blocks they come from or the firewall ip that they are behind that. You can whitelist that ip so that them failing the cmdspace will not be a factor. CMDSPACE is very effective but direct connects from clients using outlook will set that off. For SPAMHEADERS I use LOOSENSPAMHEADERS ON this relaxes the spamheaders test so that it does not trigger on missing message ID emails. Hope that helps, Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Joey Proulx writes: Hello, Just downloaded the demo version of Junkmail Pro, and I was curious about the basic setup. For the last two days I've monitored
Re: [Declude.JunkMail] Beginner configuration?
So if I'm double scoring, can't I just remove the SBL, Blitzedall, and CBL lists entirely from my global.cfg? Joey At 02:47 PM 3/8/2005, you wrote: The SBL-XBL includes the SBL, Blitzedall and the CBL list, so you are double-scoring the CBL list. For the SBL-XBL here are the return codes: SBL = 127.0.0.2 return code CBL = 127.0.0.4 return code BLITZEDALL = 127.0.0.6 return code So either: SBL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.2 7 0 CBL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0 BLITZEDALL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.5 7 0 or BLITZEDALL ip4ropm.blitzed.org * 7 0 CBL ip4rcbl.abuseat.org 127.0.0.2 6 0 SBL ip4rsbl.spamhaus.org* 7 0 - Original Message - From: Joey Proulx [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, March 08, 2005 12:44 PM Subject: Re: [Declude.JunkMail] Beginner configuration? Thanks for all the help everyone. So far so good, users are noticing the improvement. I added sniffer to the arsenal earlier today, and it's amazing how much more it's picking up. VERY VERY few false positives at all in the first four days of my trial with Declude/Sniffer. However, I added a few more DNSBLs that one of you suggested last week. My global.cfg now looks like this: #=ADVANCED OPTIONS = LOOSENSPAMHEADERS ON CONSOLE ON #IPBYPASS 192.0.2.25 HOP 0 #HOPHIGH1 #DNS127.0.0.1 HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT CATCHALLMAILS catchallmails x x 0 0 NOLEGITCONTENT nolegitcontent x x 0 -5 IPNOTINMX ipnotinmx x x 0 -3 #=WHITELISTS === #WHITELIST HABEAS #AUTOWHITELIST ON PREWHITELISTON WHITELIST AUTH # - Domain Example - WHITELISTFROM @declude.com WHITELISTFROM @munis.com WHITELISTFROM @trg.com WHITELISTFROM @winnacunnet.k12.nh.us # - User Example - WHITELISTFROM [EMAIL PROTECTED] # - TO Example - #WHITELIST TO postmaster@ #WHITELIST TO abuse@ # - SAU IPS - #SAU AND HAMPTON WHITELIST IP 207.228.220. WHITELIST IP 172.21.21. #SEABROOK WHITELIST IP 70.88.195.41 #HFALLS WHITELIST IP 24.128.32.179 #SOHAM WHITELIST IP 69.164.74.209 #=BLACKLISTS === #BLACKLIST fromfile[path]\Filters\blacklist.txtx 10 0 #BLACKIPipfile [path]\Filters\blackip.txt x 10 0 #= RBL IP4R TESTS == # 1. Definitions of the tests to use (do not edit unless you know what you are doing). These must come before the actions. # 2. First is the name of the check, then the type of check (ip4r is a DNS lookup using the reverse of the IP address). # 3. For type ip4r, 'matchstring' is the string to look for, or * for anything. XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 9 0 XBL(ALL)ip4rsbl-xbl.spamhaus.org127.0.0.4 2 0 UCEPROTECT-LAST dnsbl %IP4R%.dnsbl-1.uceprotect.net 127.0.0.2 4 0 UCEPROTECT-ALL ip4rdnsbl-1.uceprotect.net 127.0.0.2 1 0 SENDERDB-BLACK ip4rpub.senderdb.net127.0.0.2 8 0 SENDERDB-SUSPICIOUS ip4r pub.senderdb.net 127.0.0.4 2 0 MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 7 0 MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 9 0 MAILPOLICE-FRAUD rhsbl fraud.rhs.mailpolice.com127.0.0.2 8 0 AHBLip4rdnsbl.ahbl.org * 6 0 BLITZEDALL ip4ropm.blitzed.org * 7 0 CBL ip4rcbl.abuseat.org 127.0.0.2 6 0 DSBLip4rlist.dsbl.org * 6 0 ORDBip4rrelays.ordb.org * 5 0 SBL ip4rsbl.spamhaus.org* 7 0 SORBS-HTTP ip4rdnsbl.sorbs.net 127.0.0.2 5 0 SORBS-SOCKS ip4rdnsbl.sorbs.net 127.0.0.3 5 0 SORBS-MISC ip4rdnsbl.sorbs.net 127.0.0.4 5 0 SORBS-SMTP ip4rdnsbl.sorbs.net 127.0.0.5 5 0 SORBS-SPAM ip4rdnsbl.sorbs.net 127.0.0.6 4 0 #SORBS-WEB ip4rdnsbl.sorbs.net 127.0.0.7 5 0 SORBS-BLOCK ip4rdnsbl.sorbs.net 127.0.0.8 5 0 SORBS-ZOMBIEip4r
[Declude.JunkMail] Beginner configuration?
Hello, Just downloaded the demo version of Junkmail Pro, and I was curious about the basic setup. For the last two days I've monitored and tweaked and held and redirected and spent hours upon hours looking over the junkmail setup and rules and whatnot. I'm wondering if I'm reinventing the wheel. I work for a school district with a big spam problem, but as any of you in gov't know, if I tell them we should buy something I need to make sure it works. I was just wondering if there are any tried and true setups that any of you are using to cut down on the spam. I'm seeing that this system works, but I'm also still running the built-in Imail filter, and I've seen quite a few messages that get caught by Imail, but have a Declude score of 0, that should NOT have made it through. Do you all still run the builtin Imail spam as well? Any filters I should definitely setup? I'm seeing a lot of CMDSPACE and SPAMHEADERS (missing MessageID header) from some local clients (I don't control all my clients, so I don't think I can make them authenticate). Should I do away with these tests, or can I fix these two issues on the server side? Thanks for all your help. _ Joey Proulx SAU #21 Technology Support Staff 2 Alumni Drive Hampton, NH 03842 (603) 926-8992, ext 115 [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Beginner configuration?
#BOGONS WARN #CATCHALLMAILS IGNORE #COMPU WARN #DEVNULLWARN #DORKS WARN #DORKZTLWARN #DSBLALLWARN #DULWARN #FIVETENDUL WARN #FIVETENOPTIN WARN #FIVETENOTHER WARN #FIVETENSRC WARN #FLOWGO WARN #GUARDBLOCK WARN #GUARDBULK WARN #GUARDDUL WARN #GUARDMULTI WARN #GUARDSINGLEWARN #GUARDSRC WARN #HEUR WARN #INTERSIL WARN #IPWHOISWARN #NJABL WARN #NJABLDUL WARN #NONENGLISH WARN #RBLWARN #RSSWARN #SELWERDWARN #SPAMBAGWARN #SPAMTR WARN #SUMMIT WARN #V6NET WARN #VISI WARN #ZTAWARN #RBLPLUSWARN #DULPLUSWARN #RBLANDDUL WARN #RSSPLUSWARN #RBLANDRSS WARN #DULANDRSS WARN #MAPSALLWARN #BCCWARN #NONENGLISH WARN #SPAMDOMAINSWARN #SUBJECTCHARS WARN #SUBJECTSPACES WARN I havent' changed much, only commented out a couple tests that were causing me trouble. I can certainly use the IP whitelist trick, thank you. Couple more questions: Seems like a URL filter would be very easy to implement (assuming of course you nab that first spam message to add it to the list). Is this something you all use, and if so, is there a de facto list I can start with? Perhaps the one that Imail pushes out? Also, I know there has been some discussion on this list, but if a message has a weight that indicated HOLD and also ROUTETO, does it do both? It looks like it is right now. I have my weights of 10 set to HOLD, and those same messages I'm seeing in the held dir are also showing up in my ROUTETO box. Especially where I plan to delete messages over 20 in the near future, I'd like to figure this part out. Thanks. Joey At 09:17 AM 3/4/2005, you wrote: Joey, Declude is very effective when tweaked. Not to mention the default global.cfg ships without all of the RBL's that most of us use (XBL, UCE, MAIL-POLICE, SENDERDB). Also, there are other 3rd patry utilties which are very effective at catching spam like like invURIBL and Message Sniffer. Both of those applications have trial versions. Are you still using the default scale? Since you have been working with your global.cfg you might want to post it to the list for us to look over it and see what you have done so far as to make suggestions. For your clients that you are not in control of I would imagine that you know the ip blocks they come from or the firewall ip that they are behind that. You can whitelist that ip so that them failing the cmdspace will not be a factor. CMDSPACE is very effective but direct connects from clients using outlook will set that off. For SPAMHEADERS I use LOOSENSPAMHEADERS ON this relaxes the spamheaders test so that it does not trigger on missing message ID emails. Hope that helps, Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Joey Proulx writes: Hello, Just downloaded the demo version of Junkmail Pro, and I was curious about the basic setup. For the last two days I've monitored and tweaked and held and redirected and spent hours upon hours looking over the junkmail setup and rules and whatnot. I'm wondering if I'm reinventing the wheel. I work for a school district with a big spam problem, but as any of you in gov't know, if I tell them we should buy something I need to make sure it works. I was just wondering if there are any tried and true setups that any of you are using to cut down on the spam. I'm seeing that this system works, but I'm also still running the built-in Imail filter, and I've seen quite a few messages that get caught by Imail, but have a Declude score of 0, that should NOT have made it through. Do you all still run the builtin Imail spam as well? Any filters I should definitely setup? I'm seeing a lot of CMDSPACE and SPAMHEADERS (missing MessageID header) from some local clients (I don't control all my clients, so I don't think I can make them authenticate). Should I do away with these tests, or can I fix these two issues on the server side? Thanks for all your help. _ Joey Proulx SAU #21 Technology Support Staff 2 Alumni Drive Hampton, NH 03842 (603) 926-8992, ext 115 [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail
Re: [Declude.JunkMail] Beginner configuration?
Thanks Dan, Is it generally frowned upon to use another company's spam setup, like yours? My feelings are that I'm not very experienced with this and you seem to have a very nice setup. I know I'd have to change a few things to reflect our system, but it would take me years to learn enough about spam and mail servers to setup something like that. Mail is only a fraction of what I do here...I need as much a plug and play system as I can :) Thanks. Joey At 10:29 AM 3/4/2005, you wrote: Joey, If you go here http://declude.mydomain.com/ (where mydomain.com is the domain I use in my from address) you can see the part of our Declude JunkMail Config which we make public. Thanks, Dan - Original Message - From: Joey Proulx [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, March 04, 2005 8:13 AM Subject: [Declude.JunkMail] Beginner configuration? Hello, Just downloaded the demo version of Junkmail Pro, and I was curious about the basic setup. For the last two days I've monitored and tweaked and held and redirected and spent hours upon hours looking over the junkmail setup and rules and whatnot. I'm wondering if I'm reinventing the wheel. I work for a school district with a big spam problem, but as any of you in gov't know, if I tell them we should buy something I need to make sure it works. I was just wondering if there are any tried and true setups that any of you are using to cut down on the spam. I'm seeing that this system works, but I'm also still running the built-in Imail filter, and I've seen quite a few messages that get caught by Imail, but have a Declude score of 0, that should NOT have made it through. Do you all still run the builtin Imail spam as well? Any filters I should definitely setup? I'm seeing a lot of CMDSPACE and SPAMHEADERS (missing MessageID header) from some local clients (I don't control all my clients, so I don't think I can make them authenticate). Should I do away with these tests, or can I fix these two issues on the server side? Thanks for all your help. _ Joey Proulx SAU #21 Technology Support Staff 2 Alumni Drive Hampton, NH 03842 (603) 926-8992, ext 115 [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan) --- E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan) --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.