Re: The EmailBL test zone period has been extended to July 1st.
On Fri, 2009-05-22 at 12:07 +0200, Yet Another Ninja wrote:
> FYI:
>
> The EmailBL test zone period has been extended to July 1st.

Since it has been extended, I decided to go ahead and fire it up this morning. I'm mainly looking at overlap. It seems to be relatively distinct from other tests that are looking for 419 scams:

$ grep EMAILBL_TEST_LEM= /var/log/mail/info | grep -P -o 'tests=.+?\]' | grep -o -P '[\w_]+?=' | sort | uniq -c | sort -rn
     67 tests=
     67 EMAILBL_TEST_LEM=
     62 EMAILBL_TEST_LEM_REPLYTO=
     42 FORGED_MUA_OUTLOOK=
     41 ADVANCE_FEE_2=
     40 L_P0F_Linux=
     38 EMAILBL_TEST_LEM_BODY=
     33 MSOE_MID_WRONG_CASE=
     31 EMAILBL_TEST_LEM_FROM=
     29 RCVD_IN_BRBL_RELAY=
     28 SUBJ_ALL_CAPS=
     27 RAZOR2_CHECK=
     26 ADVANCE_FEE_3=
     24 UNOFFICIAL=
     23 RELAY_US=
     22 SARE_FRAUD_X3=
     22 MILLION_USD=
     22 JM_SOUGHT_FRAUD_3=
     21 RAZOR2_CF_RANGE_51_100=
     21 BOTNET_SOHO=
     20 RAZOR2_CF_RANGE_E4_51_100=
     20 HTML_MESSAGE=
     20 BOTNET_OTHER=
     18 RCVD_IN_BL_SPAMCOP_NET=
     18 JM_SOUGHT_FRAUD_2=
     17 L_UNVERIFIED_GMAIL=
     16 RCVD_IN_SORBS_WEB=
     16 ADVANCE_FEE_4=
     15 SPF_NEUTRAL=
     14 US_DOLLARS_3=
     13 SARE_FRAUD_X4=
     13 RELAY_CN=
     13 RDNS_NONE=
     12 SPF_SOFTFAIL=
     12 RELAY_NG=
     12 RAZOR2_CF_RANGE_E4_100=
     12 MIME_HTML_ONLY=
     11 RELAY_TW=
     11 RCVD_IN_INVLSIP_RELAY=
     11 L_P0F_W=
     10 UPPERCASE_75_100=
     10 SPF_PASS=
     10 L_P0F_Unix=
      9 FORGED_OUTLOOK_TAGS=
      9 FORGED_OUTLOOK_HTML=
      9 DEAR_FRIEND=
      8 RDNS_DYNAMIC=
      7 URG_BIZ=
      7 RCVD_IN_SBL=
      6 SARE_FRAUD_X5=
      6 L_P0F_UNKN=
      6 HTML_MIME_NO_HTML_TAG=
      5 XMAILER_MIMEOLE_OL_1ECD5=
      5 JM_SOUGHT_FRAUD_1=
      4 UNPARSEABLE_RELAY=
      4 NA_DOLLARS=
      4 L_UNVERIFIED_YAHOO=
      3 SARE_FRAUD_X6=
      3 MIME_QP_LONG_LINE=
      3 INVALID_MSGID=
      3 DEAR_SOMETHING=
      2 SPF_HELO_PASS=
      2 SPF_FAIL=
      2 SARE_SXLIFE=
      2 RELAY_KR=
      2 RELAY_BR=
      2 RCVD_IN_NJABL_PROXY=
      2 MSGID_FROM_MTA_HEADER=
      2 FREEMAIL_REPLYTO=
      2 FREEMAIL_FROM=
      2 FORGED_HOTMAIL_RCVD2=
      2 FAKE_REPLY_C=
      2 DKIM_VERIFIED=
      2 DKIM_SIGNED=
      2 DATE_IN_PAST_12_24=
      2 DATE_IN_PAST_03_06=
      2 DATE_IN_FUTURE_06_12=
      2 BOTNET_W=
      1 URIBL_RHS_DOB=
      1 URIBL_OB_SURBL=
      1 URIBL_INVL=
      1 UPPERCASE_50_75=
      1 SARE_UNSUB38=
      1 SARE_PROLOSTOCK_SYM3=
      1 SARE_LWOILCO=
      1 RELAY_RU=
      1 RCVD_IN_INVLSIP24_RELAY=
      1 RCVD_IN_DNSWL_MED=
      1 RCVD_DOUBLE_IP_LOOSE=
      1 RAZOR2_CF_RANGE_E8_51_100=
      1 RAZOR2_CF_RANGE_E8_100=
      1 MPART_ALT_DIFF=
      1 KAM_LOTTO1=
      1 HTML_FONT_SIZE_LARGE=
      1 FUZZY_AMBIEN=
      1 FORGED_YAHOO_RCVD=
      1 FIN_FREE=
      1 FB_WORD1_END_DOLLAR=
      1 DATE_IN_FUTURE_12_24=
      1 CHARSET_FARAWAY_HEADER=

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
Re: The EmailBL test zone period has been extended to July 1st.
Henrik K wrote:
> > My take so far is that it seems to be accurate, but it is not hitting
> > enough mail to be really useful.
>
> Please clarify if by "enough mail" you mean "enough 419 etc from freemails"? If you mean general spam, then obviously it won't match them if they don't come from the specific freemail domains.
>
> Also remember that even if the hits are just already identified spam, it helps to make it even more sure. Emails are a slightly different vector than body checksums etc, so even if they don't help at this moment, they might help on some future run. You can also make pretty foolproof metas from (emailbl && freemail_replyto) etc.

So far, the rule has hit on less than 3% of my spam and there were a total of 2 cases where a higher score on this rule would have made a difference. Of course things can always change in the future, but as of now, I don't see this rule as being particularly useful. I'll continue to watch it. Maybe things will look different after the weekend when I have a larger sample size to work with.

--
Bowie
Re: The EmailBL test zone period has been extended to July 1st.
>
> My take so far is that it seems to be accurate, but it is not hitting
> enough mail to be really useful.

Please clarify if by "enough mail" you mean "enough 419 etc from freemails"? If you mean general spam, then obviously it won't match them if they don't come from the specific freemail domains.

Also remember that even if the hits are just already identified spam, it helps to make it even more sure. Emails are a slightly different vector than body checksums etc, so even if they don't help at this moment, they might help on some future run. You can also make pretty foolproof metas from (emailbl && freemail_replyto) etc.
Re: The EmailBL test zone period has been extended to July 1st.
Yet Another Ninja wrote:
> FYI:
>
> The EmailBL test zone period has been extended to July 1st.
>
> The plugin and rules files can be found at:
> http://sa.hege.li/
> EmailBL.pm & EmailBL.cf & emailbl_lemfreemail.cf

Here are some stats for you from a low-volume server:

Total emails scanned:      1425
Marked as Spam:             814
Marked as Ham:              611
Spam also hit by EmailBL:    22
Ham hit by EmailBL:           3

I was able to verify that two of the three Ham hits were correct (should have been Spam). I don't have access to the third Ham email.

My take so far is that it seems to be accurate, but it is not hitting enough mail to be really useful.

As a sidenote ... during the same period, the Zen blacklist blocked 16,394 messages. That puts the overall spam rate for my server at 96%! This is getting ridiculous...

--
Bowie
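The three questions asked in this thread about a trial rule (Daniel's overlap count of which other rules co-fire with EMAILBL_TEST_LEM, Bowie's split of EmailBL hits into already-tagged spam versus ham, and Bowie's "how many messages would a higher score have flipped") can all be answered from the same log pass. The script below is an added example written for this page; it is not part of the thread, the EmailBL plugin, or SpamAssassin. It assumes amavisd-new-style log lines (`Yes|No, score=... required=... tests=[RULE=score,...]`), which matches the `tests=...]` shape Daniel's grep pipeline expects but is an assumption about his setup; the sample lines, scores and rule names are constructed for the demonstration.

```python
import re
from collections import Counter, namedtuple

# Constructed amavisd-new style log lines (not real traffic; rule scores are
# invented so the "would a higher score flip it" case can be demonstrated).
SAMPLE_LOG = """\
May 22 08:01:02 mx amavis[1001]: (01001-01) spam-tag, <a@example.test> -> <u@example.org>, Yes, score=14.2 tagged_above=-999 required=5 tests=[ADVANCE_FEE_2=3.2,EMAILBL_TEST_LEM=0.1,EMAILBL_TEST_LEM_REPLYTO=0.1,FREEMAIL_REPLYTO=1.0] autolearn=spam
May 22 08:02:10 mx amavis[1002]: (01002-01) spam-tag, <b@example.test> -> <u@example.org>, Yes, score=9.8 tagged_above=-999 required=5 tests=[EMAILBL_TEST_LEM=0.1,EMAILBL_TEST_LEM_BODY=0.1,MILLION_USD=1.5,SUBJ_ALL_CAPS=0.5] autolearn=no
May 22 08:03:33 mx amavis[1003]: (01003-01) spam-tag, <c@example.test> -> <u@example.org>, No, score=1.1 tagged_above=-999 required=5 tests=[EMAILBL_TEST_LEM=0.1,HTML_MESSAGE=0.001] autolearn=no
May 22 08:04:01 mx amavis[1004]: (01004-01) spam-tag, <d@example.test> -> <u@example.org>, Yes, score=7.5 tagged_above=-999 required=5 tests=[BAYES_99=3.5,RCVD_IN_SBL=2.7] autolearn=no
"""

# Verdict, total score, required threshold and the bracketed rule list.
LOG_RE = re.compile(
    r"\b(Yes|No), score=(-?[\d.]+) tagged_above=\S+ required=(-?[\d.]+) "
    r"tests=\[([^\]]*)\]"
)

Scan = namedtuple("Scan", "is_spam score required rules")


def parse_line(line):
    """Return a Scan for one log line, or None if the line is not a scan result."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rules = {}
    for item in m.group(4).split(","):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        rules[name] = float(value) if value else 0.0
    return Scan(m.group(1) == "Yes", float(m.group(2)), float(m.group(3)), rules)


def rule_overlap(lines, target):
    """Over messages that hit `target`: how many were tagged spam vs ham, and how
    often each other rule co-fired (the same table Daniel's grep|sort|uniq builds)."""
    hits = {"spam": 0, "ham": 0}
    co_fired = Counter()
    for line in lines:
        scan = parse_line(line)
        if scan is None or target not in scan.rules:
            continue
        hits["spam" if scan.is_spam else "ham"] += 1
        co_fired.update(r for r in scan.rules if r != target)
    return hits, co_fired


def would_flip_verdict(lines, target, new_score):
    """Count ham-tagged messages that hit `target` and would cross `required`
    if `target` were rescored to `new_score` (Bowie's "would have made a difference")."""
    flipped = 0
    for line in lines:
        scan = parse_line(line)
        if scan is None or scan.is_spam or target not in scan.rules:
            continue
        rescored = scan.score - scan.rules[target] + new_score
        if rescored >= scan.required:
            flipped += 1
    return flipped


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits, co_fired = rule_overlap(lines, "EMAILBL_TEST_LEM")
    print("EMAILBL_TEST_LEM hits: %d spam, %d ham" % (hits["spam"], hits["ham"]))
    for rule, count in co_fired.most_common():
        print("%7d %s" % (count, rule))
    print("ham that a score of 4.0 would flip:",
          would_flip_verdict(lines, "EMAILBL_TEST_LEM", 4.0))
```

Run against a real amavisd-new log, a rule whose co-fire table is dominated by the other 419 rules (as in Daniel's output) adds little independent evidence, while a low `would_flip_verdict` count is exactly Bowie's argument that raising the score would change few verdicts; the `tests=` regex is the only piece that needs adjusting for a different logger.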