I just wanted to add that I started using things this way because of intentional behavior in Declude. While adding DUL, DYNA or DUHL to the test name would skip scanning all but the last hop, Declude also will not apply any tests named this way to any E-mail that has a local domain in the Mail From. The effect of this was that forging spammers that used local domains would not get tagged with DUL hits.

Based on this, I removed all occurrences of DUL, DYNA or DUHL from my test names and reconfigured things using the "dnsbl" test type and the variable for %IP4R% to indicate a last hop-only test. This allows such tests to tag forging spammers.

Another note. This is not what I would consider to be a beginner or even intermediate config, and it only works effectively with Declude Pro when configured for multiple hop scanning. Multiple hop scanning can increase false positives without a large increase in captured spam unless it is done very carefully; for instance using the LAST and ALL config that is being discussed. For beginners, I would more so recommend concentrating on choosing the right set of RBLs with tuned scoring, and of course spending money on a Sniffer subscription since that alone will have more effect on things than everything else that one might do combined. If one feels the need to then do multiple hop scanning and understands very specifically how each RBL works (how their data is generated, i.e. spam traps as in XBL, or manually researched primarily static spammers as with SBL), then the best way to implement it would be to do the LAST/ALL config.

Matt



Scott Fisher wrote:

In addition to Darrell's answer,
here is my best understanding of the DNSBL vs IP4R tests:

IP4R test: Will search up to (HOPHIGH variable + 1) hops, with the following exceptions:

If DYNA, DUL, or DUHL are in the test name, they will be skipped after the first hop. (From the release notes).

If the mailfrom matches a local address then Declude will not test the last hop. (Alas, this is a common spamming technique.)

Source: "What was discovered and initially discussed in this thread though is that Declude will not test the last hop with such tests when the MailFrom matches a local address. That was also good design, but if you can whitelist all local senders, it is best to turn this off. A suitable work around for this issue has been provided. The work around that was discussed will only test the last hop. When Declude uses the %IP4R% variable, this comes from the connecting IP (unless IPBYPASSed), and there is only one value tested."
Pulled from: http://www.mail-archive.com/[email protected]/msg18675.html


Note on HOPHIGH:
HOPHIGH 0 = Last hop
HOPHIGH 1 = Last hop and one previous hop.
HOPHIGH 2 = Last hop and two previous hops.

RHSBL test: Will search the domain name against a domain name database.

DNSBL test:
Variable options and examples:
%HELO% to test HELO string: MAILPOLICE-HELO dnsbl %HELO%.dynamic.rhs.mailpolice.com 127.0.0.2 0 0
%REVDNS% to test with a revdns: MAILPOLICE-REVDNS dnsbl %REVDNS%.dynamic.rhs.mailpolice.com 127.0.0.2 0 0
%IP4R% IP4R test: BLITZEDALL-LAST dnsbl %IP4R%.opm.blitzed.org * 0 0
%MAILFROMBL% to test mailfrom: support.declude.com. I use this with a copy of Joe Wein's 419 email address list db: JOEWEIN-MAILFROM dnsbl %MAILFROMBL%.jw.farmprogress.local 127.0.0.11 100 0


If you use the %IP4R% with the DNSBL, you are checking mails that do match your mailfrom and may catch more spam. If you are scanning valid mail with your mailfrom, this could be trouble. My mails are WHITELIST AUTH, so all other mail can be scanned.

In summary:
HOPHIGH 2
ORDB-LAST dnsbl %IP4R%.dnsbl.antispam.or.id 127.0.0.2 10 0
Will scan the last hop (including when MailFrom matches a local address) and score 10 points.
ORDB-ALL ip4r relays.ordb.org 127.0.0.2 2 0
Will scan the last hop and up to 2 previous hops (excluding last hop where MailFrom matches a local address) and score 2 points on any of their hits.


Also:
In my experience, the last hop is a better indicator of spam than previous hops.
So this configuration scores accordingly and may help minimize false positives in the previous hops by scoring them less.


----- Original Message ----- From: "Fox, Thomas" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, March 09, 2005 10:13 AM
Subject: RE: [Declude.JunkMail] Purpose of %IP4R%


I've been following the beginner config thread, trying to
improve my setup, and am curious about the %IP4R% tag on some
of the tests. What does this do/mean?


> It depends on how you want to score.
> You are currently referencing the sbl-xbl with only a return code of
> 127.0.0.4 and running blitzedall, cbl and sbl:
> XBL(LAST)       dnsbl   %IP4R%.sbl-xbl.spamhaus.org     127.0.0.4       9 0
> XBL(ALL)        ip4r    sbl-xbl.spamhaus.org            127.0.0.4       2 0
> BLITZEDALL      ip4r    opm.blitzed.org                 *               7 0
> CBL             ip4r    cbl.abuseat.org                 127.0.0.2       6 0
> (Duplicate of XBL-ALL)
> SBL             ip4r    sbl.spamhaus.org                *               7 0
>
> This would score the entire xbl list the same: (one DNS call)
> XBL(LAST)       dnsbl   %IP4R%.sbl-xbl.spamhaus.org     *      9 0
> XBL(ALL)        ip4r    sbl-xbl.spamhaus.org            *       2 0
>
> This would score the results of the sbl-xbl differently
> depending on which list they are on (one DNS call)
> SBL          dnsbl   %IP4R%.sbl-xbl.spamhaus.org     127.0.0.2       7 0
> CBL          dnsbl   %IP4R%.sbl-xbl.spamhaus.org     127.0.0.4       6 0
> BLITZEDALL   dnsbl   %IP4R%.sbl-xbl.spamhaus.org     127.0.0.5       7 0
>

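The LAST/ALL behaviour described in this thread, modelled as an added example (not Declude's code, and not from any of the posters): the `dnsbl %IP4R%` test scores only the connecting IP regardless of the MailFrom domain, while the `ip4r` test walks HOPHIGH+1 hops but skips the connecting hop when the MailFrom is local. The DNS answers and IP addresses are constructed stand-ins; real lookups would go to the zones named above.

```python
from ipaddress import IPv4Address

# Constructed stand-in for DNS: query name -> A record the zone would return.
# 1.2.3.4 plays the XBL-listed connecting IP, 5.6.7.8 an SBL-listed earlier hop.
FAKE_DNS = {
    "4.3.2.1.sbl-xbl.spamhaus.org": "127.0.0.4",
    "8.7.6.5.sbl-xbl.spamhaus.org": "127.0.0.2",
}

def ip4r_name(ip, zone):
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(str(IPv4Address(ip)).split("."))) + "." + zone

def lookup(ip, zone, want):
    """True if the zone lists ip with the wanted return code ('*' = any code)."""
    answer = FAKE_DNS.get(ip4r_name(ip, zone))
    return answer is not None and (want == "*" or answer == want)

def score_last(hops, zone, want, weight):
    """'dnsbl %IP4R%.<zone>' test: only the connecting IP (hops[0]) is queried,
    and it is scored even when the MailFrom domain is local."""
    return weight if lookup(hops[0], zone, want) else 0

def score_all(hops, zone, want, weight, hophigh, mailfrom_local):
    """'ip4r <zone>' test: connecting IP plus up to HOPHIGH earlier hops;
    the connecting hop is skipped when the MailFrom domain is local."""
    candidates = hops[: hophigh + 1]
    if mailfrom_local:
        candidates = candidates[1:]
    return weight if any(lookup(h, zone, want) for h in candidates) else 0

def total(hops, mailfrom_local, hophigh=2):
    """XBL(LAST) at 9 points plus XBL(ALL) at 2 points, as in the quoted config.
    hops[0] is the connecting IP, later entries are earlier Received hops."""
    zone = "sbl-xbl.spamhaus.org"
    return (score_last(hops, zone, "127.0.0.4", 9)
            + score_all(hops, zone, "*", 2, hophigh, mailfrom_local))

if __name__ == "__main__":
    # Forging spammer: listed connecting IP, local domain in MailFrom -> 9
    print(total(["1.2.3.4", "10.0.0.1"], mailfrom_local=True))
    # Clean connecting IP, listed hop two back, remote MailFrom -> 2
    print(total(["9.9.9.9", "10.0.0.1", "5.6.7.8"], mailfrom_local=False))
```

With HOPHIGH lowered to 1 the second message scores 0, which is the false-positive trade-off Matt describes for deeper hop scanning.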

--- [This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.




-- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================
