> ...
> List Mail User wrote:
>>> ...
>>>
>> I believe some people using the SARE rules report ~100 points for them
>> (after half a day or so, they fail every net test, and very many
>> "small" rules). Also, the typical ones are delivered by zombies, so
>> often the DUL tests hit right away, and if you can afford to refuse
>> bad DNS at the MTA level (many large sites can't), you'll never see
>> most of them.
>>
>> The last one I got hit:
>> BAYES_99,DIGEST_MULTIPLE,FORGED_MUA_IMS,HELO_DYNAMIC_COMCAST,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_AB_SURBL,URIBL_COMPLETEWHOIS,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_ABUSE,URIBL_RHS_AHBL,URIBL_RHS_DSN,URIBL_RHS_NOCOMPLAINTS,URIBL_RHS_NOSTDMAIL,URIBL_RHS_POST,URIBL_RHS_URIBL_BLACK,URIBL_RHS_WHOIS,URIBL_SBL,URIBL_SBL_COMWHOIS,URIBL_SC_SURBL,URIBL_WS_SURBL,URIBL_XS_SURBL
>>
>> A slightly earlier one got a much lower score with:
>> BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_80_90,HTML_MESSAGE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,UPPERCASE_25_50,URIBL_RHS_POST,URIBL_RHS_WHOIS
>>
>
> Umm... I don't see any SARE rules in there. The fact is, SARE isn't terribly
> effective against these 1-column drug spams. The only SARE hit I got was
> SARE_SPEC_LEO_LINE03f with a whopping 0.18 points, or occasionally
> SARE_SPEC_LEO_MEDS with 1.67 points.
>
> Sure, with every possible network test enabled you will catch most everything.
> But some of us don't have unlimited resources. ;)
>
> Pierre
>

Pierre,
You'll get a lot of mileage from the three common digests. Of the three, DCC takes very few resources, but you really should read the docs to set it up. Razor seems the most common one people use (it is Perl and easy to set up), and only Pyzor takes significant resources (a copy of Python has to be running).

As to the other net tests you see above, besides those enabled by default, there are really only two DNS lookups and some meta-rules. All of the rfci data is available from one DNS query on fulldom.rfc-ignorant, and they are fairly effective (with low scores and meta-rules for multiple hits, e.g. the "URIBL_RHS_NOCOMPLAINTS"), and the lookup on the completewhois HIB list also functions well as a URI rule.

If you are so limited that you are already disabling standard rules, then you are in a different situation. You do not see the "low return" net rules, like the DNS operators BLs that easyDNS maintains or many others. None of the URI rules or DNS lookups require much in the way of resources.

If you are resource-limited and can afford it with your user base, then MTA-level rejection of bad DNS/rDNS will nearly wipe out most "zombie" deliveries (and mail from all too commonly misconfigured Exchange servers) and reduce your load greatly; then you'll be able to pile on far more tests yet. Also, blocking at the MTA level with the XBL will remove a lot of the "zombie" spew (and quite safely for any environment).

My point should have been that just a well-trained Bayes DB plus the digests will catch these for all but the few people at the very beginning of a run, and a short while later the SURBLs will kick in (yes, the digests do seem to have quicker update times than the BLs, especially DCC). If you don't have enough resources to run SURBLs, then it is quite unlikely that you can afford the memory usage of the SARE tests either (disclaimer: I do not use SARE tests, just check, read and try to follow what they are doing).

Paul Shupak
[EMAIL PROTECTED]
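The two MTA-level checks recommended in the message above (rejecting a connecting client whose reverse DNS is missing or does not confirm, and rejecting a client listed on a DNSBL such as the XBL) both come down to a handful of DNS queries. The Python below is an added example written for this page; it is not code from the thread, from SpamAssassin, or from any MTA. The resolver tables, the zone name dnsbl.example, the "127.0.0.2 means listed" return convention and every address are constructed so the example runs offline; a real DNSBL documents its own return codes and its own zone name. The `reject_bad_rdns` flag reflects the quoted caveat that many large sites cannot afford a hard reject on bad rDNS and would rather tag the session for scoring later.

```python
"""Offline model of two MTA-level checks: a DNSBL lookup of the connecting
client's IP and a forward-confirmed reverse DNS (FCrDNS) check.

Resolvers are injected as plain functions so the logic can be exercised
against constructed records without touching the network."""
import ipaddress
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]

# Constructed DNS data (assumption: no real hosts or zones are referenced).
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net"],      # well-run MX: PTR and A agree
    "198.51.100.7": ["dyn-7.isp.example"],   # rDNS confirms, but the IP is on the test DNSBL
    "203.0.113.8": ["host.example.org"],     # PTR names a host that does not map back
    # 203.0.113.5 deliberately has no PTR record at all
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "dyn-7.isp.example": ["198.51.100.7"],
    "host.example.org": ["203.0.113.9"],
    # DNSBL entry: reversed octets under the zone; 127.0.0.2 is our constructed
    # "listed" answer (real lists publish their own codes under 127.0.0.0/8)
    "7.100.51.198.dnsbl.example": ["127.0.0.2"],
}


def resolve_ptr(ip: str) -> List[str]:
    """Stand-in for a PTR query; empty list models NXDOMAIN."""
    return PTR_RECORDS.get(ip, [])


def resolve_a(name: str) -> List[str]:
    """Stand-in for an A query; empty list models NXDOMAIN."""
    return A_RECORDS.get(name, [])


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the list zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listing(ip: str, zone: str, a: Resolver = resolve_a) -> Optional[str]:
    """Return the 127.0.0.0/8 answer if ip is listed in zone, else None."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    for answer in a(dnsbl_query_name(ip, zone)):
        if ipaddress.IPv4Address(answer) in loopback:
            return answer
    return None


def fcrdns_status(ip: str, ptr: Resolver = resolve_ptr, a: Resolver = resolve_a) -> str:
    """'ok' if some PTR name resolves back to ip, 'no-rdns' if there is no
    PTR at all, 'unconfirmed' if the PTR names never map back."""
    names = ptr(ip)
    if not names:
        return "no-rdns"
    for name in names:
        if ip in a(name):
            return "ok"
    return "unconfirmed"


def mta_decision(ip: str, zones: List[str], reject_bad_rdns: bool = True,
                 ptr: Resolver = resolve_ptr, a: Resolver = resolve_a) -> str:
    """Decide at connection time: reject on bad rDNS (if the site can afford
    it), reject on any DNSBL hit, otherwise accept, tagging bad rDNS instead
    of rejecting when reject_bad_rdns is False."""
    rdns = fcrdns_status(ip, ptr, a)
    if rdns != "ok" and reject_bad_rdns:
        return f"reject:rdns-{rdns}"
    for zone in zones:
        code = dnsbl_listing(ip, zone, a)
        if code is not None:
            return f"reject:dnsbl:{zone}:{code}"
    return "accept" if rdns == "ok" else f"accept:tag-rdns-{rdns}"


if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.8"):
        print(client, mta_decision(client, ["dnsbl.example"]))
        print(client, mta_decision(client, ["dnsbl.example"], reject_bad_rdns=False))
```

The rDNS check runs first because it needs no third-party list and costs at most two queries, which is where the "zombie" hosts with no or mismatched PTR records drop out; the DNSBL lookup then costs one more query per zone. Order the zones so the list you trust most for outright rejection is queried first, and keep lower-confidence lists for scoring rather than rejection.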