List Mail User wrote:
>> ...
>> List Mail User wrote:
>>>> ...
>>>>
>>> I believe some people using the SARE rules report ~100 points for
>>> them (after half a day or so, they fail every net test, and very
>>> many "small" rules). Also, the typical ones are delivered by
>>> zombies, so often the DUL tests hit right away, and if you can
>>> afford to refuse bad DNS at the MTA level (many large sites can't),
>>> you'll never see most of them.
>>>
>>> The last one I got hit:
>>> BAYES_99,DIGEST_MULTIPLE,FORGED_MUA_IMS,HELO_DYNAMIC_COMCAST,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_AB_SURBL,URIBL_COMPLETEWHOIS,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_ABUSE,URIBL_RHS_AHBL,URIBL_RHS_DSN,URIBL_RHS_NOCOMPLAINTS,URIBL_RHS_NOSTDMAIL,URIBL_RHS_POST,URIBL_RHS_URIBL_BLACK,URIBL_RHS_WHOIS,URIBL_SBL,URIBL_SBL_COMWHOIS,URIBL_SC_SURBL,URIBL_WS_SURBL,URIBL_XS_SURBL
>>>
>>> A slightly earlier one got a much lower score with:
>>> BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_80_90,HTML_MESSAGE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,UPPERCASE_25_50,URIBL_RHS_POST,URIBL_RHS_WHOIS
>>>
>>
>> Umm... I don't see any SARE rules in there. The fact is, SARE isn't
>> terribly effective against these 1-column drug spams. The only SARE
>> hit I got was SARE_SPEC_LEO_LINE03f with a whopping 0.18 points, or
>> occasionally SARE_SPEC_LEO_MEDS with 1.67 points.
>>
>> Sure, with every possible network test enabled you will catch most
>> everything. But some of us don't have unlimited resources. ;)
>>
>> Pierre
>>
> Pierre,
>
> You'll get a lot of mileage from the three common digests; of the
> three, DCC takes very little resources, but you really should read the
> docs to set it up. Razor seems the most common one people use (it is
> Perl and easy to set up) and only Pyzor takes significant resources (a
> copy of Python has to be running).
>
> As to the other net tests you see above, besides those enabled by
> default, there are really only two DNS lookups and some meta-rules.
> All of the rfci data is available from one DNS query on
> fulldom.rfc-ignorant and they are fairly effective (with low scores
> and meta-rules for multiple hits - e.g. the "URIBL_RHS_NOCOMPLAINTS")
> and the lookup on the completewhois HIB list also functions well as
> URI rules. If you are so limited that you are already disabling
> standard rules, then you are in a different situation. You do not see
> the "low return" net rules, like the DNS operators BLs that easyDNS
> maintains or many others. None of the URI rules or DNS lookups
> require much in the way of resources.
>
> If you are resource limited and can afford it with your user base,
> then MTA level rejection of bad DNS/rDNS will nearly wipe out most
> "zombie" deliveries (and mail from all too commonly misconfigured
> Exchange servers) and reduce your load greatly - then you'll be able
> to pile on far more tests yet. Also, blocking at the MTA level with
> the XBL will remove a lot of the "zombie" spew (and quite safely for
> any environment).
>
> My point should have been just a well trained Bayes DB plus the
> digests will catch these for all but the few people at the very
> beginning of a run, and a short while later the SURBLs will kick in
> (yes, the digests do seem to have quicker update times than the BLs,
> especially DCC). If you don't have enough resources to run SURBLs,
> then it is quite unlikely that you can afford the memory usage of the
> SARE tests either (disclaimer: I do not use SARE tests, just check,
> read and try to follow what they are doing).
>
Paul,

I'm not really THAT badly off; I run all default 3.1.0 tests plus Bayes
and DCC, three RBLs, URIBL/SURBL, some SARE rule sets and a bunch of
local rules. I do MTA-level blocking with Spamhaus SBL-XBL, which knocks
off at least half the junk before it reaches SA. But I don't run Razor
or Pyzor, so never get DIGEST_MULTIPLE. Maybe I should change that.

My point was, two people stated that SARE rules take care of this type
of pill spam, and they don't.

Pierre
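As an added example (not code from this thread or from SpamAssassin), a small Python script that does Pierre's check mechanically: it takes the "tests=" list from an X-Spam-Status header and groups the hits by rule family, so for the two messages quoted above it shows that no SARE rule fired and that the digests, DNSBLs and URIBLs carried the score. The family prefixes and the zombie-indicator pattern (DUL, DYNAMIC, XBL) are assumptions drawn from the rule names in the thread, not an authoritative list.

```python
"""Group SpamAssassin rule hits by family (added example, not list code).
The "tests=" list from X-Spam-Status is split into Bayes, digest, DNSBL,
URIBL, SARE and other hits; the prefixes are assumed from the thread."""
import re
from collections import Counter

FAMILIES = [  # first match wins; anything unmatched is "other"
    ("bayes", re.compile(r"^BAYES_\d+$")),
    ("digest", re.compile(r"^(DCC_|PYZOR_|RAZOR2_|DIGEST_MULTIPLE$)")),
    ("dnsbl", re.compile(r"^RCVD_IN_")),
    ("uribl", re.compile(r"^URIBL_")),
    ("sare", re.compile(r"^SARE_")),
]
# Hits pointing at a dynamic/zombie sender (the DUL/XBL tests); assumed pattern.
ZOMBIE = re.compile(r"_DUL$|_DYNAMIC_|_XBL$")

def parse_tests(header: str) -> list[str]:
    """Rule names from an X-Spam-Status value or a bare comma list.
    Folded headers put whitespace inside the list; stop at the next key=."""
    text = header.split("tests=", 1)[-1]
    tokens = []
    for tok in text.split():
        if "=" in tok:
            break
        tokens.append(tok)
    return [r for r in ",".join(tokens).split(",") if r]

def classify(rule: str) -> str:
    return next((fam for fam, pat in FAMILIES if pat.search(rule)), "other")

def family_counts(header: str) -> dict[str, int]:
    return dict(Counter(classify(r) for r in parse_tests(header)))

def zombie_indicators(header: str) -> list[str]:
    return [r for r in parse_tests(header) if ZOMBIE.search(r)]

# The two hit lists quoted in the thread (verbatim).
HIGH_SCORE_HITS = (
    "BAYES_99,DIGEST_MULTIPLE,FORGED_MUA_IMS,HELO_DYNAMIC_COMCAST,PYZOR_CHECK,"
    "RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,"
    "RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_AB_SURBL,"
    "URIBL_COMPLETEWHOIS,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_ABUSE,"
    "URIBL_RHS_AHBL,URIBL_RHS_DSN,URIBL_RHS_NOCOMPLAINTS,URIBL_RHS_NOSTDMAIL,"
    "URIBL_RHS_POST,URIBL_RHS_URIBL_BLACK,URIBL_RHS_WHOIS,URIBL_SBL,"
    "URIBL_SBL_COMWHOIS,URIBL_SC_SURBL,URIBL_WS_SURBL,URIBL_XS_SURBL")
LOW_SCORE_HITS = (
    "BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_80_90,HTML_MESSAGE,PYZOR_CHECK,"
    "RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,"
    "UPPERCASE_25_50,URIBL_RHS_POST,URIBL_RHS_WHOIS")
```

Running family_counts() over a day's worth of X-Spam-Status headers is a quick way to see which families (and which paid-for lookups) are actually contributing before deciding what to enable or drop.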