questions about the non-SC blacklists

Several of your issues have been touched, even answered .. the last specific one has been answered .. the ".10" result from SORBS is not a spam flag ... 

Yes, and thanks for your help with that.

.. especially after noting that I'm already beyond "the half-dozen posts so I've already exceeded my attention span" point

I'm not sure, but it looks like you might be referring to a comment I made via NNTP, where I remarked (regarding the forums) that "people lose interest after a dozen or so posts" and that some issues therefore remain not completely answered. Just my own observation, FWIW. We'll see if the primary remaining question from this (and the other) thread ever gets answered.

dt

a status update....

Earlier today I dumped everything from the Held Mail and the Trash on both of my SC email accounts. Now I'm monitoring all the new stuff that comes into Held Mail and what puts it there. My settings are:

SpamAssassin Limit = 5

SpamCop Blacklist

Composite Blocking List

SORBS DNSbl

The SCBL is doing most of the work, followed closely by SA. Three or four have been caught due to the CBL, but so far, nothing has gone into Held Mail due to my selection of the SORBS DNSbl. I'll watch this for a few days, until I have a representative sample and see if anything ever gets "held" due to SORBS, which I'm beginning to doubt. At least I've confirmed that the CBL is working for me.

(update 7/6/04: after over 24 hours of collecting Held Mail, I've now done an analysis of the 401 that arrived during that time:

SpamCop Blacklist 343

CBL 31

SpamAssassin 22

SORBS 5

Interestingly enough, when I ran all five of the SORBS-blocked messages through the SC web reporting system, when looking in the "Tracking message source" sections, I find absolutely NO mentions of SORBS listings whatsoever for any of the 5 source IPs....very odd....this is part of what I think needs some explaining, if possible.)

Gotta go paint a bathroom.... :(

but so far, nothing has gone into Held Mail due to my selection of the SORBS DNSbl. I'll watch this for a few days, until I have a representative sample and see if anything ever gets "held" due to SORBS, which I'm beginning to doubt.

When I selected SORBS in addition to the existing block lists I checked this and found one inside a couple of days. Note that the lists are applied in order so the later ones don't get much of a chance unless the source hasn't yet been added to the SCBL etc. lists.

I don't think that a list of Dynamic cable or dialup IPs is usable by the SpamCop email blocker because it just looks up every IP in all the Received lines.

Only if these are analysed for "Direct to MX" do they suggest a zombie is at work.
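The "applied in order" point above, as an added example that is not part of the original post and not SpamCop's code: with first-match attribution, a later list is credited only for sources the earlier lists missed, so its held-mail count understates what it actually lists. The filter order and the listing table are assumptions constructed for illustration; only the query-name format (reversed octets plus zone) is standard DNSBL behaviour.

```python
import ipaddress
from collections import Counter

# Constructed listings using documentation-range IPs. A real filter would
# resolve dnsbl_query_name() over DNS and treat a 127.0.0.x answer as "listed".
LISTINGS = {
    "bl.spamcop.net":  {"192.0.2.10", "192.0.2.11", "198.51.100.7"},
    "cbl.abuseat.org": {"192.0.2.10", "198.51.100.7", "203.0.113.5"},
    "dnsbl.sorbs.net": {"192.0.2.11", "203.0.113.5", "203.0.113.99"},
}
# Assumed filter order (the order the options are listed in the thread).
ORDER = ["bl.spamcop.net", "cbl.abuseat.org", "dnsbl.sorbs.net"]

# Constructed source IPs of six incoming messages; the last is on no list.
SOURCES = ["192.0.2.10", "192.0.2.11", "198.51.100.7",
           "203.0.113.5", "203.0.113.99", "198.51.100.200"]


def dnsbl_query_name(ip, zone):
    """Name an IPv4 DNSBL lookup queries: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def first_match(ip, order=ORDER):
    """First list, in filter order, that lists the IP; None if no list does."""
    for zone in order:
        if ip in LISTINGS[zone]:
            return zone
    return None


def tally(ips, order=ORDER):
    """Per-list held-mail counts when only the first matching list is credited."""
    hits = (first_match(ip, order) for ip in ips)
    return Counter(zone for zone in hits if zone)


def total_listed(ips, zone):
    """How many of the sources a list knows about, regardless of filter order."""
    return sum(ip in LISTINGS[zone] for ip in ips)


if __name__ == "__main__":
    print(dnsbl_query_name("201.9.105.210", "cbl.abuseat.org"))
    print("credited:", dict(tally(SOURCES)))
    print("SORBS lists:", total_listed(SOURCES, "dnsbl.sorbs.net"))
    print("reversed order:", dict(tally(SOURCES, ORDER[::-1])))
```
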

I've just run a spam that got by my SC settings through the web reporting system...here's the Tracking URL:

http://www.spamcop.net/sc?id=z535217371z39...292f932fddee63z

First, if you take a look at the parsing, you'll see that there were supposedly "no links found" but there's a bold http spamvertised site in the middle of the spam:

<b>http://www.pkjen.com/mcam.html</b>

It's not wrapped in an anchor link....is that required in order for the engine to pick it up as a spamvertised link?

Second, you'll also note that the source IP is:

201.9.105.210 listed in cbl.abuseat.org ( 127.0.0.2 )

and since my SC email Options include the "Composite Blocking List" blacklist, you'd think that this one would have been sent to my Held Mail. I've compared the time stamps....here's what the CBL folks say about that IP:

IP Address 201.9.105.210 was found in the CBL.

It was detected at 2004-07-05 22:00 GMT (+/- 30 minutes).

Here's the timestamp at which it hit SpamCop's servers:

6 Jul 2004 00:29:54 -0000

which is two and one half hours later. Seems that should be long enough for the IP to register during SC processing, but I guess it's not? Does someone know for sure? (Please don't speculate.)

TIA,

David

I'd like to know why the SC email system doesn't currently offer the "dnsbl.njabl.org" on the DNS blacklists offered in the "select your email filtering blacklists" option?

While parsing some spam that got through my current settings, some of it is showing as being "listed in dnsbl.njabl.org ( 127.0.0.4 )" (and the "4" at the end indicates it's in their "spam Sources" list). For example, I got a mainsleaze item hawking DeVry University that would have been caught, were this to be an option. Here's the Tracking URL for that particular spam:

http://www.spamcop.net/sc?id=z536701815zee...5e4f1fa612625bz

(please don't move this item to the end of my earlier "non-SC blacklists not working?" thread....hardly anyone will go all the way to the end of that thread just to see this, and I think it's a new angle on the issue, anyway) :)

This one will probably need an answer from JT...yes?

David T.

(please don't move this item to the end of my earlier "non-SC blacklists not working?" thread....hardly anyone will go all the way to the end of that thread just to see this, and I think it's a new angle on the issue, anyway) 

This one will probably need an answer from JT...yes?

Yes, and as I requested that he actually go through this entire Topic and it actually is "more of the same" (non-action taken by the filter even though showing as 'listed'), I contend it is the same subject, and more importantly, it's "your" issue to get answered. When JT does get around to filling in the blanks, then I'm hoping to go back to the FAQ referenced a couple of times today and try to update it.

...it actually is "more of the same" (non-action taken by the filter even though showing as 'listed'), I contend it is the same subject

No...wait...that's NOT true! AFAICT, the "dnsbl.njabl.org" is NOT currently an option that SC email users can select. It's reported during the web-based parsing, but I don't think it's used to actually block any mail. So, this message was not about "non-SC blacklists not working" at all...it was a request to add a new blacklist in the SC email Options.

I respectfully request that you restore it, complete with my original Subject and subtitle.

David

I'd like to know why the SC email system doesn't currently offer the "dnsbl.njabl.org" on the DNS blacklists offered in the "select your email filtering blacklists" option?

Because I'm not sure it's really all that effective. Not compared to what we already have.

See this page that compares the blacklists. The dnsbl.njabl.org results aren't all that great, especially when you subtract out the dialup portion of the results. The lists we do use, like SORBS and CBL block several times more spam than that one.

JT

I've just run a spam that got by my SC settings through the web reporting system...here's the Tracking URL:

http://www.spamcop.net/sc?id=z535217371z39...292f932fddee63z

First, if you take a look at the parsing, you'll see that there were supposedly "no links found" but there's a bold http spamvertised site in the middle of the spam:

<b>http://www.pkjen.com/mcam.html</b>

It's not wrapped in an anchor link....is that required in order for the engine to pick it up as a spamvertised link?

Yes, the anchor link would be required, based on the Content-Type identification in the headers, then followed by the Content-Type defined in the particular Boundary line preceding the block of stuff your URL was located in .. specifically;

----2041697246815200

Content-Type: text/html;

Content-Encoding: bitbitNUM

(and what the heck "bitbitNUM" is supposed to be, I haven't a clue.)
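The behaviour described in this reply, as an added example that is not part of the original post and not SpamCop's parser: a link extractor that trusts the declared `text/html` type and collects only anchor targets reports no links for a bare URL, while one that also scans text nodes finds it. The function names and the sample body (a constructed URL on a reserved example domain) are assumptions for illustration.

```python
import re
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed HTML body: a bare URL in bold, not wrapped in an anchor.
SAMPLE = "Order today <b>http://spamvertised.example/offer.html</b>"


class LinkCollector(HTMLParser):
    """Collects <a href> targets and, separately, bare URLs in text nodes."""

    def __init__(self):
        super().__init__()
        self.anchors, self.bare = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors += [v for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        self.bare += URL_RE.findall(data)


def _is_html(content_type):
    return content_type.split(";")[0].strip().lower() == "text/html"


def _collect(body):
    collector = LinkCollector()
    collector.feed(body)
    collector.close()
    return collector


def anchor_only_links(content_type, body):
    """Anchors only for HTML parts; plain-text parts get a URL regex."""
    if _is_html(content_type):
        return _collect(body).anchors
    return URL_RE.findall(body)


def links_with_text_fallback(content_type, body):
    """As above, but HTML parts also contribute bare URLs from text nodes."""
    if _is_html(content_type):
        c = _collect(body)
        return c.anchors + [u for u in c.bare if u not in c.anchors]
    return URL_RE.findall(body)


if __name__ == "__main__":
    print(anchor_only_links("text/html;", SAMPLE))
    print(links_with_text_fallback("text/html;", SAMPLE))
```
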

I'd like to know why the SC email system doesn't currently offer the "dnsbl.njabl.org" on the DNS blacklists offered in the "select your email filtering blacklists" option?

Because I'm not sure it's really all that effective. Not compared to what we already have.

See this page that compares the blacklists. The dnsbl.njabl.org results aren't all that great, especially when you subtract out the dialup portion of the results. The lists we do use, like SORBS and CBL block several times more spam than that one.

OK, I'll bite...here's what's currently offered in the SC webmail system, with numbers from the chart in your URL:

bl.spamcop.net 2846

l1.spews.dnsbl.sorbs.net 2509

list.dsbl.org (not listed)

sbl.spamhaus.org 1535

korea.services.net 2351

cn.rbl.cluecentral.net (not listed)

nigeria.blackholes.us 23

argentina.blackholes.us 132

brazil.blackholes.us 661

cbl.abuseat.org 9877

xbl.spamhaus.org 9870

dnsbl.sorbs.net 4490

(this last one is tricky...had to add up all the non-dynamic zone totals, meaning 127.0.0.2 .3 .4 .5 .6 .7 .9)

Doing the same for dnsbl.njabl.org, I arrive at 2380 (which excludes the dialup results, but includes zones 127.0.0.2 .4 .9). That puts it somewhere in the middle of your list, if my methodology and mathematics are valid. However, in another thread, I asked about the possibility of including zones that report dynamic IPs. I asked if the system could be programmed to identify and block messages that were delivered directly from a dynamic IP to a member's mailhost (assuming that we all eventually have to identify our downstream mailhosts).

BTW, the URL you gave us was archived for a specific date. The URL for the most recent update at that site seems to be:

http://www.sdsc.edu/~jeff/spam/cbc.html

(for future reference and bookmarking purposes)

My understanding of all this is in a very rudimentary state, but my goal is simply to reduce the amount of junk that gets by the SC system and into my POP client's inbox (proud Pegasus user for many, many years). I wish this post wasn't number 35 on page three of a tired-out thread, but oh well....

B)

David T.

  • 3 weeks later...

I'm resurrecting just a minor issue from this old thread, in that I've found some SC FAQ information that contradicts the following:

If I understand your statement correctly you are referring to editing a message that you are reporting as spam.

Note: there are NO unnecessary lines when reporting spam.

The spam message should never be edited (the only exception being that of munging personal data, which if done must also include the additional disclaimer that you have munged the data).

Actually, judicious editing does seem to be permitted when submitting spam for parsing/reporting. I found this in the FAQ under "Material Changes to spam" here:

http://www.spamcop.net/fom-serve/cache/283.html

Specifically, it states:

Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find.

So, as long as I didn't make any edits that caused the parsing to find anything that it otherwise wouldn't have found, what I did was OK. However, there is at least one exception to this idea, also found on the same FAQ page:

If a report is going to an abuse desk that does not accept munged reports, you must not make even these minor changes.

Just setting the record straight, although I now report almost exclusively using the tools found in the webmail system, so I don't mess with the originals any more.

DT

  • 9 months later...
the Subject line of the thread probably ought to be something like "questions about the non-SC blacklists."

I renamed the Topic Title from "non-SC blacklists not working?" to "questions about the non-SC blacklists" per the above request.

Archived

This topic is now archived and is closed to further replies.
