CF RULES

Steve Freegard steve.freegard at LBSLTD.CO.UK
Mon Jan 19 14:27:01 GMT 2004


I personally use BigEvil, Tripwire, Popcorn/Backhair/Weeds and Chickenpox
and haven't had any problems with FP's.

However - as I have a reasonably well trained bayes database, I modify the
low-end and high-end bayes scores just to be on the safe side:

score BAYES_00  -15.0
score BAYES_01  -5.0
score BAYES_90  5.0
score BAYES_99  15.0

As I did this quite some time ago - the recently misused HABEAS_SWE headers
didn't affect me at all:

SpamAssassin Score: 44.16
Spam Report:
Score   Matching                Rule Description
15.00   BAYES_99                Bayesian spam probability is 99 to 100%
0.10    BIZ_TLD                 Contains a URL in the BIZ top-level domain
3.00    BigEvilList_131         Generated BigEvilList_131
0.75    DATE_IN_PAST_12_24      Date: is 12 to 24 hours before Received: date
-8.00   HABEAS_SWE              Has Habeas warrant mark (http://www.habeas.com/)
0.10    HTML_50_60              Message is 50% to 60% HTML
0.10    HTML_MESSAGE HTML       HTML included in message
17.00   J_BACKHAIR_XX           (Matched 17x BACKHAIR rules - snipped)
1.20    J_CHICKENPOX_XX         (Matched 2x CHICKENPOX rules - snipped)
0.32    MIME_HTML_ONLY          Message only has text/html MIME parts
1.10    MIME_HTML_ONLY_MULTI    Multipart message only has text/html MIME parts
3.51    PYZOR_CHECK             Listed in Pyzor (http://pyzor.sf.net/)
1.10    RAZOR2_CF_RANGE_51_100  Razor2 gives confidence between 51 and 100
1.05    RAZOR2_CHECK            Listed in Razor2 (http://razor.sf.net/)
1.50    RCVD_IN_BL_SPAMCOP_NET  Received via a relay in bl.spamcop.net
5.00    RCVD_IN_CBL             Received via a relay in cbl.abuseat.org
0.10    RCVD_IN_RFCI            Sent via a relay in ipwhois.rfc-ignorant.org
1.23    WHY_WAIT                What are you waiting for

Seems to work well for me as long as I make sure that the bayes database is
well fed...

Cheers,
Steve.

-----Original Message-----
From: Michele Neylon :: Blacknight Solutions
[mailto:michele at BLACKNIGHTSOLUTIONS.COM]
Sent: 19 January 2004 11:12
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: CF RULES


How effective is this?

My main concern with implementing extra rules is the risk of generating
false positives..

Mr. Michele Neylon
Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9137101
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Randal, Phil
> Sent: 19 January 2004 10:56
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: CF RULES
>
>
> I'd recommend the tripwire rule from Chris Santerre's page to hit
> these:
>
> http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf
>
> Cheers,
>
> Phil
>
> ---------------------------------------------
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > Behalf Of Howard
> > Sent: 19 January 2004 03:20
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: CF RULES
> >
> >
> > I've got the following running fine and was wondering if anyone had
> > any comments if I should be running more or less:
> >
> > -rw-r--r--    1 root     root         6051 Jan 15 13:34 backhair.cf
> > -rw-r--r--    1 root     root        68703 Jan 17 22:56 bigevil.cf
> > -rw-r--r--    1 root     root        22814 Jan 17 09:18 chickenpox.cf
> > -rw-r--r--    1 root     root          302 Jan 16 17:37 local.cf
> > -rw-r--r--    1 root     root         5589 Jan 15 13:36 popcorn.cf
> > -rw-r--r--    1 root     root        13914 Jan 18 22:03 uri.cf
> >
> > Also, does anyone have any comments on running:
> > http://www.stearns.org/sa-blacklist/sa-blacklist.2004011401.uri.cf
> >
> > Lastly, I get a bunch of these text body mails:
> >
> > ucecx ldlmdeh djszrvp vphflvpyh utctkz lwnmy ftxmu
> > fdodpur ypyced pydsdqeho yfbdhl- ypfoapf- sworudtew sagwngon loxkx
> > qzderwd camnjcwr
> > vxexbqasb, rdtgq zldvrcrh fctzx rarsf.
> > zznhavso poxgr. uosuxfvdb vbdyq fzwntsti atdyr nomottvm inlpzlgf dkazd
> > fxsowmz kevki ffnznyor cczmfwv
> > swktch qfttob herbri chzddvvpq- ipaceshqg
> >
> > What filter would take care of this?
> >
> > Thanks
> >
>
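
Added example, not part of the original thread: a short Python script that parses the spam report quoted in Steve's reply and re-totals it, to show how much headroom the message has over the forged HABEAS_SWE hit of -8.00. The function names, the `CUSTOM` prefix list and any replacement scores passed in are assumptions made for illustration; the rule names and scores are the ones in the report.

```python
import re

# Report rows from the message above as archived, wrapped lines included.
REPORT = """\
15.00   BAYES_99                        Bayesian spam probability is 99 to
100%
0.10            BIZ_TLD                         Contains a URL in the BIZ
top-level domain
3.00            BigEvilList_131         Generated BigEvilList_131
0.75            DATE_IN_PAST_12_24      Date: is 12 to 24 hours before
Received: date
-8.00   HABEAS_SWE                      Has Habeas warrant mark
(http://www.habeas.com/)
0.10            HTML_50_60                      Message is 50% to 60% HTML
0.10            HTML_MESSAGE HTML       HTML included in message
17.00   J_BACKHAIR_XX           (Matched 17x BACKHAIR rules - snipped)
1.20            J_CHICKENPOX_XX         (Matched 2x CHICKENPOX rules -
snipped)
0.32            MIME_HTML_ONLY          Message only has text/html MIME
parts
1.10            MIME_HTML_ONLY_MULTI    Multipart message only has text/html
MIME parts
3.51            PYZOR_CHECK             Listed in Pyzor
(http://pyzor.sf.net/)
1.10            RAZOR2_CF_RANGE_51_100  Razor2 gives confidence between 51
and 100
1.05            RAZOR2_CHECK            Listed in Razor2
(http://razor.sf.net/)
1.50            RCVD_IN_BL_SPAMCOP_NET  Received via a relay in
bl.spamcop.net
5.00            RCVD_IN_CBL             Received via a relay in
cbl.abuseat.org
0.10            RCVD_IN_RFCI            Sent via a relay in
ipwhois.rfc-ignorant.org
1.23            WHY_WAIT                        What are you waiting for
"""
ROW = re.compile(r"^(-?\d+\.\d+)\s+([A-Za-z]\w*)\s")  # score, rule name

def parse_scores(text):
    # Wrapped description lines do not start with a score, so they are skipped.
    return {m[2]: float(m[1]) for m in map(ROW.match, text.splitlines()) if m}

def total(scores, overrides=None, drop=()):
    # Re-total the hits with some rules rescored or whole rule sets dropped by prefix.
    overrides = overrides or {}
    return round(sum(overrides.get(r, s) for r, s in scores.items()
                     if not r.startswith(tuple(drop))), 2)

SCORES = parse_scores(REPORT)
CUSTOM = ("BigEvil", "J_BACKHAIR", "J_CHICKENPOX")  # add-on rule sets in the post
```

`total(SCORES)` reproduces the reported 44.16. `total(SCORES, {"BAYES_99": 0.0}, CUSTOM)` re-totals the same message with the add-on rule sets removed and BAYES_99 contributing nothing (0.0 is a hypothetical value, not SpamAssassin's stock score), which shows how much of the margin over the -8.00 HABEAS_SWE hit comes from the local changes.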
