SURBL scoring

David Hooton david.hooton at GMAIL.COM
Wed Jul 14 02:11:25 IST 2004 

On Tue, 13 Jul 2004 17:07:14 -0400, John Lundin <lundin at cavtel.net> wrote:
> (cough) Well, since no one else spoke up... IMO, you should worry.
> And the problem is about to get worse; there's a new list in beta.

Hi John,

We use SURBLs extensively for our mail filtering - we do however as
you've mentioned sanitise them using a few methods..

1) We run our own internal "Trusted" lists, both white and black
2) We weight the surbl.org lists such that it would take 3 or more of
them to have a domain listed in order for them to take the message
over the high score point.
3) We test any new lists for a week with a tiny score, then adjust
scoring after a weeks testing for FP's etc.

> A few days after adding WS to spamcop_uri, I had a friend's letter
> wind up in my spam folder. He was building a new computer and had sent
> me a parts list for comment. One of his possible suppliers turned out
> to be in SC and WC. (You can guess what one of my comments was.)

We find that Bayes generally balances this out - however if you don't
have a well fed bayes DB you may not see the full benefot in this
case.

> FWIW, I maintain MS on one old spam-ridden site. About 95% of its
> inbound mail currently scores as spam. 83% of that spam hits at least
> one URI_RBL rule. 31% of spam (37% of spam hits with URI_RBL's) hit
> all four of AB, OB, SC and WS, and 53% (63%) hit three or more! Of the
> "non-spam", 1.4% still has at least one URI_RBL hit.

We're finding similar results with SURBL's they are yet another great
way to push scores up further :)

> What I added to spamcop_uri.cf (first pass):
>
> meta OB_SC_URI_RBL (SPAMCOP_URI_RBL && OB_URI_RBL)
> describe OB_SC_URI_RBL  Compensate if both spamcop and OB trigger
> score OB_SC_URI_RBL     -1.5
>
> meta AB_SC_URI_RBL (SPAMCOP_URI_RBL && AB_URI_RBL)
> describe AB_SC_URI_RBL  Compensate if both AB and SC trigger
> score AB_SC_URI_RBL     -1.5
>
> meta OB_WS_URI_RBL (OB_URI_RBL && WS_URI_RBL)
> describe OB_WS_URI_RBL  Compensate if both WS and OB trigger
> score OB_WS_URI_RBL     -1.0

Nice idea..  Might have a play with it myself :)

> I'd be interested to know what other people do to fix this.

Hope I've helped fill in some gaps :)
--
Regards,

David Hooton

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html

More information about the MailScanner mailing list