Spam Weather Log Analyzer (SPWX) for Declude now available!
Idea shared by Linda Pagillo - May 11 at 10:39 AM
Proposed
We here at Mail's Best Friend have received several requests from SmarterMail users to create a utility which can analyze Declude logs and provide detailed statistics in reference to which RBLs, tests and filterswithin Declude are working best on your server to catch the most spam with the least amount of false-positives. Our new utility is called Spam Weather Log Analyzer (SPWX). If you are interested in learning more about SPWX,please check out the following link:https://store.mailsbestfriend.com/product/spwx-log-analyzer/. Please reach out to me at linda.pagillo@mailsbestfriend.com and for a limited time, I can offer you a discount coupon. Thanks.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 

5 Replies

Reply to Thread
1
Hi everyone. I have some useful info to share with you that we discovered today using our SPWX program.
 
Need to know:  MBF suggests the removal of the DSN test from your Declude global.cfg
 
DSN                                       RHSBL   dsn.rfc-clueless.org                        127.0.0.2              3              0
 
Detailed Explanation:  Domains are listed in the dsn.rfc-clueless.org zone based on, delivery status notification for failed delivery attempts are sent from a null address ("<>") which must be supported according to STD10 and its subsequent forms. Failure to accept mail from the null address could cause undue burden for other postmasters, and is eligible for listing. Rejecting delivery status notifications is usually caused by a misconfiguration in the mail server itself rather than being domain-specific. For this reason, domains that share an MX record with another domain already listed will also be automatically listed. RFC 2505 (Anti-Spam Recommendations) reiterates the necessity of accepting mail to the null address.
 
MBF data shows that the majority of cases this test is triggering it is a false-positive, most likely because legitimate mail servers are not abiding by RFC 2505. This test only adds 3 points to the final score and considering it is incorrect more than 50% of the time MBF suggests that this test does not to add sufficient value to the overall weighting and should be removed from the global.cfg see data snippet below:
 
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 
0
Linda,
 
The Spam Weather Log Analyzer is a nice tool. We've been doing something similar in our anti-spam audits manually using grep and then playing with the piped data in a spreadsheet. This tool would be a great time-saver for us (and allow us to monitor the effectiveness of our anti-spam tests more frequently than once a year). Hopefully management will see how much payroll time it could save and allow us to purchase a license.
 
Also, nice catch on dsn.rfc-clueless.org. We disabled .fulldom.rfc-clueless.org and dsnfc-clueless.org spring of 2016 because of too many false positives. However, the postmaster.rfc-clueless.org, abuse.rfc-clueless.org, bogusmx.rfc-clueless.org are still giving us good results (not sure how useful the whois.rfc-clueless.org is going to be going forward once WHOIS is made private after the GDPR).
0
Thank you! I appreciate your interest in SPWX. Please let me know if you have any questions about it and I will be happy to answer them for you. Take care!
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 
0
Hi guys. More interesting data for you:
 
Need to know:  This test requires Message Sniffer. MBF suggests a minimum weight of 25 or more SNIFFER-TRUNCATE in your Declude global.cfg
 
SNIFFER-TRUNCATE        external               020         "[FULL PATH]\SNFClient.exe"     25           0
 
Detailed Explanation:  The statistics indicate with high certainty any messages triggered by this test are spam or malware. Emerging threats are often detected more quickly on Truncate than other lists, but Truncate isn't designed to catch everything. It has a short memory. It's also extremely good at avoiding false positives because Message Sniffer has an extremely low false positive rate and Truncate only skims a tiny fraction of that data.
 
MBF data shows that this test has an extremely high level of accuracy.  With > 99.3% accuracy this test can be set at 25+ in your Declude global.cfg see data snippet below:
 
SS - How many times did the test indicate spam and the final result agreed. Test says Spam and result was Spam. We call this an accurate spam indication.
SH - How many times did the test indicate spam and the final result disagreed. Test says Spam, but the result was Ham. We call this a false positive.
%OfSpam - Percent of Spam Accurately Tagged. As a percentage, how often did this spam test fire when the overall result was spam. This is a good measure of how much this test contributed to spam results.
 
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 
0
HI everyone! Here is more useful data for you:
 
Need to know:  Consider using DNSWL to help identify good email. The configuration is as follows in you Declude global.cfg file:
 
DNSWL       IP4R       list.dnswl.org         *             -5            0
 
Detailed Explanation:  dnswl.org maintains a database of IP addresses which are grouped into "DNSWL Records" providing lookups for email reputation to protect against false positives. Users doing more than 100’000 DNS queries on their free public nameserver infrastructure or reselling their data as part of a commercial service need to get a subscription to download their data and serve it locally.
 
MBF statistics indicate that DNSWL identifies the IP address as valid and is correct 80-90% of the time. With this level of accuracy would suggest giving emails that trigger this test a credit anywhere from -5 to -10.
 
HH - How many times did the test indicate ham and the final result agreed. Test says Ham and result was Ham. We call this an accurate ham indication.
HS - How many times did the test indicate ham and the final result disagreed. Test says Ham, but the result was Spam. We call this a false negative.
HA - Ham Test Accuracy. Any time a test provides a negative weight it is acting as a ham test. The accuracy of that test is calculated as a Bayesian estimate of the probability that when the test fires the message is actually ham.
HQ - Ham Test Quality. If a ham test ever fires when the overall result disagreed (HS) then there is a probability that this was a false positive. Again, not a certainty -- and watch out for the terminology. We're talking about a ham test here so in this case a false positive is when the test says it ham but it turns out to be spam. Most of us are used to thinking the other way around. Here again we take the Bayesian estimate of an accurate result (HA) and use the probability of a false positive to reduce that number. P(HA) * (1 - P(FP)).
 
 
 
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 

Reply to Thread