2. Checking DNSBL Effectiveness
2.1 Checking DNSBL Effectiveness - Using the Status Screen
2.2 Checking DNSBL Effectiveness - Using Headers
3. Improving SpamPal's Effectiveness
3.1 Improving SpamPal's Effectiveness: DNSBL lookup
3.2 Improving SpamPal's Effectiveness: Using DNSBL Cache
3.3 Improving SpamPal's Effectiveness: Using Plugins
3.4 Improving SpamPal's Effectiveness: Slow down checks for new mail

Here are a few things you can try if you find that SpamPal is too slow or isn't catching enough spam:
- Whitelist every email address you know you want.
- Don't use more DNSBLs (Public Blacklists) than you need.
- Some email programs, such as Outlook, have a Junk Mail facility which will blacklist email addresses. It's normally a good idea to disable this feature (which will give you a small speed boost) and just use SpamPal to do the work.
- Use the ignore-list feature to ignore the IP addresses of your own ISP's mail servers.
- You can also tune the number of connections SpamPal makes: go to the advanced settings and increase the Maximum Simultaneous DNSBL queries to 50 (if you are on broadband/cable/ADSL).
- Don't set the caching times too low.

2.1 Checking DNSBL Effectiveness - Using the Status Screen

By using the SpamPal Status page (right click on the Systray Umbrella and select Status), you'll be able to see which DNSBLs you are using and how effective they have been during a recent session.

If you look at the statistics on SpamPal's status screen, it will show you the hit rates being achieved by the various DNSBLs you are using for recent queries. You will probably notice that some of the DNSBLs regularly give high numbers, 20-50%, and others may be very low, or even zero hits. Deselecting the ones with low hit rates will probably improve speed without affecting your spam detection capability.

For example, in the screen below, it looks like Spam-RBL has caught little spam in this session, and it may therefore be a good idea to deselect this from your list of DNSBLs (public blacklists) in order to save time.

[Screenshot: SpamPal Status screen]

2.2 Checking DNSBL Effectiveness - Using Headers

When you have an email which is clearly spam to you but has slipped through SpamPal, use the following procedure to see if there are other DNSBLs which would have caught this spam.

Get the full mail headers from your mail. How you do that varies from email program to email program, but they almost all have a method somewhere within the program. The full mail headers means you need the Received: from lines, e.g.

    Return-Path: <Pamela5J@hotmail.com>
    Received: from sender244 (clarksville-24-159-56-139.midtn.chartertn.net [24.159.56.139])
        by xxx.xxxxx.co.uk (8.11.6/8.11.6) with ESMTP id h6888HN06418
        for <xxxxx@xxxxx.co.uk>; Tue, 8 Jul 2003 09:08:18 +0100
    Message-Id: <200307080808.h6888HN06418@xxxxx.xx.xx>

Now, go to http://openrbl.org/ and do a lookup on the IP address (24.159.56.139). Wait for your address to be processed and look out for the following line:

    Results: Positive=9, Negative=23

If you look for the DNSBLs in Red, you could add one of those to SpamPal's current list of DNSBLs in order to try to improve performance of the DNSBL checks.

If none are Positive, then adding more DNSBLs to the list in SpamPal isn't likely to have caught the spam, as it wasn't listed in the major DNSBLs at the time you checked your mail.

You can further investigate an IP number using the Moensted blacklist checker, at http://moensted.dk/spam/ or the DNSStuff database checker, at www.dnsstuff.com

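The header procedure above can also be scripted. This is an added example, not part of SpamPal or the original page: it pulls the connecting IP out of the Received: headers, builds the reversed-octet DNSBL query name for each zone, and sorts the zones into positive and negative results. The function names are assumptions of this example, and the zones to check are supplied by the caller.

```python
import ipaddress
import re
import socket

# Header block from the page above, with the folded Received: lines indented.
SAMPLE = """Return-Path: <Pamela5J@hotmail.com>
Received: from sender244 (clarksville-24-159-56-139.midtn.chartertn.net
    [24.159.56.139])
    by xxx.xxxxx.co.uk (8.11.6/8.11.6) with ESMTP id h6888HN06418
    for <xxxxx@xxxxx.co.uk>; Tue, 8 Jul 2003 09:08:18 +0100
Message-Id: <200307080808.h6888HN06418@xxxxx.xx.xx>
"""
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def sender_ips(raw_headers, ignore=()):
    """Public IPv4 addresses named in Received: headers, newest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # join folded lines
    skip = [ipaddress.ip_network(net) for net in ignore]  # e.g. your ISP's servers
    found = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        for text in BRACKETED_IP.findall(line):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed text that is not a valid address
            if ip.is_private or ip.is_loopback or any(ip in net for net in skip):
                continue
            if text not in found:
                found.append(text)
    return found

def dnsbl_name(ip, zone):
    """24.159.56.139 checked against zone z is the DNS name 139.56.159.24.z"""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_ip(ip, zones, resolve=socket.gethostbyname):
    """Split zones into (positive, negative) for one IP."""
    positive, negative = [], []
    for zone in zones:
        try:
            resolve(dnsbl_name(ip, zone))  # any A record means the IP is listed
            positive.append(zone)
        except OSError:  # no such name (not listed) or the lookup failed
            negative.append(zone)
    return positive, negative
```

A lookup that times out is counted as negative here, so a slow DNSBL looks the same as one that does not list the address.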
3.1 Improving SpamPal's Effectiveness: DNSBL lookup

These settings can be found in the Advanced panel of SpamPal's options. On the same page, a DNSBL time-out setting of 10 to 20 seconds and a maximum number of simultaneous DNSBL queries of about 25 should be a good choice for most people.

3.2 Improving SpamPal's Effectiveness: Using DNSBL Cache

You should also look at the cache times on DNSBL checks. The caching improves speed but may lead to slightly less accurate results. Unless speed is a problem for your connection, the best results will come from setting SpamPal to remember positive (Spam) results for three days, and negative (legitimate mail) results for zero days, twelve hours. These settings can be found in the Advanced panel of SpamPal's options. On the same page, a DNSBL time-out setting of 10 to 20 seconds and a maximum number of simultaneous DNSBL queries of about 25 should be a good choice for most people.

3.3 Improving SpamPal's Effectiveness: Using Plugins

If you are still not catching enough spam then you are better off trying alternative strategies, not just piling on more DNSBLs. Look at the available plugins.

There is one called URLbody which will apply DNSBL checks to the websites listed in the spam mails. Although spammers can disguise their email address and send the mail through circuitous routes, they still need to advertise their website in the spam they send you, so this plugin can be very effective at trapping them.

RegEx will examine the body of mails for a whole mess of different phrases and other good solid indicators of spam, and both of those should pick up lots of spam, although I think there is a slightly higher risk of false positives with RegEx patterns. However, the latest version uses a combined scoring system which should greatly improve its discrimination sensitivity. Some people have reported catching well over 90% of the spam just using RegEx and no DNSBLs at all.

The MX blocker is used to detect mails which are sent through desktop MX programs on dial-up lines, a common tactic of spammers. You may find this mops up lots of spam which is escaping the DNSBLs. However, use it with caution initially, as desktop MX is a legitimate tool which is used for legitimate purposes, so you may find you need to whitelist a few regular correspondents.

There is also a Bayesian plugin which takes a completely different approach to detecting spam, although the nature of it means it is perhaps more likely to get false positives to begin with, and it does need a period of training to learn the patterns in your email.

As with DNSBLs, do not just install everything at once because it will just be overkill. Try the plugins one at a time and find out what is working best for you.

3.4 Improving SpamPal's Effectiveness: Slow down checks for new mail

A more likely cause of poor DNSBL performance is that you are checking your mail too often.

We have found that from the time a wave of spam starts, it takes about 30 minutes before the culprit IP numbers start appearing on the DNSBLs. If you are checking your mail at one minute intervals then you are probably downloading the spam before the DNSBLs have had a chance to react.

Change the settings in your mail program to only download mail at 30 minute intervals or longer, or even just to download manually, and you should find a big improvement in DNSBL performance.

Despite what people often think, the world will not end if you don't get your emails within a minute of someone sending them.
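The cache times from section 3.2 interact with the 30-minute listing delay described above. This is an added example that models the interaction; it is not SpamPal's own code, and the class, function and parameter names are assumptions. It keeps DNSBL verdicts with separate lifetimes for positive and negative results and replays checks of one IP that becomes listed part-way through.

```python
import time

DAY, HOUR, MINUTE = 86400, 3600, 60

class DnsblCache:
    """Remember DNSBL verdicts, with separate lifetimes for listed and clean results."""

    def __init__(self, lookup, positive_ttl=3 * DAY, negative_ttl=12 * HOUR, clock=time.time):
        self.lookup = lookup      # callable(ip) -> True if a DNSBL lists the IP
        self.positive_ttl = positive_ttl
        self.negative_ttl = negative_ttl
        self.clock = clock
        self.entries = {}         # ip -> (listed, time the verdict was stored)
        self.queries = 0          # real lookups sent, i.e. the speed cost

    def is_listed(self, ip):
        now = self.clock()
        cached = self.entries.get(ip)
        if cached is not None:
            listed, stored = cached
            ttl = self.positive_ttl if listed else self.negative_ttl
            if now - stored < ttl:
                return listed     # still fresh: answer without a DNS query
        self.queries += 1
        listed = self.lookup(ip)
        self.entries[ip] = (listed, now)
        return listed

def simulate(check_times, listed_from, **ttls):
    """Check one IP at each time (in seconds); it becomes listed at listed_from."""
    now = [0]
    cache = DnsblCache(lambda ip: now[0] >= listed_from, clock=lambda: now[0], **ttls)
    verdicts = []
    for t in check_times:
        now[0] = t
        verdicts.append(cache.is_listed("24.159.56.139"))  # IP from the header example
    return verdicts, cache.queries
```

For checks at 0, 10 minutes, 1 hour and 13 hours against an IP listed after 30 minutes, the twelve-hour negative lifetime reuses the first clean verdict until the 13-hour check, using two queries. A zero negative lifetime sees the listing at the one-hour check, using three.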