Reputation threshold?

Vernon Schryver vjs@rhyolite.com
Fri Feb 1 04:07:30 UTC 2013


> From: Vincent Fox <vbfox@ucdavis.edu>

> However I am still unclear on the meaning of this setting:
>
> "option threshold rep,20%"

> So does it mean that if you pick 40%, that the IP is 40% bulk and 60% 
> non-bulk?

I don't understand that question, because nothing on an SMTP server
(mail receiver) can change the ratio of bulk mail to total mail
seen from an IP address.  The ratio of bulk to total mail sent from
an IP address is whatever it is.

The line "option threshold rep,20%" tells a DCC client such as dccm
or dccifd to assume that any message from an SMTP client (mail sender)
at any IP with a DCC Reputation of 20% or higher must be assumed to
be bulk mail.  X-DCC headers added to such mail will include the string
"bulk".  If the global /var/dcc/whiteclnt file or a relevant per-user
whiteclnt file contains the line "option DCC-rep-on" and if the message
is not whitelisted by lines in the global or per-user whiteclnt file,
then dccm will tell sendmail or dccifd will tell postfix, exim, or 
SpamAssassin that the message is spam that should be rejected or whatever.

The DCC reputation of an IP address is simply the ratio of the
number of mail messages sent to at least 10 or more targets from
the SMTP client at that IP address (as seen by all DCC reputation
servers) to the total number of messages seen from that IP address.

A DCC reputation of 40% for an IP address implies that a new message
from that IP address has a probability of being bulk (>10 targets)
with at least 40% probability.


> What does it do with this threshold?  It doesn't appear to be a cutoff 
> since I still see
> mail on my test server scoring in the lower bands.

Unless DCC Reputations are turned on with an "option DCC-rep-on" line,
only X-DCC headers are affected.

However, judging from some numbers on the server status web pages
for {dcc1,dcc2}.ucdavis.edu, you are using SpamAssassin.  If that
is the case, then dccm/dccifd/dccproc have no direct effects on
received mail.  You can use the /var/dcc/whiteclnt thresholds to
change when "bulk" appears in the X-DCC lines that SpamAssassin
checks.  You can also use reputation threshold settings in the new
SpamAssassin DCC.pm plugin in /var/dcc/build/misc/DCC.pm.
That file is very similar to the DCC.pm that will be in SpamAssassin 3.4
someday.  See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6698
https://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/DCC.pm

There is a feature in that new version of DCC.pm that I think is useful
for all sites and not only those using DCC Reputations.   As described
in `perldoc /var/dcc/build/misc/DCC.pm`, there is a new dcc_learn_score
parameter that causes SpamAssassin to report a message that SpamAssassin
says is spam to DCC with a count of "many".  That can help SpamAssassin
see later copies of the same message as spam even if new headers or
client IP addresses don't trigger SpamAssassin rules.


Vernon Schryver    vjs@rhyolite.com


