Reputation threshold?

Vincent Fox vbfox@ucdavis.edu
Fri Feb 1 23:27:22 UTC 2013


Ah I see.

I find it puzzling now that I think about, we are scoring
reputation on one mail router at present, and from looking
at the sendmail logs I don't see any X-DCC noted.  Perhaps
it's not included in sendmail logging though.  I suppose the
utility of it would be if clients had their mail apps trained
that certain headers should be filtered?  We do something
like that already, our SA scores above a threshold trip
inclusion of  "X-UCD-MS-Spam-Score: *****" so Outlook clients
can be setup if desired to take action on that.

We are using Spamassassin 3.3.x included with RHEL6.
I don't think we will use SA 3.4 series in the near future.
We try to stay with what the distro is providing in their
repository and RedHat typically updates major versions
in their next release of the OS.

Thanks!

On 1/31/2013 8:07 PM, Vernon Schryver wrote:
>> From: Vincent Fox <vbfox@ucdavis.edu>
>> However I am still unclear on the meaning of this setting:
>>
>> "option threshold rep,20%"
>> So does it mean that if you pick 40%, that the IP is 40% bulk and 60%
>> non-bulk?
> I don't understand that question, because nothing on an SMTP server
> (mail receiver) can change the ratio of bulk mail to total mail
> seen from an IP address.  The ratio of bulk to total mail sent from
> an IP address is whatever it is.
>
> The line "option threshold rep,20%" tells a DCC client such as dccm
> or dccifd to assume that any message from an SMTP client (mail sender)
> at any IP with a DCC Reputation of 20% or higher must be assumed to
> be bulk mail.  X-DCC headers added to such mail will include the string
> "bulk".  If the global /var/dcc/whiteclnt file or a relevant per-user
> whiteclnt file contains the line "option DCC-rep-on" and if the message
> is not whitelist by lines in the global or per-user whiteclnt file,
> then dccm will tell sendmail or dccifd will tell postfix, exim, or
> SpamAssassin that the message is spam that should be rejected or whatever.
>
> The DCC reputation of an IP address is simply the ratio of the
> number of mail messages sent to at least 10  or more targets from
> the SMTP client at that IP address (as seen by all DCC reputation
> servers) to the total number of messages seen from that IP address.
>
> A DCC reputation of 40% for an IP address implies that a new message
> from that IP address has a probability of being bulk (>10 targets)
> with at least 40% probability.
>
>
>> What does it do with this threshold?  It doesn't appear to be a cutoff
>> since I still see
>> mail on my test server scoring in the lower bands.
> Unless DCC Reputations are turned on with a "option DCC-rep-on" line,
> only X-DCC headers are affected.
>
> However, judging from some numbers on the server status web pages
> for {dcc1,dcc2}.ucdavis.edu, you are using SpamAssassin.  If that
> is the case, then dccm/dccifd/dccproc have no direct effects on
> received mail.  You can use the /var/dcc/whiteclnt thresholds to
> change with "bulk" appears in the X-DCC lines that SpamAssassin
> check.  You can also use reputation threshold settings in the new
> SpamAssassin DCC.pm plugin in /var/dcc/build/misc/DCC.pm.
> That file is very similar to the DCC.pm that will be in SpamAssassin 3.4
> someday.  See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6698
> https://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/DCC.pm
>
> There is a feature in that new version of DCC.pm that I think is useful
> for all sites and not only those using DCC Reputations.   As described
> in `perldoc /var/dcc/build/misc/DCC.pm`, there is a new dcc_learn_score
> parameter that causes SpamAssassin to report a message that SpamAssassin
> says is spam to DCC with a count of "many".  That can help SpamAssassin
> see later copies of the same message as spam even if new headers or
> client IP addresses don't trigger SpamAssassin rules.
>
>
> Vernon Schryver    vjs@rhyolite.com




More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.