[Mimedefang] Cross-Post about SA Rule RCVD_IN_DYNABLOCK returning false positives

VonEssen, John VonEssJ at intelihealth.com
Wed Oct 1 12:30:01 EDT 2003

It's definitely an SA topic, but thought there would be some interest

I still don't understand why so much weight would be given to
blacklisting originating IPs of email (not the originating SMTP IP, but
the originating IP of the client sender). For example, according to my
logs, the entire Comcast Cable Modem user group in Philadelphia is being
blacklisted by DYNABLOCK. So every "innocent" soul that sends email
(from their Outlook client, etc.) is being potentially blocked
somewhere. Blocking Dialup/DSL IPs of users who run their own local SMTP
server for spamming... now that's a different story. But that is not
what DYNABLOCK is doing.

Obviously, I'll just remove the DYNABLOCK test from SA. But like I said,
the last couple of weeks/months have been very annoying given all these
RBL issues. I might drop all of them except for a few (ORBD, SpamCop,
etc.) and rely mainly on PYZOR, DCC, and content filters.


-----Original Message-----
From: Kevin A. McGrail [mailto:kmcgrail at pccc.com] 
Sent: Wednesday, October 01, 2003 10:49 AM
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] Cross-Post about SA Rule RCVD_IN_DYNABLOCK
returning false positives


One of the reasons I love SpamAssassin is that it really boils down to a
fabulous scoring system.  While each individual test may not be perfect,
combination of all the tests produces one of the lowest false positives
rates possible.  If a test comes along that can determine SPAM/HAM with
greater veracity, it can simply be added to the scoring system and

Additionally, there is a lot of science of running the combined weights
the scoring system against corpuses of known ham and known spam to
these type of things.

However, your question regarding what Dynablock does in SpamAssassin is
simply implements an RBL.  So an email comes in and SpamAssassin submits
request to Dynablock regarding that email's specifics and receives a yes
no.  Dynablock's policy and what that RBL does would be a question for
NOT mimedefang or spamassassin.

Largely their reason to exist is to block dial-up IP addresses.  I don't
believe this needs any flushing per se.  They simply try and maintain
accurate lists of dial-up IPs.  However, again, ask them.

Finally, the default weight as of 2.60 SpamAssassin for this test is 2.6
correlation).  You might find that your SA works better by weighting
rule lower by adding score RCVD_IN_DYNABLOCK 1.3 in your configuration.

You might find that RBLs in general are too risky for you and you might
to petition for a configuration like ALL_RBL_TESTS 0.50 for a weight
to all of them.  We achieve this in a way by typically raising the
SPAM threshold to 7.


> I am very confused as to what RCVD_IN_DYNABLOCK does in SpamAssassin.
> have been looking at my logs and it appears that a lot of my clients'
> email is being tagged with RCVD_IN_DYNABLOCK.
> Most of my clients access the internet via Comcast Cable Modem or DSL.
> Is the purpose of DYNABLOCK to record client IPs (i.e. IP addresses
> the clients Cable/DSL connection) that are known to be the source of
> SPAM (even though they are only relaying to an SMTP box via Outlook or
> something)? So if some client computer got infected with a worm and it
> started mailing out a bunch of crap (through the ISP's relay server)
> client IP would be tagged, and NOT the ISP's relay server.
> If this is the case, does DYNABLOCK flush out its database of bad
> IPs?
> I don't know if I agree with the logic of how DYNABLOCK works.
> Obviously, it causes me a headache trying to explain to my clients why
> their mail was not delivered. I'll never get an answer from
> dynablock.easynet.nl as to why my clients' IPs were tagged as BAD.
> combined with the DoS attacks on RBLs (which in turn cause the RBLs to
> return false positives), is starting to make me very weary about using
> RBLs - every time I turn my back I am getting bit in the ass.
> Why would we blacklist client IPs who relay mail through an ISP's
> server. Most ISPs are responsible enough to track down serious
> on their network. And, YES, every once in a while, a DSL client
> gets infected and starts sending spam - but it is quickly contained.

MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
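
An added illustration of the point argued in this thread, not part of either message and not SpamAssassin's code: a DNSBL lookup reverses the IP's octets and appends the list's zone, and the outcome depends on which Received hops are tested. The headers, the `LISTED` set (an offline stand-in for the DNS answer) and all function names are constructed for this example; only the zone name comes from the thread.

```python
import re

# Constructed sample: a home user on a dynamic address (203.0.113.45) submits
# mail through the ISP's relay (198.51.100.10), which delivers to our MX.
SAMPLE_HEADERS = """\
Received: from smtp.isp.example (smtp.isp.example [198.51.100.10])
\tby mx.recipient.example with ESMTP; Wed, 1 Oct 2003 10:00:05 -0400
Received: from desktop (c-203-0-113-45.isp.example [203.0.113.45])
\tby smtp.isp.example with SMTP; Wed, 1 Oct 2003 10:00:01 -0400
From: user@isp.example
Subject: hello
"""

ZONE = "dynablock.easynet.nl"   # zone name as it appears in the thread
LISTED = {"203.0.113.45"}       # constructed stand-in for the list's contents

def received_ips(headers):
    """Return the relay IPs from Received headers, newest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded header lines
    ips = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
            if m:
                ips.append(m.group(1))
    return ips

def dnsbl_name(ip, zone=ZONE):
    """Build the DNSBL query name: octets reversed, zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip):
    """Offline stand-in for resolving dnsbl_name(ip); no DNS query is made."""
    return ip in LISTED

def hits(headers, mode):
    """mode='all' tests every hop; mode='last' tests only the host that connected to us."""
    ips = received_ips(headers)
    candidates = ips if mode == "all" else ips[:1]
    return [ip for ip in candidates if is_listed(ip)]
```

With the constructed message, testing every hop flags the home user's address even though the mail arrived from the ISP's relay, while testing only the connecting host does not.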