[Mimedefang] Cross-Post about SA Rule RCVD_IN_DYNABLOCK returning false positives

VonEssen, John VonEssJ at intelihealth.com
Wed Oct 1 12:30:01 EDT 2003


It's definitely an SA topic, but thought there would be some interest
here.

I still don't understand why so much weight would be given to
blacklisting originating IPs of email (not the originating SMTP IP, but
the originating IP of the client sender). For example, according to my
logs, the entire Comcast Cable Modem user group in Philadelphia is being
blacklisted by DYNABLOCK. So every "innocent" soul that sends email
(from their outlook client, etc.,.) is being potentially blocked
somewhere. Blocking Dialup/DSL IPs of users who run their own local SMTP
server for spamming... now that's a different story. But that is not
what DYNABLOCK is doing.

Obviously, I'll just remove the DYNABLOCK test from SA. But like I said,
the last couple of weeks/months have been very annoying given all these
RBL issues. I might drop all of them except for a few (ORBD, SpamCop,
etc.,.) and rely mainly on PYZOR, DCC, and content filters.

-John

-----Original Message-----
From: Kevin A. McGrail [mailto:kmcgrail at pccc.com] 
Sent: Wednesday, October 01, 2003 10:49 AM
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] Cross-Post about SA Rule RCVD_IN_DYNABLOCK
returning false positives

John,

One of the reasons I love SpamAssassin is that it really boils down to a
fabulous scoring system.  While each individual test may not be perfect,
the
combination of all the tests produces one of the lowest false positives
rates possible.  If a test comes along that can determine SPAM/HAM with
greater veracity, it can simply be added to the scoring system and
weighted
accordingly.

Additionally, there is a lot of science of running the combined weights
of
the scoring system against corpuses of known ham and known spam to
compare
these type of things.

However, your question regarding what Dynablock does in SpamAssassin is
it
simply implements an RBL.  So an email comes in and SpamAssassin submits
a
request to Dynablock regarding that emails specifics and receives a yes
or
no.  Dynablocks policy and what that RBL does would be a question for
them,
NOT mimedefang or spamassassin.

Largely their reason to exist is to block dial-up IP addresses.  I don't
believe this needs any flushing per se.  They simply try and maintain
accurate lists of dial-up IPs.  However, again, ask them.

Finally, the default weight as of 2.60 SpamAssassin for this test is 2.6
(no
correlation).  You might find that your SA works better by weighting
this
rule lower by adding score RCVD_IN_DYNABLOCK 1.3 in your configuration.

You might find that RBLs in general are too risky for you and you might
want
to petition for a configuration like ALL_RBL_TESTS 0.50 for a weight
change
to all of them.  We achieve this in a way by typically raising the
default
SPAM threshold to 7.

Regards,
KAM

> I am very confused as to what RCVD_IN_DYNABLOCK does in SpamAssassin.
I
> have been looking at my logs and it appears that a lot of my clients
> email is being tagged with RCVD_IN_DYNABLOCK.
>
> Most of my clients access the internet via Comcast Cable Modem or DSL.
> Is the purpose of DYNABLOCK to record client IP's (i.e. IP addresses
of
> the clients Cable/DSL connection) that are known to be the source of
> SPAM (even though they are only relaying to an SMTP box via Outlook or
> something)? So if some client computer got infected with a worm and it
> started mailing out a bunch of crap (through the ISP's relay server)
the
> client IP would be tagged, and NOT the ISP's relay server.
>
>
> If this is the case, does DYNABLOCK flush out its database of bad
client
> IP's?
>
> I don't know if I agree with the logic of how DYNABLOCK works.
> Obviously, it causes me a headache trying to explain to my clients why
> their mail was not delivered. I'll never get an answer from
> dynablock.easynet.nl as to why my clients IP's were tagged as BAD.
This,
> combined with the DoS attacks on RBLs (which in turn cause the RBLs to
> return false positives), is starting to make me very weary about using
> RBL's - everytime I turn my back I am getting bit in the ass.
>
> Why would we blacklist client IP's who relay mail through an ISP's
mail
> server. Most ISP's are responsible enough to track down serious
spammers
> on their network. And, YES, every once in awhile, a DSL client
computer
> gets infected and starts sending spam - but it is quickly contained.

_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang




More information about the MIMEDefang mailing list