On 07/15/2017 09:42 AM, RW wrote:
On Thu, 13 Jul 2017 18:26:54 -0400
Alex wrote:

Hi,

Are you paying for DCC? I think we're over their limit and they
blacklisted us long ago, lol.

I have my own DCC server joined into the DCC network.

https://www.dcc-servers.net/dcc/

So you only provide spam services for your own users? Or do you pay?

I am classifying about 10K ham and 8K spam each day which I also
use in the masscheck processing (currently on hold).  Since I have
started doing this

Through autolearn?

It is otherwise extremely time-intensive.

Yep.  Again my block threshold is 6.0 in MailScanner and I have
less default trust for FREEMAIL senders.  I also have meta rules
based on FREEMAIL and other hits that add to the score based on
combinations I have seen over the years.

Adjusting many of the default rules disrupts the score balance created
by masschecks, no?

I want to avoid having to juggle scores around, in addition to already
worrying about writing rules that ultimately have the same effect as
existing metas.

   2.2 ENA_DIGEST_FREEMAIL    Freemail account hitting message
digest spam seen by the Internet (DCC, Pyzor, or Razor).

Are you worried about overlap between the checksum systems?

I've enabled DCC again today, and remembered what I don't like about
it. Do you have DCC_CHECK at its default 1.1 score? That's quite high
for something described as "bulk mail" when bulk mail is already
scored very close to 5.0.

And with FREEMAIL_FROM plus DCC_CHECK (or any digest) you
have

1.2 FREEMAIL_FROM
2.2 DCC_CHECK
2.2 ENA_DIGEST_FREEMAIL
0.0 ENA_BAD_SPAM

which is 5.6 points. And judging by the name, at least in some cases,
maybe all:

2.2 ENA_BAD_SPAM_FREEMAIL

which makes 7.8 points. This is something that presumably works for
him, but could cause problems in general.


I was trying to give high-level information on the difference between reputation-based rules and content-based rules and how they can be used in combination. For FREEMAIL, I have found that making the average message score just below the threshold gives the maximum reliability. Since my threshold for blocking is 6.0, I try to get the average FREEMAIL message to score in the 3.0 to 5.0 range. With well-trained BAYES and a few other rules that subtract (BAYES_00, good reputation, etc.), this is working well. When FREEMAIL messages hit DCC and a few other meta rules common in spam, then they will be over 6.0 like mentioned above.

Each person has to examine their mail flow and scoring to determine what will work in their environment, but the concepts should still apply.

1. Create a large list of whitelist_auth and whitelist_from_rcvd for those senders that a) aren't FREEMAIL, b) aren't human mailboxes with potentially compromised passwords, and c) have a valid unsubscribe link/process.
Examples:
whitelist_auth *@*.wayfair.com
whitelist_auth *@*.dunkindonuts.com
whitelist_auth *@mktgdillards.com
whitelist_auth *@*.usaa.com
whitelist_auth *@*.citi.com
whitelist_auth *@*.sophos.com
whitelist_auth *@*.myfedloan.org
whitelist_auth *@*.hiltonhonors.com
whitelist_auth *@*.usatoday.com
whitelist_auth *@*.usbank.com


2.  Enable SHORTCIRCUIT'ing:
shortcircuit USER_IN_WHITELIST on
priority     USER_IN_WHITELIST -400
shortcircuit USER_IN_DEF_WHITELIST on
shortcircuit USER_IN_BLACKLIST on
shortcircuit USER_IN_DKIM_WHITELIST on
shortcircuit USER_IN_DEF_DKIM_WL on
shortcircuit USER_IN_SPF_WHITELIST on
shortcircuit USER_IN_DEF_SPF_WL on

shortcircuit RCVD_IN_RP_CERTIFIED on
shortcircuit RCVD_IN_RP_SAFE on
shortcircuit RCVD_IN_DNSWL_HI on
shortcircuit RCVD_IN_IADB_LISTED on
shortcircuit RCVD_IN_IADB_SPF on
shortcircuit RCVD_IN_IADB_DK on
shortcircuit RCVD_IN_IADB_RDNS on
shortcircuit RCVD_IN_IADB_SENDERID on
shortcircuit RCVD_IN_IADB_OPTIN on

3. Add in extra RBL rules that aren't included with SA. Test these with low scores until comfortable. Lashback, senderscore.org, Mailspike and IVM if you have a subscription.

Once you tweak the above list to your email, you should have the reputation side covered well which will allow content-based checks to help with the rest of the spam. Well-trained Bayes, ClamAV unofficial signatures, DCC, Razor, Pyzor, KAM.cf, custom meta rules, etc. will all help with the rest of the spam and you won't have to constantly react to the latest spam campaign. You will still have to tweak and tune a little but not nearly as much as before.

--
David Jones
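The score stacking RW works through above (1.2 + 2.2 + 2.2 = 5.6, then 7.8 with ENA_BAD_SPAM_FREEMAIL) and the priority/shortcircuit ordering in step 2 of the reply, as an added example that is not part of the thread and not code from either poster: a small Python evaluator for the boolean subset of SpamAssassin's rule syntax (`score`, `meta`, `priority`, `shortcircuit ... on`). The rule names and the 1.2 / 2.2 / 0.0 scores are the ones quoted in the thread; the `ENA_*` meta definitions, the RAZOR2/PYZOR scores and the -100 score for USER_IN_WHITELIST are assumptions made here so that the arithmetic can be reproduced, and the numeric-comparison form of meta rules is deliberately not supported.

```python
import re

# Constructed SpamAssassin rule fragment for this example. FREEMAIL_FROM, DCC_CHECK and
# the ENA_* names with their 1.2 / 2.2 / 0.0 scores are quoted in the thread; the meta
# definitions, the RAZOR2/PYZOR scores and the USER_IN_WHITELIST score are assumptions.
RULES_CF = """
score USER_IN_WHITELIST -100
shortcircuit USER_IN_WHITELIST on
priority USER_IN_WHITELIST -400
score FREEMAIL_FROM 1.2
score DCC_CHECK 2.2
score RAZOR2_CHECK 1.7
score PYZOR_CHECK 1.4
meta ENA_DIGEST_FREEMAIL (FREEMAIL_FROM && (DCC_CHECK || PYZOR_CHECK || RAZOR2_CHECK))
score ENA_DIGEST_FREEMAIL 2.2
meta ENA_BAD_SPAM (DCC_CHECK || PYZOR_CHECK || RAZOR2_CHECK)  # 0-score building block
score ENA_BAD_SPAM 0.0
meta ENA_BAD_SPAM_FREEMAIL (ENA_BAD_SPAM && FREEMAIL_FROM)
score ENA_BAD_SPAM_FREEMAIL 2.2
"""

TOKEN_RE = re.compile(r"\s*(&&|\|\||!|\(|\)|[A-Za-z0-9_]+)")


def tokenize(expr):
    """Split a meta expression into tokens: && || ! ( ) and rule names."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported meta syntax near: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse_meta(tokens):
    """Recursive-descent parser; precedence ! > && > ||.
    AST is nested tuples: ('id', name) | ('not', x) | ('and', a, b) | ('or', a, b)."""
    pos = 0

    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens) or (expected and tokens[pos] != expected):
            raise ValueError(f"expected {expected or 'operand'} at token {pos}")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        node = parse_and()
        while pos < len(tokens) and tokens[pos] == "||":
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while pos < len(tokens) and tokens[pos] == "&&":
            take()
            node = ("and", node, parse_not())
        return node

    def parse_not():
        tok = take()
        if tok == "!":
            return ("not", parse_not())
        if tok == "(":
            node = parse_or()
            take(")")
            return node
        if tok in ("&&", "||", ")"):
            raise ValueError(f"unexpected {tok!r}")
        return ("id", tok)

    ast = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in meta expression")
    return ast


def eval_ast(node, hit):
    """Evaluate an AST against hit(name) -> bool."""
    kind = node[0]
    if kind == "id":
        return hit(node[1])
    if kind == "not":
        return not eval_ast(node[1], hit)
    a, b = eval_ast(node[1], hit), eval_ast(node[2], hit)
    return (a and b) if kind == "and" else (a or b)


def load_rules(cf):
    """Parse the score / meta / priority / shortcircuit lines; ignore everything else."""
    rules = {"score": {}, "meta": {}, "priority": {}, "shortcircuit": set()}
    for raw in cf.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        kw, name, arg = parts
        if kw == "score":
            rules["score"][name] = float(arg.split()[0])  # SA allows 4 score sets; use the first
        elif kw == "meta":
            rules["meta"][name] = parse_meta(tokenize(arg))
        elif kw == "priority":
            rules["priority"][name] = int(arg)
        elif kw == "shortcircuit" and arg == "on":
            rules["shortcircuit"].add(name)
    return rules


def evaluate(rules, base_hits, disabled=()):
    """Return (total, fired) for a message whose non-meta rules in base_hits hit.
    Rules run in priority order (lowest first, as SA does); a hit on a rule marked
    'shortcircuit ... on' stops evaluation. Names in `disabled` never hit, which
    answers "what would this message score without rule X?"."""
    cache = {}

    def hit(name):
        if name in disabled:
            return False
        if name not in cache:
            cache[name] = False  # placeholder breaks self-referencing meta cycles
            if name in rules["meta"]:
                cache[name] = eval_ast(rules["meta"][name], hit)
            else:
                cache[name] = name in base_hits
        return cache[name]

    names = set(rules["score"]) | set(rules["meta"]) | set(base_hits)
    total, fired = 0.0, []
    for name in sorted(names, key=lambda n: (rules["priority"].get(n, 0), n)):
        if not hit(name):
            continue
        fired.append(name)
        total += rules["score"].get(name, 1.0)  # SA's default score for an unscored rule
        if name in rules["shortcircuit"]:
            break
    return round(total, 2), fired


if __name__ == "__main__":
    rules = load_rules(RULES_CF)
    cases = [
        ("freemail + DCC", {"FREEMAIL_FROM", "DCC_CHECK"}, ()),
        ("same, ENA_BAD_SPAM_FREEMAIL disabled", {"FREEMAIL_FROM", "DCC_CHECK"}, ("ENA_BAD_SPAM_FREEMAIL",)),
        ("same sender, but whitelisted", {"FREEMAIL_FROM", "DCC_CHECK", "USER_IN_WHITELIST"}, ()),
    ]
    for label, hits, off in cases:
        total, fired = evaluate(rules, hits, off)
        print(f"{label}: {total} via {fired}")
```

Run as a script it prints the three cases: 7.8 with all four FREEMAIL-related rules stacked, 5.6 with the second meta disabled (RW's two totals), and -100.0 with only USER_IN_WHITELIST in the fired list, because its -400 priority puts it first and `shortcircuit ... on` stops the scan before any DCC or FREEMAIL rule is counted. The `disabled` argument is the cheap way to answer the "does my new meta just duplicate an existing one?" question before touching production scores.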
