On 07/13/2017 05:26 PM, Alex wrote:
Hi,

Are you paying for DCC? I think we're over their limit and they
blacklisted us long ago, lol.

I have my own DCC server joined into the DCC network.

https://www.dcc-servers.net/dcc/

So you only provide spam services for your own users? Or do you pay?


Our DCC server was set up 6+ years ago by a previous mail sysadmin before I started working at my current job. We don't budget or pay anything annually for DCC. We are peered with another DCC server in their network. All I know is that we must keep our current IP address the same to maintain the peering. I have one DCC server that I point my 8 mail filters to.


I am classifying about 10K ham and 8K spam each day which I also use in the
masscheck processing (currently on hold).  Since I have started doing this

Through autolearn?

It is otherwise extremely time-intensive.


Actually I have found some rule combinations and score thresholds that are definitely ham/spam. I have built an iRedMail VM with no RBLs, postscreen, or other MTA optimizations and disabled some things in amavisd-new so spam will get to SA. Ham comes from a subset of my primary SA filters based on SHORTCIRCUIT rules and very low scoring messages.

I set up Inbox rules to move certain messages into ham/spam folders. I have to log in once a day and spend a few minutes quickly reviewing the unread messages and marking them as read. My masscheck and SA learning uses the read folder (Maildir cur directory).

Yep.  Again my block threshold is 6.0 in MailScanner and I have less default
trust for FREEMAIL senders.  I also have meta rules based on FREEMAIL and
other hits that add to the score based on combinations I have seen over the
years.

Adjusting many of the default rules disrupts the score balance created
by masschecks, no?


Correct. Before I knew about the masscheck processing and what it does, I used to adjust the scores on most of the rules, which was time-consuming, just like reactively creating rules for new spam campaigns. A few months ago I removed most of my custom scores on default SA rules and I use meta rules to combine hits on certain rules to add some points.

I want to avoid having to juggle scores around, in addition to already
worrying about writing rules that ultimately have the same effect as
existing metas.

   2.2 ENA_DIGEST_FREEMAIL    Freemail account hitting message digest spam
seen by the Internet (DCC, Pyzor, or Razor).

Are you worried about overlap between the checksum systems?

I've enabled DCC again today, and remembered what I don't like about
it. Do you have DCC_CHECK at its default 1.1 score? That's quite high
for something described as "bulk mail" when bulk mail is already
scored very close to 5.0.


If you follow my logical separation of rules into reputation-based and content-based then DCC, RAZOR, and PYZOR are going to fall into the content side. You still have the reputation rules that will lower the score and offset these DIGEST rules. Plus with many SHORTCIRCUIT'd senders based on whitelist_auth and whitelist_from_rcvd, the trusted/safe bulk senders with a valid unsubscribe process will pass through fine.

How much more effective do you find DCC than PYZOR? That's already
scored at 1.4.


Haven't really had to worry about this with SHORTCIRCUIT'ing and whitelist_auth on the envelope-from domain (SPF_PASS + non-human account domains).

I have no idea.  I just analyzed my mail scoring and noticed combinations
like DCC and FREEMAIL are common in my spam.

That's a good combination.

The ENA_BAD_SPAM rule is a combination of 2 different types (reputation and
content) rules with an AND between them.  For example (this is about
one-third of the rule):

Is it usable like this?


Try it out with a score of 0.001 and see what you think. It should have been valid. Just drop it in and run:

spamassassin -D --lint 2>&1 | /bin/grep -Ei '(failed|undefined dependency|score set for non-existent rule)' | /bin/grep ENA_

You can also run the first section and check for a zero return code. I have a config distribution script that runs the first part above and will not send it out if the return code is not zero.


/etc/mail/spamassassin/99_mailspike.cf
shortcircuit RCVD_IN_MSPIKE_H5 on

score RCVD_IN_MSPIKE_H4 -3.2
score RCVD_IN_MSPIKE_H3 -2.2
score RCVD_IN_MSPIKE_H2 -1.2
score RCVD_IN_MSPIKE_WL -0.82
score RCVD_IN_MSPIKE_BL 1.2
score RCVD_IN_MSPIKE_L2 0.2
score RCVD_IN_MSPIKE_L3 1.2
score RCVD_IN_MSPIKE_L4 2.2
score RCVD_IN_MSPIKE_L5 3.2

The default scores for these rules are all almost 0 when bayes and
network tests are enabled. I've adjusted the L[2-5] rules from 0.2 to
1.2. Took a quick look at a handful of L5 mail and anything higher
would be problematic.

Hope this is helpful.

Thanks, as always.



--
David Jones
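
Added example, not part of the original message and not David's distribution script: one way to gate a rule push on the lint check described above, using both the exit status of spamassassin --lint and the grep filter from the message. The function names, the push command and the sample lint lines are assumptions constructed for illustration; the ENA_ prefix and the grep patterns come from the message.

```shell
#!/bin/sh
# Failure patterns copied from the grep filter in the message.
LINT_FAIL_RE='(failed|undefined dependency|score set for non-existent rule)'

# lint_problems PREFIX: read lint debug output on stdin and print the lines
# that match a failure pattern and mention PREFIX. Prints nothing when clean.
lint_problems() {
    grep -Ei "$LINT_FAIL_RE" | grep -F -- "$1" || true
}

# safe_to_push PREFIX: return 0 only if stdin holds no problem lines.
safe_to_push() {
    problems=$(lint_problems "$1")
    if [ -n "$problems" ]; then
        printf 'refusing to distribute, lint problems:\n%s\n' "$problems" >&2
        return 1
    fi
    return 0
}

# gate_and_push PREFIX CMD...: lint the live config, then run CMD if clean.
# The exit status is captured before any pipe, because in "lint | grep"
# the shell reports grep's status, not spamassassin's.
gate_and_push() {
    prefix=$1; shift
    out=$(spamassassin -D --lint 2>&1) || {
        echo 'spamassassin --lint exited non-zero' >&2
        return 1
    }
    printf '%s\n' "$out" | safe_to_push "$prefix" || return 1
    "$@"
}

# Constructed sample lint output (not captured from a real run).
SAMPLE_BAD="dbg: rules: meta test ENA_BAD_SPAM has undefined dependency ENA_MISSING
warn: config: failed to parse line, skipping: scoer ENA_DIGEST_FREEMAIL 2.2
dbg: rules: meta test OTHER_RULE has undefined dependency FOO
dbg: config: read file /etc/mail/spamassassin/99_mailspike.cf"

SAMPLE_CLEAN="dbg: config: read file /etc/mail/spamassassin/99_mailspike.cf
dbg: rules: compiled meta tests for ENA_DIGEST_FREEMAIL"

# Usage (push_rules.sh is a hypothetical distribution command):
#   gate_and_push ENA_ ./push_rules.sh
```

Filtering on a prefix hides failures in rules outside it (the OTHER_RULE line in the sample), so the exit-status check is what catches a broken config elsewhere.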