[Mimedefang] Cross-Post about SA Rule RCVD_IN_DYNABLOCK returning false positives

Kevin A. McGrail kmcgrail at pccc.com
Wed Oct 1 10:50:01 EDT 2003


John,

One of the reasons I love SpamAssassin is that it really boils down to a
fabulous scoring system.  While each individual test may not be perfect, the
combination of all the tests produces one of the lowest false positive
rates possible.  If a test comes along that can determine SPAM/HAM with
greater veracity, it can simply be added to the scoring system and weighted
accordingly.

Additionally, there is a lot of science in running the combined weights of
the scoring system against corpuses of known ham and known spam to compare
these types of things.

However, to answer your question regarding what Dynablock does in
SpamAssassin: it simply implements an RBL.  So an email comes in and
SpamAssassin submits a request to Dynablock regarding that email's specifics
and receives a yes or no.  Dynablock's policy and what that RBL does would be
a question for them, NOT mimedefang or spamassassin.

Largely their reason to exist is to block dial-up IP addresses.  I don't
believe this needs any flushing per se.  They simply try and maintain
accurate lists of dial-up IPs.  However, again, ask them.

Finally, the default weight as of SpamAssassin 2.60 for this test is 2.6 (no
correlation).  You might find that your SA works better by weighting this
rule lower by adding "score RCVD_IN_DYNABLOCK 1.3" to your configuration.

You might find that RBLs in general are too risky for you and you might want
to petition for a configuration like "ALL_RBL_TESTS 0.50" for a weight change
to all of them.  We achieve this in a way by typically raising the default
SPAM threshold to 7.

Regards,
KAM

> I am very confused as to what RCVD_IN_DYNABLOCK does in SpamAssassin. I
> have been looking at my logs and it appears that a lot of my clients'
> email is being tagged with RCVD_IN_DYNABLOCK.
>
> Most of my clients access the internet via Comcast Cable Modem or DSL.
> Is the purpose of DYNABLOCK to record client IPs (i.e. IP addresses of
> the clients' Cable/DSL connection) that are known to be the source of
> SPAM (even though they are only relaying to an SMTP box via Outlook or
> something)? So if some client computer got infected with a worm and it
> started mailing out a bunch of crap (through the ISP's relay server) the
> client IP would be tagged, and NOT the ISP's relay server.
>
>
> If this is the case, does DYNABLOCK flush out its database of bad client
> IPs?
>
> I don't know if I agree with the logic of how DYNABLOCK works.
> Obviously, it causes me a headache trying to explain to my clients why
> their mail was not delivered. I'll never get an answer from
> dynablock.easynet.nl as to why my clients' IPs were tagged as BAD. This,
> combined with the DoS attacks on RBLs (which in turn cause the RBLs to
> return false positives), is starting to make me very wary about using
> RBLs - every time I turn my back I am getting bit in the ass.
>
> Why would we blacklist client IPs who relay mail through an ISP's mail
> server. Most ISPs are responsible enough to track down serious spammers
> on their network. And, YES, every once in a while, a DSL client computer
> gets infected and starts sending spam - but it is quickly contained.
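The re-scoring exercise KAM describes above (run the combined weights against known ham and known spam, then either lower RCVD_IN_DYNABLOCK with "score RCVD_IN_DYNABLOCK 1.3" or raise the spam threshold to 7) carried out on a small labelled corpus of X-Spam-Status headers. This is an added example; it is not code from this post, from MIMEDefang or from SpamAssassin. Every per-rule score except RCVD_IN_DYNABLOCK's 2.6 (the SA 2.60 default the post quotes), the corpus headers, and the use of required_hits as the 2.x threshold directive name are assumptions made for the example.

```python
"""Re-score a labelled corpus of X-Spam-Status headers under candidate
SpamAssassin weight changes, to see the false-positive / false-negative
trade-off before the change goes into local.cf.

Added example, not part of the mailing-list post or of SpamAssassin.
ASSUMED: all rule scores below except RCVD_IN_DYNABLOCK (2.6, the SA 2.60
default quoted in the post), the corpus headers (constructed, not real mail),
and 'required_hits' as the 2.x spelling of the threshold directive.
"""
import re

# Constructed per-rule score table (assumed values, not SA defaults, apart
# from RCVD_IN_DYNABLOCK which the post gives as 2.6 in SA 2.60).
DEFAULT_SCORES = {
    "RCVD_IN_DYNABLOCK": 2.6,
    "RCVD_IN_SBL": 3.0,
    "FORGED_OUTLOOK_HTML": 2.0,
    "SUBJ_ALL_CAPS": 1.5,
    "BIZ_TLD": 1.0,
    "DATE_IN_PAST": 1.0,
    "MIME_HTML_ONLY": 0.5,
    "HTML_MESSAGE": 0.1,
}

RBL_RULES = ("RCVD_IN_DYNABLOCK", "RCVD_IN_SBL")  # RBL-backed rules in the table above

# Constructed corpus: (label, X-Spam-Status header in the SA 2.6x 'hits=' form).
# The two flagged hams model cable/DSL clients relaying HTML mail through their ISP.
CORPUS = [
    ("ham",  "X-Spam-Status: Yes, hits=6.2 required=5.0 tests=RCVD_IN_DYNABLOCK,HTML_MESSAGE,FORGED_OUTLOOK_HTML,SUBJ_ALL_CAPS version=2.60"),
    ("ham",  "X-Spam-Status: Yes, hits=5.2 required=5.0 tests=RCVD_IN_DYNABLOCK,HTML_MESSAGE,MIME_HTML_ONLY,FORGED_OUTLOOK_HTML version=2.60"),
    ("ham",  "X-Spam-Status: No, hits=0.1 required=5.0 tests=HTML_MESSAGE version=2.60"),
    ("spam", "X-Spam-Status: Yes, hits=8.7 required=5.0 tests=RCVD_IN_DYNABLOCK,RCVD_IN_SBL,SUBJ_ALL_CAPS,BIZ_TLD,MIME_HTML_ONLY,HTML_MESSAGE version=2.60"),
    ("spam", "X-Spam-Status: Yes, hits=6.1 required=5.0 tests=RCVD_IN_SBL,DATE_IN_PAST,FORGED_OUTLOOK_HTML,HTML_MESSAGE version=2.60"),
]

# Accepts both the 2.x 'hits=' and the 3.x 'score=' spelling of the header.
STATUS_RE = re.compile(
    r"(?:hits|score)=(?P<hits>-?[\d.]+)\s+required=(?P<req>[\d.]+)\s+tests=(?P<tests>\S*)"
)


def parse_tests(header):
    """Return the list of rule names recorded in an X-Spam-Status header."""
    m = STATUS_RE.search(header)
    if m is None:
        raise ValueError("not an X-Spam-Status header: %r" % header)
    return [t for t in m.group("tests").split(",") if t]


def rescore(tests, scores, overrides=None):
    """Sum the rule scores for one message, applying any 'score RULE n'
    overrides on top of the base table.  Rules absent from the table count 0."""
    effective = dict(scores)
    effective.update(overrides or {})
    return round(sum(effective.get(t, 0.0) for t in tests), 1)


def evaluate(corpus, scores, overrides=None, threshold=5.0):
    """Count false positives (ham at or above threshold) and false negatives
    (spam below it) for one candidate setting."""
    fp = fn = 0
    for label, header in corpus:
        flagged = rescore(parse_tests(header), scores, overrides) >= threshold
        if flagged and label == "ham":
            fp += 1
        elif not flagged and label == "spam":
            fn += 1
    return {"false_positives": fp, "false_negatives": fn}


def render_local_cf(overrides, threshold):
    """Emit the local.cf lines for a chosen setting.  'score RULE n' is the
    syntax the post quotes; 'required_hits' is assumed to be the 2.x name of
    the threshold directive (3.x spells it required_score)."""
    lines = ["score %s %.1f" % (rule, value) for rule, value in sorted(overrides.items())]
    lines.append("required_hits %g" % threshold)
    return "\n".join(lines)


if __name__ == "__main__":
    candidates = {
        "SA 2.60 defaults, threshold 5": ({}, 5.0),
        "RCVD_IN_DYNABLOCK lowered to 1.3": ({"RCVD_IN_DYNABLOCK": 1.3}, 5.0),
        "defaults, threshold raised to 7": ({}, 7.0),
        "all RBL rules scored 0": ({r: 0.0 for r in RBL_RULES}, 5.0),
    }
    for name, (overrides, threshold) in candidates.items():
        print("%-36s %s" % (name, evaluate(CORPUS, DEFAULT_SCORES, overrides, threshold)))
    print(render_local_cf({"RCVD_IN_DYNABLOCK": 1.3}, 7.0))
```

On this constructed corpus lowering the single rule removes both false positives without losing any spam, whereas raising the threshold to 7 also clears the false positives but lets one spam through, and zeroing every RBL rule misses two; the point is that each candidate local.cf change is measured against your own ham and spam before it is deployed, rather than argued about in the abstract.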
