[Mimedefang] DNS Lookups in MD - Was RBL and DNS lookups

Jeff Rife mimedefang at nabs.net
Tue May 15 17:29:37 EDT 2007


On 15 May 2007 at 10:47, Kevin A. McGrail wrote:

> > Is it worth it for 0.01 point in SA?  What about 0.1?  In other words,
> > how many messages have you rejected because of SA scoring that hit this
> > test *and* have a score between "reject" and "reject +
> > score_for_missing_pointer"?  I run this analysis for every expensive
> > test, and so far none filter more than 1% of bad e-mail that would not
> > otherwise have already been filtered.
> 
> For me, I get AT LEAST 5000 spams a day.  1% of 5000 is not "expensive" as 
> it saves 50 junk emails from my inbox.

If you get 5000 e-mails a day addressed to you that score as spam, then 
you have problems such that cutting 50 out just isn't going to help.

> I do not recommend using SA scores to block email.  SPAM is in the eye of 
> the beholder and 10 is too low IMO.

Without lots of extra rules or changes in scoring, it takes a *lot* of 
"spammy" indicators to get to a score of 10 in SA.  And, it really 
takes some crap to get to 15.  At that threshold, I'd only see a 1% 
increase in delivered spam, yet I can damn near guarantee that 
everything 15+ is utter crap.

> > But, for expensive tests (and reverse DNS is very expensive in this
> > case, since you tend to have to do uncached lookups for every new
> > zombie machine), unless they are *very* accurate (i.e., no false
> > positive/negative) and *very* indicative (i.e., can be assigned a high
> > SA score or used to reject outright), they tend to be something that
> > just won't scale well to large volumes of e-mail.
> 
> We'll agree to disagree and I'll continue as-is.  I believe these
> tests such as pathway analysis, reverse DNS, URI lists, etc. may
> soon be the only truly effective anti-SPAM techniques available.

We keep hearing about how none of the "failure to follow SMTP rules" 
blocking techniques are going to be useless soon...I've heard that for 
5 years now, and greylisting, strict HELO syntax checking, greet_pause, 
and connection rate/count limiting still seem to manage to stop all but 
a tiny percentage of spam.

> However, you should consider joining the SA project if you are this
> adamant about it because it might be more helpful than attacking
> just me. 

I'm not attacking you...I'm asking you to step back and take a look at 
ways that might result in you having to only score 500 messages instead 
of 5000, and end up with only 2-3 delivered to you instead of 20-30.


--
Jeff Rife |  
          | http://www.nabs.net/Cartoons/Dilbert/SalesToFriends.gif 
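
The analysis described in the quoted text above (count the messages that hit an expensive test and whose score falls between the reject threshold and the threshold plus that test's score), as an added example that is not part of the original post. The log format, the rule name `MISSING_PTR`, the scores and the thresholds are all constructed for illustration.

```python
import re

# Constructed sample lines (not a real SpamAssassin or MIMEDefang log format):
# final score followed by the names of the rules that fired.
SAMPLE_LOG = """\
score=23.4 tests=BAYES_99,MISSING_PTR,URIBL_BLACK
score=10.4 tests=BAYES_99,MISSING_PTR
score=9.1 tests=HTML_MESSAGE,MISSING_PTR
score=15.0 tests=BAYES_99,URIBL_BLACK
score=10.9 tests=MISSING_PTR,MIME_HTML_ONLY
score=31.7 tests=BAYES_99,URIBL_BLACK,MISSING_PTR
score=2.0 tests=HTML_MESSAGE
score=12.2 tests=BAYES_99
"""

LINE_RE = re.compile(r"^score=(-?\d+(?:\.\d+)?)\s+tests=(\S*)$")

def parse(log_text):
    """Yield (score, set_of_rule_names) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m.group(1)), set(filter(None, m.group(2).split(",")))

def marginal_rejects(log_text, rule, rule_score, reject_at):
    """Count rejections that exist only because `rule` fired.

    A message counts when it hit the rule and its score lies in
    [reject_at, reject_at + rule_score): take away the rule's points
    and it would have been delivered.
    """
    rejected = only_by_rule = 0
    for score, tests in parse(log_text):
        if score < reject_at:
            continue  # delivered anyway, not part of the rejected set
        rejected += 1
        if rule in tests and score - rule_score < reject_at:
            only_by_rule += 1
    share = only_by_rule / rejected if rejected else 0.0
    return rejected, only_by_rule, share

if __name__ == "__main__":
    # Hypothetical rule worth 1.0 point, reject threshold of 10.
    rejected, only, share = marginal_rejects(SAMPLE_LOG, "MISSING_PTR", 1.0, 10.0)
    print(f"{only} of {rejected} rejections ({share:.1%}) depend on the rule")
```

Running the same function with `rule_score=0.01` shows how narrow the band becomes when the rule is scored that low.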




