On 02/17/2014 09:44 PM, Kevin A. McGrail wrote:
On 2/17/2014 3:30 PM, Joe Sniderman wrote:
On 02/17/2014 02:35 PM, Greg Troxel wrote:

I have had a number of experiences complaining about spam from
whitelisted hosts, and (with the exception of hostkarma, which is not
in the default ruleset) found many of my experiences to be
unsatisfactory, to the point that they were escalated to publicly
discussing the issue.
Regarding this problem generally, yeah it's an issue, especially with one
whitelist in particular, that is NOT the ISIPP/IADB.
Specifics will help especially if this is a default rule with SA. Even
saying FNs from RCVD_IN_IADB isn't specific enough because there are 25
rules in play here.  Which one hit?

If the score is minor, don't be surprised if I (or the project) don't
care because our goal is that when taken CUMULATIVELY, the email is
properly classified.  Not every test is perfect.
Regarding ISIPP/IADB in particular, I'd be hard-pressed to call it a
whitelist. IMHO it would be more accurate to call it a combined
whitelist and blacklist... or a reputation list, or something.
I just call them DNSBLs but IADB is generally classified as a sender
reputation system.  But I see your point on the nuance.


Now, with regards to the OP's spam sample, the IADB related tests that
fired were:
So, regarding ISIPP/IADB, I don't think the DNSxL operator is to blame
for any FNs, nor doing anything improper. Rather, I'd say maybe the
scoring defaults should be tweaked a little bit.
Your debate points make sense to me.  These are the default scores. Feel
free to open a ticket and discuss what you think the scores should be:


score RCVD_IN_IADB_DK 0 -0.223 0 -0.095 # n=0 n=1 n=2
score RCVD_IN_IADB_DOPTIN_GT50 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_DOPTIN_LT50 0 -0.001 0 -0.001 # n=0 n=1 n=2
score RCVD_IN_IADB_EDDB 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_EPIA 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_GOODMAIL 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_LISTED 0 -0.380 0 -0.001 # n=0 n=2
score RCVD_IN_IADB_LOOSE 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_MI_CPEAR 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_MI_CPR_30 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_MI_CPR_MAT 0 -0.332 0 -0.000 # n=0 n=1 n=2
score RCVD_IN_IADB_NOCONTROL 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_OOO 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_OPTIN 0 -2.057 0 -1.470 # n=0 n=1 n=2
score RCVD_IN_IADB_OPTIN_GT50 0 -1.208 0 -0.007 # n=0 n=2
score RCVD_IN_IADB_OPTIN_LT50 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_OPTOUTONLY 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_RDNS 0 -0.167 0 -0.235 # n=0 n=1 n=2
score RCVD_IN_IADB_SENDERID 0 -0.001 0 -0.001 # n=0 n=2
score RCVD_IN_IADB_SPF 0 -0.001 0 -0.059 # n=0 n=2
score RCVD_IN_IADB_UNVERIFIED_1 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_UNVERIFIED_2 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_UT_CPEAR 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_UT_CPR_30 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_UT_CPR_MAT 0 -0.095 0 -0.001 # n=0 n=1 n=2


for those wanting to disable this without tweaking a ton of rules

in SA 3.4.x  *ONLY* use in local.cf

dns_query_restriction deny isipp.com
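
Added example, not part of the original thread and not SpamAssassin's own code: a Python sketch that parses `score` lines like those quoted above (a subset is embedded), expands a single value to all four score sets, and sums a list of hits per score set to show the cumulative effect the thread discusses. The hit list is constructed for illustration, and the names `parse_scores`, `cumulative` and `SAMPLE_HITS` are hypothetical.

```python
import re

# Subset of the default score lines quoted in the thread above.
SCORES_CF = """\
score RCVD_IN_IADB_DK 0 -0.223 0 -0.095 # n=0 n=1 n=2
score RCVD_IN_IADB_EDDB 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_LISTED 0 -0.380 0 -0.001 # n=0 n=2
score RCVD_IN_IADB_OPTIN 0 -2.057 0 -1.470 # n=0 n=1 n=2
score RCVD_IN_IADB_OPTIN_GT50 0 -1.208 0 -0.007 # n=0 n=2
score RCVD_IN_IADB_RDNS 0 -0.167 0 -0.235 # n=0 n=1 n=2
score RCVD_IN_IADB_SPF 0 -0.001 0 -0.059 # n=0 n=2
"""

# Order of the four values on a SpamAssassin score line (score sets 0..3).
SET_NAMES = ("no net, no Bayes", "net, no Bayes", "no net, Bayes", "net + Bayes")

def parse_scores(text):
    """Return {rule: (s0, s1, s2, s3)} from SpamAssassin 'score' lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop the trailing comment
        m = re.match(r"score\s+(\S+)\s+(.+)$", line)
        if not m:
            continue
        vals = [float(v) for v in m.group(2).split()]
        if len(vals) == 1:
            vals *= 4                            # one value applies to every score set
        if len(vals) != 4:
            raise ValueError(f"expected 1 or 4 scores: {raw!r}")
        table[m.group(1)] = tuple(vals)
    return table

def cumulative(table, hits):
    """Sum the scores of the rules in `hits` for each of the four score sets."""
    return tuple(round(sum(table[h][i] for h in hits), 3) for i in range(4))

# Constructed hit list for illustration; NOT the tests that fired on the OP's sample.
SAMPLE_HITS = ["RCVD_IN_IADB_LISTED", "RCVD_IN_IADB_OPTIN",
               "RCVD_IN_IADB_SPF", "RCVD_IN_IADB_RDNS"]

if __name__ == "__main__":
    table = parse_scores(SCORES_CF)
    for name, total in zip(SET_NAMES, cumulative(table, SAMPLE_HITS)):
        print(f"{name:18s} {total:+.3f}")
```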



