Posted to users@spamassassin.apache.org by Michael Scheidell <sc...@secnap.net> on 2008/01/06 19:49:46 UTC

Patches for DCC.pm for Commercial Reputation scores

I am looking for people who want to try patches for the DCC plugin that 
can look at and score emails from the commercial version of DCC.
The one that implements the commercial 'reputation' values.

(If you don't know what I mean, you don't have it)

Currently, the DCC.pm filter will return a true or false, depending on 
if the 'fuzzy checksums' of the email you just received are already 
listed in the dcc database.
The commercial version also implements a reputation score of the sending 
ip address.
It keeps a percentage of 'spam vs ham' based on all of the dcc agents 
that check the database.

These patches can be used two ways:
Patch #1 will also allow you to set a percentage 'score' to also trigger 
the check_dcc() (or DCC_CHECK) rule.
For example, if you set it to 90 (90%) that means that you want to score 
the DCC_CHECK score on every email from any server that 90% of the 
emails are 'bulk' according to the DCC server.
(you set dcc_rep_score 90 in local.cf)

Patch #2 allows you to selectively score emails based on the reputation 
RANGES, similar to razor ranges or Bayesian ranges.
something in local.cf like:
full DCC_CHECK70 eval:check_dcc_rep('70','')
score DCC_CHECK70 7.0
describe DCC_CHECK70 The email sent from the IP address of the first untrusted ip address is 70% bulk email.

full DCC_CHECK0 eval:check_dcc_rep('','1')
score DCC_CHECK0 -1.0
describe DCC_CHECK0 No spam has been seen from this ip address in the last few days.

Why this? Why not RBLs? OK, you can use them (I do), but checking a 
commercial DCC server using dccifd is a lot faster than checking RBLs.

(see: http://www.dcc-servers.net/dcc/reputations.html  there are 
currently over 1 million ip addresses in the database)

I am the official ports maintainer of the FreeBSD SpamAssassin port, and 
I might put this patch in as an optional 'knob' for the next update.

Note: these patches should be 100% upward compatible, i.e., if you don't 
put a dcc_rep_score in local.cf or don't enable new rules that implement 
the check_dcc_rep() function, it should not change your scores at all.  
Also note that it does absolutely nothing for you if you don't have and 
are not paying for the commercial DCC product.

I will send these patches to anyone who emails me from a valid corporate 
account (I will NOT send them to freebie and 'home' ISP accounts like 
hotmail, gmail, yahoo, rr, bellsouth, etc.)
If you can use this patch, you are running your own mail servers and 
either run your own DCC server, or you contract with someone to access a 
commercial dcc server.

I won't add you to our email list (since I am assuming that most people 
using the commercial DCC service are in business selling or supporting 
anti-spam systems)
Eventually, after testing and feedback, I will send these patches to 
the Apache/SpamAssassin group.

-- 
Michael Scheidell, CTO
SECNAP Network Security




