10 Sep 2010 
Support Center » Knowledgebase » MPP Spam Scores
 MPP Spam Scores
Solution

MPP Spam Scores

Introduction

“Spam Scoring" feature allows to define decision-making logic when multiple tests for spam are in executed. Administrator assigns score value for each test. Tests are executed and for each test that returns true total score is incremented by corresponding value assigned for the test. Administrator defines threshold values for total score for MPP to decide whether a message is spam.   MPP currently can aggregate the results of RBL's, SPF, Content expressions, SURBL or other URI checking sites and spam scanners.  MPP custom spam scoring accepts both positive and negative scores for things like contextual white or black listing.

Some common uses for this feature include content based white lists, content based black lists, markheader action for RBL violations or to avoid making a spam decision on the results on a single test.

 

Use-case View

This section contains brief description of the features from usage point of view

Enable Spam Scoring

To enable Spam Scoring MPP_SPAM_SCORE_ENABLE should be used. If Spam Scoring is not enabled then old “first match�? scheme for making a decision is used.

Assign Score for RBL site

For each RBL site defined with RBL_SITES option Administrator specifies score to be added to total score value when corresponding site reports client host IP as suspicious. This is done with MPP_SPAM_SCORE_RBL options.

Assign Score for Spam Scanner

For each spam scanner and spam level detected by this scanner Administrator specifies score to be added to total score when corresponding condition occur. This is done with MPP_SPAM_SCORE_SCANNER options.

Define Thresholds for Total Score

Total score is mapped to resulting (final) spam level. Administrator specifies mapping with MPP_SPAM_SCORE_TOTAL_THRESHOLD options. Resulting spam level is used by MPP to make spam decision.

Optimization for Highest Threshold

Total score can only grow. If it reaches highest threshold defined with one of MPP_SPAM_SCORE_TOTAL_THRESHOLD options message is considered to be spam and further processing can be optimized off depending on optimization options (OPTIMIZE_SPAMSCAN_UNTIL_SPAM, ... ).

Structural View

MPP_SPAM_SCORE_ENABLE - XML option that specifies whether to enable Spam Scoring. Otherwise old “first match�? scheme will be used. The option is inheritable.

Value: yes | no
Default: no

MPP_SPAM_SCORE_RBL - XML option that specifies spam score for each RBL site. Site is specified with “site�? attribute which is DNS of the site. Site should be from the list defined with RBL_SITES option. The option is inheritable.

Attributes: site=�?DNS of site�?
Value: integer
Default: 1
Example:
<mpp_spam_score_rbl site=�?example.com�?>5</mpp_spam_score_rbl>

MPP_SPAM_SCORE_SCANNER - XML option that specifies spam score for each spam scan engine and level of spam detected with this engine. Engine is specified with “engine�? attribute, level – with “level�? attribute. The option is inheritable.

Attributes: engine=�?spamassassin | cloudmark | commtouch | mailshell | cybersoft�?  level=�?low | medium | high�?
Value: integer
Default: 1 for low, 2 for medium, 3 for high
Example:
	<mpp_spam_score_scanner engine=�?mailshell�? level=�?low�?>7</mpp_spam_score_scanner>

MPP_SPAM_SCORE_TOTAL_THRESHOLD - XML option that specifies mapping between total score and resulting spam level. Spam level is specified with “level�? attribute. The option is inheritable.

Attributes: level=�?low | medium | high�?
Value: integer
Default: if no option at all: 1 – low, 2 – medium, 3 – high
Example:
	<mpp_spam_score_total_threshold level=�?low�?>10</mpp_spam_score_total_threshold_level>

Example

MPP version 3.4 is minimum requirement for "Spam Scores". Sample options defined in mppd.conf.xml.

<group id="default">
...
      <spam_action type="low">marksubject</spam_action>
      <spam_action type="medium">quarantine</spam_action>
      <spam_action type="high">discard</spam_action>
...
      <mpp_spam_score_enable>yes</mpp_spam_score_enable>
      <mpp_spam_score_scanner engine="mailshell" level="high">5</mpp_spam_score_scanner>
      <mpp_spam_score_scanner engine="cloudmark" level="high">5</mpp_spam_score_scanner>
      <mpp_spam_score_scanner engine="commtouch" level="high">5</mpp_spam_score_scanner>
      <mpp_spam_score_scanner engine="spamassassin" level="high">5</mpp_spam_score_scanner>
      <mpp_spam_score_scanner engine="mailshell" level="medium">3</mpp_spam_score_scanner>
      <mpp_spam_score_scanner engine="cloudmark" level="medium">3</mpp_spam_score_scanner>
      <mpp_spam_score_scanner engine="commtouch" level="medium">3</mpp_spam_score_scanner>
      <mpp_spam_score_scanner engine="spamassassin" level="medium">3</mpp_spam_score_scanner>
      <mpp_spam_score_scanner engine="mailshell" level="low">1</mpp_spam_score_scanner>
      <mpp_spam_score_scanner engine="cloudmark" level="low">1</mpp_spam_score_scanner>
      <mpp_spam_score_scanner engine="commtouch" level="low">1</mpp_spam_score_scanner>
      <mpp_spam_score_scanner engine="spamassassin" level="low">1</mpp_spam_score_scanner>
      <mpp_spam_score_total_threshold level="high">10</mpp_spam_score_total_threshold>
      <mpp_spam_score_total_threshold level="medium">6</mpp_spam_score_total_threshold>
      <mpp_spam_score_total_threshold level="low">2</mpp_spam_score_total_threshold>
      <mpp_spam_score_rbl site="bl.spamcop.net">3</mpp_spam_score_rbl>
...
</group>


Article Details
Article ID: 11
Created On: 12 Jan 2008 12:33 AM

 This answer was helpful  This answer was not helpful

 User Comments Add a Comment
 Back
 Login [Lost Password] 
Email:
Password:
Remember Me:
 
 Search
 Article Options
 Add Comment
 Print Article
 PDF Version
 Email Article
 Add to Favorites
Home | Register | Submit a Ticket | Knowledgebase | Downloads
Language: