Spam Weather Log Analyzer (SPWX) for Declude now available!
Idea shared by Linda Pagillo - 5/11/2018 at 10:39 AM
Proposed
We here at Mail's Best Friend have received several requests from SmarterMail users to create a utility which can analyze Declude logs and provide detailed statistics in reference to which RBLs, tests and filters within Declude are working best on your server to catch the most spam with the least amount of false-positives. Our new utility is called Spam Weather Log Analyzer (SPWX). If you are interested in learning more about SPWX, please check out the following link: https://store.mailsbestfriend.com/product/spwx-log-analyzer/. Please reach out to me at linda.pagillo@mailsbestfriend.com and for a limited time, I can offer you a discount coupon. Thanks.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 

5 Replies

Hi everyone. I have some useful info to share with you that we discovered today using our SPWX program.
 
Need to know:  MBF suggests the removal of the DSN test from your Declude global.cfg
 
DSN                                       RHSBL   dsn.rfc-clueless.org                        127.0.0.2              3              0
 
Detailed Explanation:  Domains are listed in the dsn.rfc-clueless.org zone based on the following: delivery status notifications for failed delivery attempts are sent from a null address ("<>"), which must be supported according to STD10 and its subsequent forms. Failure to accept mail from the null address could cause undue burden for other postmasters, and is eligible for listing. Rejecting delivery status notifications is usually caused by a misconfiguration in the mail server itself rather than being domain-specific. For this reason, domains that share an MX record with another domain already listed will also be automatically listed. RFC 2505 (Anti-Spam Recommendations) reiterates the necessity of accepting mail to the null address.
 
MBF data shows that in the majority of cases in which this test triggers, it is a false-positive, most likely because legitimate mail servers are not abiding by RFC 2505. This test only adds 3 points to the final score and, considering it is incorrect more than 50% of the time, MBF suggests that this test does not add sufficient value to the overall weighting and should be removed from the global.cfg; see the data snippet below:
 
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
Linda,
 
The Spam Weather Log Analyzer is a nice tool. We've been doing something similar in our anti-spam audits manually using grep and then playing with the piped data in a spreadsheet. This tool would be a great time-saver for us (and allow us to monitor the effectiveness of our anti-spam tests more frequently than once a year). Hopefully management will see how much payroll time it could save and allow us to purchase a license.
 
Also, nice catch on dsn.rfc-clueless.org. We disabled fulldom.rfc-clueless.org and dsn.rfc-clueless.org in spring of 2016 because of too many false positives. However, postmaster.rfc-clueless.org, abuse.rfc-clueless.org, and bogusmx.rfc-clueless.org are still giving us good results (not sure how useful whois.rfc-clueless.org is going to be going forward once WHOIS is made private after the GDPR).
Thank you! I appreciate your interest in SPWX. Please let me know if you have any questions about it and I will be happy to answer them for you. Take care!
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
Hi guys. More interesting data for you:
 
Need to know:  This test requires Message Sniffer. MBF suggests a minimum weight of 25 or more for SNIFFER-TRUNCATE in your Declude global.cfg
 
SNIFFER-TRUNCATE        external               020         "[FULL PATH]\SNFClient.exe"     25           0
 
Detailed Explanation:  The statistics indicate with high certainty that any messages triggered by this test are spam or malware. Emerging threats are often detected more quickly on Truncate than on other lists, but Truncate isn't designed to catch everything. It has a short memory. It's also extremely good at avoiding false positives because Message Sniffer has an extremely low false positive rate and Truncate only skims a tiny fraction of that data.
 
MBF data shows that this test has an extremely high level of accuracy.  With > 99.3% accuracy, this test can be set at 25+ in your Declude global.cfg; see the data snippet below:
 
SS - How many times did the test indicate spam and the final result agreed. Test says Spam and result was Spam. We call this an accurate spam indication.
SH - How many times did the test indicate spam and the final result disagreed. Test says Spam, but the result was Ham. We call this a false positive.
%OfSpam - Percent of Spam Accurately Tagged. As a percentage, how often did this spam test fire when the overall result was spam. This is a good measure of how much this test contributed to spam results.
 
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
Hi everyone! Here is more useful data for you:
 
Need to know:  Consider using DNSWL to help identify good email. The configuration is as follows in your Declude global.cfg file:
 
DNSWL       IP4R       list.dnswl.org         *             -5            0
 
Detailed Explanation:  dnswl.org maintains a database of IP addresses which are grouped into "DNSWL Records" providing lookups for email reputation to protect against false positives. Users doing more than 100’000 DNS queries on their free public nameserver infrastructure or reselling their data as part of a commercial service need to get a subscription to download their data and serve it locally.
 
MBF statistics indicate that when DNSWL identifies the IP address as valid, it is correct 80-90% of the time. With this level of accuracy, we would suggest giving emails that trigger this test a credit anywhere from -5 to -10.
 
HH - How many times did the test indicate ham and the final result agreed. Test says Ham and result was Ham. We call this an accurate ham indication.
HS - How many times did the test indicate ham and the final result disagreed. Test says Ham, but the result was Spam. We call this a false negative.
HA - Ham Test Accuracy. Any time a test provides a negative weight it is acting as a ham test. The accuracy of that test is calculated as a Bayesian estimate of the probability that when the test fires the message is actually ham.
HQ - Ham Test Quality. If a ham test ever fires when the overall result disagreed (HS) then there is a probability that this was a false positive. Again, not a certainty -- and watch out for the terminology. We're talking about a ham test here, so in this case a false positive is when the test says it is ham but it turns out to be spam. Most of us are used to thinking the other way around. Here again we take the Bayesian estimate of an accurate result (HA) and use the probability of a false positive to reduce that number. P(HA) * (1 - P(FP)).
 
 
 
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
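The SS/SH/%OfSpam counters defined in the SNIFFER-TRUNCATE post and the HH/HS/HA/HQ counters defined in the DNSWL post are straightforward to compute once a log has been reduced to "which tests fired, and what was the final verdict". The script below is an added illustration, not SPWX or Declude code, and it does not read real Declude logs: the record format (message id, SPAM/HAM verdict, and a NAME:WEIGHT list of fired tests, separated by `|`) is a constructed simplification, and the sample records are made up. Positive weights are treated as spam tests and negative weights as ham tests, matching the thread's definitions. The thread calls HA a "Bayesian estimate" without giving a formula, so the Laplace smoothing used for HA here is an assumption; HQ follows the stated P(HA) * (1 - P(FP)).

```python
"""Per-test accuracy statistics from Declude-style log records.

Added example, not SPWX or Declude code. The log format is a constructed
simplification: one record per message, '|'-separated: message id, final
verdict (SPAM or HAM), and a comma-separated list of the tests that fired
as NAME:WEIGHT. Positive weight = spam test, negative weight = ham test.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (not real Declude output).
SAMPLE_LOG = """\
msg001|SPAM|SNIFFER-TRUNCATE:25,DSN:3
msg002|HAM|DSN:3,DNSWL:-5
msg003|SPAM|SNIFFER-TRUNCATE:25
msg004|HAM|DNSWL:-5
msg005|HAM|DSN:3
msg006|SPAM|DNSWL:-5
msg007|HAM|DNSWL:-5
msg008|SPAM|SNIFFER-TRUNCATE:25
"""


@dataclass
class TestCounts:
    weight: int = 0
    ss: int = 0  # spam test fired and verdict was SPAM (accurate)
    sh: int = 0  # spam test fired and verdict was HAM (false positive)
    hh: int = 0  # ham test fired and verdict was HAM (accurate)
    hs: int = 0  # ham test fired and verdict was SPAM (ham false positive)


def parse_log(text):
    """Yield (verdict, {test_name: weight}); skip blank or malformed records."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3 or parts[1] not in ("SPAM", "HAM"):
            continue
        fired = {}
        for item in parts[2].split(","):
            name, sep, weight = item.rpartition(":")
            if not sep:
                continue
            try:
                fired[name] = int(weight)
            except ValueError:
                continue  # malformed weight: ignore this entry
        yield parts[1], fired


def analyze(text):
    """Return {test_name: metrics} using the thread's SS/SH/%OfSpam and HH/HS/HA/HQ definitions."""
    counts = defaultdict(TestCounts)
    total_spam = 0
    for verdict, fired in parse_log(text):
        if verdict == "SPAM":
            total_spam += 1
        for name, weight in fired.items():
            c = counts[name]
            c.weight = weight
            if weight >= 0:  # spam test
                if verdict == "SPAM":
                    c.ss += 1
                else:
                    c.sh += 1
            elif verdict == "HAM":  # ham test
                c.hh += 1
            else:
                c.hs += 1

    report = {}
    for name, c in counts.items():
        if c.weight >= 0:
            fires = c.ss + c.sh
            report[name] = {
                "SS": c.ss,
                "SH": c.sh,
                "accuracy": c.ss / fires if fires else 0.0,      # share of firings that were right
                "%OfSpam": 100.0 * c.ss / total_spam if total_spam else 0.0,
            }
        else:
            fires = c.hh + c.hs
            # HA: P(ham | test fired), Laplace-smoothed (assumed formula).
            ha = (c.hh + 1) / (fires + 2)
            p_fp = c.hs / fires if fires else 0.0  # ham-test false positive rate
            report[name] = {"HH": c.hh, "HS": c.hs, "HA": ha, "HQ": ha * (1 - p_fp)}
    return report


def low_accuracy_spam_tests(report, threshold=0.5):
    """Spam tests wrong at least as often as they are right: candidates for removal."""
    return sorted(n for n, m in report.items() if "SS" in m and m["accuracy"] < threshold)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for name, metrics in result.items():
        print(name, metrics)
    print("consider removing:", low_accuracy_spam_tests(result))
```

On the constructed sample, DSN fires three times and is right once, so `low_accuracy_spam_tests` flags it, which mirrors the reasoning in the DSN post; SNIFFER-TRUNCATE is right every time it fires. A real run needs enough messages for the percentages to mean anything, and `%OfSpam` is only comparable across tests drawn from the same log window.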