On Sun, 2010-02-28 at 23:37 +0000, João Gouveia wrote: > Please note that the scores are just an example. I'm not really sure > what would be appropriate for the general user.
Re-scoring would tell us. > ----- "Karsten Bräckelmann" <[email protected]> wrote: > > On Sun, 2010-02-28 at 01:40 +0000, João Gouveia wrote: > > > http://mailspike.org/anubis/implementation_sa.html > > > > I guess the rule definitions are slightly broken. After all, the ZBI > > meta especially is meant to counter multiple hits. However, since the > > plain Z eval() rule does not have a score assigned, it still *does* get > > a default score of 1.0. > > Nice catch. It should be __RCVD_IN_MSPIKE_Z instead. I'll fix that right away. You missed the tflags RCVD_IN_MSPIKE_Z setting in that change. Anyway, now the logic is much more straight forward. We got L[345] bad reputation. And then there is ZBI, which translates to a current spam wave from a sender listed with *no* previous (long term) reputation, or better than L3. Given the current example scores, this means a short term ZBI listing equals a long-term very bad reputation -- regardless of the long term reputation otherwise. No, wait. It does *not* raise the score for L[34] listed IPs... > As for the bad/neutral senders, I see your point. What logic would you > suggest instead? The basic premises are: Well, it depends on what these listings actually mean. And statistics, which is what ruleqa tells you. However, given the above thoughts, here is a quick attempt at the logic. Note that it is late here, I am tired, and didn't really think through the changed situation. Use a pound of salt. meta L5 __L5 && !Z meta L4 __L4 && !Z meta L3 __L3 && !Z See what I am heading at? A current outbreak, Z, overrules any long term reputation. It is bad. Now. Whatever it is and will be long term. Fall back to the (lower scored?) L[345] only, if there is no evidence of a current outbreak. A quick shot at it. I might change my mind after some sleep and a coffee. Or three. > > What listing and scoring logic did you actually mean? Feel free to give > > a verbal rather than logic expression. :) > > If you didn't understand the logic, than I'd say that it's probably wrong :-) > The goal was simply not to penalize too much bad senders that are > listed both in L3-5 and Z. Right. The above is a quick shot at using Z -- or, in the absence of a Z listing, use L[345] long term reputation. In other words, being bad right now does not necessarily have a severe impact on the long term reputation. But it is bad. Now. guenther -- char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
