I noticed that 2.5% of wt-en1's spam was hitting DNSWL_HI. I asked him about it, and it turned out that it was all cases where he had set up forwarding from another server and not added it to trusted_networks (he then deleted them). I suspect this is true of others:
RCVD_IN_DNSWL_HI: SPAM% 2.0785 bb-jhardin 0.3802 kgolding 0.1582 bernie-mix 0.1186 grenier 0.0065 <- average RCVD_IN_DNSWL_MED: SPAM% 20.2532 bernie-mix 2.0408 darxus 1.5012 bb-jhardin 1.0186 jarif 0.4615 wt-en1 0.3802 kgolding 0.3363 bb-guenther_fraud 0.3109 bb-jhardin_fraud 0.2372 grenier 0.0550 <- average Interesting that I showed up second on this list. I found a bunch of stuff I'm not happy with. One of them was an interesting spam that showed up on a private mailing list, apparently the result of a trojan or something, so I thought it would be good to feed it to razor, spamcop, DCC, etc. But it didn't occur to me that I'd also be reporting the mailing list server, because I don't have it listed as a trusted relay, because I generally don't report spam from mailing lists. A bunch of them were from old spams I got from the [email protected] mailing list. I ended up just removing my old spam from mass checks, based on the log-grep-recent recommendations on http://wiki.apache.org/spamassassin/RescoreMassCheck - 6 months for spam, 38 months for ham. (Surely that 38 was meant to be 36?) I'd like to get that age filtration into auto-mass-check. I'm really curious how other people think spam from mailing lists should be handled. Should mailing list servers all be listed as trusted_networks? Or should spam from a mailing list be counted against the list server in DNSWL? Of the 108 spams since October 19th that I'm now running through mass-check, the DNSWL hits are: 0 high, 2 medium, 1 low, 25 none. Which I think is reasonable, given that I reject anything SA thinks is spam, so this is only the false negatives. -- "I would believe only in a God that knows how to Dance." - Nietzsche http://www.ChaosReigns.com
