If we added the last untrusted relay IP to the lines in the mass-check logs, we could use the data to calculate the percentage of emails from each IP which is spam vs. ham, and then make SA rules to trigger on varying percentage ranges.
Is this something you're interested in, or would accept a patch for? In more detail: * Add last untrusted relay IP to mass-check logs (very dependent on everybody configuring trusted_networks correctly). * Filter out IPs that show up fewer times than some threshold in the mass-check data? * Calculate the percentage of email from each IP address which is ham. * Create rules based on those percentages, something like "this list of IPs had a spam rate in the range of 80%-90%". * Run those tests through the rescorer with everything else. * Publish them via sa-update. -- "I don't want to die... just yet... not while there's... women." - J. Matthew Root, 8/23/02 (http://www.jmrart.com/) http://www.ChaosReigns.com
