http://bugzilla.spamassassin.org/show_bug.cgi?id=1375
------- Additional Comments From [EMAIL PROTECTED] 2004-01-24 13:52 ------- I've implemented the previous patch, though only checking against "actual" RBLs. Ruling out entire countries and ISPs is a wee bit dicey for a corporate environment. Out of 417 spams (past 2+ days) HOSTED_SBL 319 (76%) HOSTED_SPEWS_L1 291 (70%) HOSTED_SPEWS_L2 295 (71%) HOSTED_HABEAS_VIOLATOR 0 ( 0%) Now we define VBAD as "SBL || SPEWS_L1 || HABEAS_VIOLATOR" And MBAD as "SPEWS_L2 && !VBAD" HOSTED_VBAD 325 (78%) HOSTED_MBAD 4 ( 1%) Let's see how RCVD_ rules match: RCVD_IN_SBL 166 (40%) RCVD_IN_SPEWS_L1 166 (40%) RCVD_IN_SPEWS_L2 169 (41%) HABEAS_VIOLATOR 2 ( 0%) And now to find out how this matches up with RCVD_ checks. HOSTED_SBL && !RCVD_IN_SBL 160 (38%) HOSTED_SPEWS_L1 && !RCVD_IN_SPEWS_L1 137 (33%) So, we can more or less conclude that people that spam from SBLed MTAs also host their sites on SBLed web servers. But the hit rate of checking URIs is twice that of sender checks. There is however a bit of a problem with the scoring, imo. SPEWS L1 and SBL lists much of the same: HOSTED_SBL && HOSTED_SPEWS_L1 285 out of a possible 291 So, I'm using the following scoring to avoid too many RBL-only false positives: score HOSTED_SBL 0.5 score HOSTED_SPEWS_L1 0.5 score HOSTED_HABEAS_VIOLATOR 0.5 describe MY_HOSTED_VBAD Contains URIs hosted in SBL/SPEWSL1/HABEASVIO locations meta MY_HOSTED_VBAD HOSTED_SBL || HOSTED_SPEWS_L1 || HOSTED_HABEAS_VIOLATOR score MY_HOSTED_VBAD 2.0 score HOSTED_SPEWS_L2 0.01 describe MY_HOSTED_MBAD Contains URIs hosted in SPEWSL2 locations meta MY_HOSTED_MBAD ( HOSTED_SPEWS_L2 ) && !MY_HOSTED_VBAD score MY_HOSTED_MBAD 1.0 Of course, there's a similar problem with FPs in sender lookups and URI IP lookups (quite likely), but that's for another bug. ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
