Justin suggested separating these out into separate rules. I'm not sure it's really worth it based on the low S/O ratio of the hits. Using the connecting IP seems to work much better.
The S/O left is the S/O ratio of the hits lost by moving to -firsttrusted. I already switched RCVD_IN_XBL, RCVD_IN_DSBL, and RCVD_IN_RFC_IPWHOIS to use the -firsttrusted logic based on their RANK improvement. Note that we did lose a fair number of spam hits, but I'm not sure it's much of a loss given the HAM% drop that went along. Also remember that we'd be doing significantly more DNS queries to get these few hits. sorted by RANK improvement: RULE SPAM% drop S/O left RANK improvement RCVD_IN_RFCI -2.619900 0.678695 0.300000 // switched already RCVD_IN_XBL -0.896100 0.697734 0.230000 // switched already RCVD_IN_DSBL -2.187200 0.835511 0.230000 // switched already RCVD_IN_NJABL_PROXY -0.966300 0.830583 0.160000 RCVD_IN_SORBS_MISC -0.717400 0.779274 0.150000 RCVD_IN_BL_SPAMCOP_NET -0.343200 0.685167 0.130000 RCVD_IN_SORBS_DUL -0.524400 0.775625 0.110000 RCVD_IN_SORBS_HTTP -0.679700 0.875113 0.090000 RCVD_IN_SBL -0.438300 0.900370 0.030000 // maybe keep as-is? RCVD_IN_SORBS_SOCKS -0.042300 0.735652 0.010000 RCVD_IN_SORBS_SMTP -0.191400 0.926428 0.010000 RCVD_IN_RSL -0.243800 0.975590 0.010000 // maybe keep as-is? RCVD_IN_NJABL_RELAY -0.006600 0.420382 0.010000 RCVD_IN_SORBS_WEB -0.029600 0.829132 0.000000 RCVD_IN_NJABL_SPAM -0.219400 0.935209 0.000000 RCVD_IN_SORBS_ZOMBIE -0.200100 0.942978 -0.080000 __RCVD_IN_SORBS -3.328100 0.178927 0.390000 __RCVD_IN_NJABL -1.712600 0.436509 0.370000 __RCVD_IN_SBL_XBL -1.220800 0.736531 0.200000 sorted by S/O left: RULE SPAM% drop S/O left RANK improvement RCVD_IN_RSL -0.243800 0.975590 0.010000 RCVD_IN_SORBS_ZOMBIE -0.200100 0.942978 -0.080000 RCVD_IN_NJABL_SPAM -0.219400 0.935209 0.000000 RCVD_IN_SORBS_SMTP -0.191400 0.926428 0.010000 RCVD_IN_SBL -0.438300 0.900370 0.030000 RCVD_IN_SORBS_HTTP -0.679700 0.875113 0.090000 RCVD_IN_DSBL -2.187200 0.835511 0.230000 RCVD_IN_NJABL_PROXY -0.966300 0.830583 0.160000 RCVD_IN_SORBS_WEB -0.029600 0.829132 0.000000 RCVD_IN_SORBS_MISC -0.717400 0.779274 0.150000 RCVD_IN_SORBS_DUL -0.524400 0.775625 0.110000 RCVD_IN_SORBS_SOCKS -0.042300 0.735652 0.010000 RCVD_IN_XBL -0.896100 0.697734 0.230000 RCVD_IN_BL_SPAMCOP_NET -0.343200 0.685167 0.130000 RCVD_IN_RFCI -2.619900 0.678695 0.300000 RCVD_IN_NJABL_RELAY -0.006600 0.420382 0.010000 __RCVD_IN_SBL_XBL -1.220800 0.736531 0.200000 __RCVD_IN_NJABL -1.712600 0.436509 0.370000 __RCVD_IN_SORBS -3.328100 0.178927 0.390000 (I'm not showing RCVD_IN_NJABL_DIALUP because the data is old due to changing over to the new dynablock zone at NJABL.) -- Daniel Quinlan http://www.pathname.com/~quinlan/
