> > This may not be representative but I found that the rest of the FPs
> > could have been avoided with
> >
> > && (FREEMAIL_FROM || !DKIM_VALID_AU)
> >
> > the spam rarely hits DKIM_VALID_AU unless it's freemail.

Actually a decent portion of spam is sent with DKIM_VALID_AU, either from spammer-owned domains or from hacked servers. But you might not see them in SA if they are blocked at MTA level with blacklists.

> > One thing to watch out for is mismatches between Unicode and punycode
> > versions of the same address. The above rule only targets ASCII
> > domains in the display field for that reason.