John Hardin <jhar...@impsec.org> writes:

> On Fri, 19 Jun 2020, micah anderson wrote:
>
>> So, what can I do to tweak these rules to score things up more,
>> specifically the rules that provide a low false positive rate[1]. This
>> seems something that should be done programmatically, and not
>> manually. It seems like what 'masscheck' maybe does generically for all
>> rules for all installations, but can I use that to just adjust our rules
>> for our particular breed of spam that comes through?
>
> How about: analyze your spamtrap for recent source IP addresses on a
> quick schedule (hourly?) and drive a local DNSBL from IPs seen more than
> 2-3 times in the last 24-48 hours?

Interesting possibility... but if I look at the current batch that made
it through, I see:

1. amazon aws
2. gmail (amusingly saying my amazon prime membership is going to expire)
3. mailchimp
4. yahoo.com

all of those would not be good to block :(

It's not always like that, but it does happen.

--
micah
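
The spamtrap-driven DNSBL suggested above, combined with an exemption list for shared senders of the kind named in the reply, as an added example that is not part of either poster's message. The zone name, the threshold of 3 hits, the exempt range (documentation address space standing in for provider ranges) and the sample hits are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ZONE = "spamtrap.dnsbl.example"  # hypothetical local DNSBL zone name
# Stand-in range (RFC 5737 documentation space) for shared senders that must
# never be listed, such as large mail providers and bulk-mail services.
EXEMPT_NETS = [ip_network("198.51.100.0/24")]

def select_ips(hits, now, window_hours=48, min_hits=3, exempt=EXEMPT_NETS):
    """Return IPv4 addresses seen at least min_hits times inside the window,
    skipping any address that falls in an exempt network."""
    cutoff = now - timedelta(hours=window_hours)
    counts = Counter(ip for ts, ip in hits if cutoff <= ts <= now)
    listed = []
    for ip, n in counts.items():
        addr = ip_address(ip)
        if n >= min_hits and not any(addr in net for net in exempt):
            listed.append(addr)
    return [str(a) for a in sorted(listed)]

def zone_records(ips, zone=ZONE):
    """Render A records under the reversed-octet names DNSBL clients query."""
    records = []
    for ip in ips:
        rev = ".".join(reversed(ip.split(".")))
        records.append(f"{rev}.{zone}. IN A 127.0.0.2")
    return records

# Constructed sample: (time seen, connecting IP) pairs from a spamtrap log.
NOW = datetime(2020, 6, 19, 12, 0)
SAMPLE_HITS = (
    [(NOW - timedelta(hours=h), "203.0.113.7") for h in (1, 5, 30)]        # repeat source
    + [(NOW - timedelta(hours=h), "198.51.100.25") for h in (2, 3, 4, 6)]  # shared sender
    + [(NOW - timedelta(hours=h), "192.0.2.99") for h in (1, 60, 70)]      # mostly expired
)

if __name__ == "__main__":
    for line in zone_records(select_ips(SAMPLE_HITS, NOW)):
        print(line)
```

Run hourly, this regenerates the zone from scratch, so an address drops off the list once its hits age out of the window.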