On Sun, 9 May 2021, RW wrote:

PDS_FROM_2_EMAILS is similar to what the plugin does, but it contains
exclusions that, amongst other things, reduce matches on mail from
actual mail servers.  It includes "&& !__DKIM_EXISTS", so it's useless in
the case where <j...@example.com> is from an account or mail-system
abused to gain a DMARC pass.

That was done because only (or mostly) masscheck corpora ham was hitting that combination.

overlap ham: 95% of __PDS_FROM_2_EMAILS hits also hit __DKIM_EXISTS; 1% of __DKIM_EXISTS hits also hit __PDS_FROM_2_EMAILS (spam 6%)

Excluding DKIM_VALID_AU is a little better from the POV of not ignoring spam, but it excludes less ham:

overlap ham: 72% of __PDS_FROM_2_EMAILS hits also hit DKIM_VALID_AU; 1% of DKIM_VALID_AU hits also hit __PDS_FROM_2_EMAILS (spam 2%)

...possibly because fewer sites sign the author?


If you want to build a meta rule regarding a from name mismatch, you should be using the raw __PDS_FROM_2_EMAILS subrule, **not** the FP-reduced scored rule PDS_FROM_2_EMAILS.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
-----------------------------------------------------------------------
 Today: the 76th anniversary of VE day
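
How asymmetric overlap figures like those quoted above arise, and what a "&& !rule" exclusion leaves of the raw subrule's hits, as an added example that is not part of the original message or of SpamAssassin's masscheck tooling. The corpus, its counts and the helper names are constructed for illustration.

```python
# Added example: reading "overlap" figures and the effect of an exclusion.
# The corpus below is constructed; it is not masscheck data.

F = "__PDS_FROM_2_EMAILS"   # raw subrule named in the message
D = "__DKIM_EXISTS"         # rule used as the exclusion


def build_corpus():
    """Constructed sample: one (label, rules_hit) pair per message."""
    corpus = []
    corpus += [("ham", frozenset({F, D}))] * 19    # signed ham hitting F
    corpus += [("ham", frozenset({F}))] * 1        # unsigned ham hitting F
    corpus += [("ham", frozenset({D}))] * 1880     # signed ham, no F hit
    corpus += [("ham", frozenset())] * 100         # neither rule
    corpus += [("spam", frozenset({F}))] * 94      # unsigned spam hitting F
    corpus += [("spam", frozenset({F, D}))] * 6    # signed spam hitting F
    corpus += [("spam", frozenset({D}))] * 20      # signed spam, no F hit
    return corpus


def overlap(corpus, label, a, b):
    """Return (% of a hits that also hit b, % of b hits that also hit a)."""
    rows = [rules for lbl, rules in corpus if lbl == label]
    a_hits = sum(1 for r in rows if a in r)
    b_hits = sum(1 for r in rows if b in r)
    both = sum(1 for r in rows if a in r and b in r)

    def pct(n, d):
        return round(100 * n / d) if d else 0

    return pct(both, a_hits), pct(both, b_hits)


def hits_after_exclusion(corpus, label, rule, exclusion):
    """Return (raw hits of rule, hits left for `rule && !exclusion`)."""
    rows = [rules for lbl, rules in corpus if lbl == label]
    raw = sum(1 for r in rows if rule in r)
    kept = sum(1 for r in rows if rule in r and exclusion not in r)
    return raw, kept


if __name__ == "__main__":
    c = build_corpus()
    print("ham overlap (F->D, D->F):", overlap(c, "ham", F, D))
    print("ham  raw/kept:", hits_after_exclusion(c, "ham", F, D))
    print("spam raw/kept:", hits_after_exclusion(c, "spam", F, D))
```

In this sample the exclusion drops 19 of 20 ham hits, and the 6 signed spam messages it also drops are the case RW describes, which is why a meta rule about that case has to start from the raw subrule.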
