SELECT ip, count(ip) AS rows FROM awl GROUP BY ip ORDER BY rows DESC LIMIT 10
After doing a little more research I found that the scores (totscore/count) of those rows were often very high. A lot in the range 10-30 points. The number of rows containg my network was about 4% of the total number of rows in the table
This really did worry so I decided to put on some debugging.
This is what I found..
May 8 00:26:44 mailscan3 spamd[3013]: debug: received-header: relay 212.71.66.104 trusted? yes internal? yes
[... and then a little later ...]
May 8 00:26:46 mailscan3 spamd[3013]: debug: SQL Based AWL: Connected to DBI:mysql:spamassassin:localhost
May 8 00:26:46 mailscan3 spamd[3013]: debug: auto-whitelist (sql-based) get_addr_entry: No entry found for [EMAIL PROTECTED]|ip=212.71
May 8 00:26:46 mailscan3 spamd[3013]: debug: auto-whitelist (sql-based): [EMAIL PROTECTED]|ip=212.71 scores 0/0
May 8 00:26:46 mailscan3 spamd[3013]: debug: auto-whitelist (sql-based) get_addr_entry: No entry found for [EMAIL PROTECTED]|ip=none
May 8 00:26:46 mailscan3 spamd[3013]: debug: auto-whitelist (sql-based): [EMAIL PROTECTED]|ip=none scores 0/0
May 8 00:26:46 mailscan3 spamd[3013]: debug: AWL active, pre-score: 23.178, autolearn score: 23.178, mean: undef, IP: 212.71.66.104
May 8 00:26:46 mailscan3 spamd[3013]: debug: auto-whitelist (sql-based) add_score: Created new entry for [EMAIL PROTECTED]|ip=212.71 with totscore: 23.178
I found several similar cases in my debug-logs: # zcat mail-20050509.gz | grep -c 'AWL active.*undef, IP: 212.71.66.104' 255 # zcat mail-20050508.gz | grep -c 'AWL active.*undef, IP: 212.71' 203 # zcat mail-20050509.gz | grep -c 'AWL active.*undef, IP:' 13487
How can that happen? Anybody else here with the same experience?
Arvinn