Mark Martinec writes:
> > > > 2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois:
> > > > sender on bogons IP block [102.176.29.76 listed in
> > > > combined-HIB.dnsiplists.completewhois.com]
> > > I wonder why score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1 ?
> > > (unlike RCVD_IN_WHOIS_INVALID and RCVD_IN_WHOIS_HIJACKED...
> >
> > almost non-existent hits. rules/STATISTICS-set3.txt :
> > 0.000 0.0007 0.0000 1.000 0.51 0.00 RCVD_IN_WHOIS_BOGONS
> > that's like 6 out of nearly a million spams.
>
> It seems like a waste to actually send out a query against a
> combined-HIB.dnsiplists.completewhois.com, but then ignore
> its result (apparently the score did help with the OP spam).
>
> The HIJACKED, BOGONS, and INVALID share the same RBL and
> only one query is sent out if any of these three rules is
> nonzero. Setting RCVD_IN_WHOIS_BOGONS to 0 saves no resources.

well, it saves a little -- even running the rule has a tiny overhead. But not much, granted.

The more serious issue is that the GA/perceptron cannot give a rule a reasonable score unless a useful number of hits are listed in the mass-check run, to base the score estimation on. In the case of RCVD_IN_WHOIS_BOGONS, there's just not enough data to guess what its score should be.

--j.