RW wrote:
I think it might be worth having 2 XBL tests, a high scoring test on
last-external and a lower-scoring test that goes back through the
untrusted headers.
I understand that Spamhaus doesn't recommend this, because dynamic IP
addresses can be reassigned from a spambot to another user, but I added
my own rule it does seem to work. In my mail it hits about 9% of my
spam, with zero false-positives. I suspect that part of this is down to
UK dynamic addresses being very sticky, but I ran my mailing lists
through SA for a few weeks and got 3 FPs out of ~2400.
I do a very similar thing and see very similar results to yours.
I use zen.spamhaus to block at the smtp level and then run all headers
through sbl-xbl for a further few points. As already mentioned elsewhere
in this thread, it will occasionally fire against ham but I've only
noticed that from senders to mailing lists who originate from extremely
spammy ISPs (ie, they hit plenty of other DNSBLs too).
Where I find it particularly useful is for mail accounts forwarding from
ISP email addresses where checking of the last external IP would be
inappropriate.
I think it's probably worth a point or so, and essentially it's free
- all of the zen lookups get done for SBL.
