Hello,

I'm getting a lot of FPs from FH_FAKE_RCVD_LINE_B RCVD line looks faked (B) since the default score for this rule is a whopping 4.000.

It's matching on this header:

Received: from 68.103.178.110 by webmail.east.cox.net; Mon, 28 Jun 2010 18:02:23 -0400

This rule matches the ISP Cox Communication residential customers using their webmail service. For now I've made a rule negating FH_FAKE_RCVD_LINE_B RCVD for Cox, but will someone educate me as to what it is that makes this header look faked?

For reference, here's the (probably wrapped) rule:

Received =~ /from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s*by\s*[a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz);\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}/i

Thanks!

--
Mike
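Added example, not part of the original post and not SpamAssassin code: the regex quoted above is split into consecutive pieces to show which structural features of a Received value it requires, and where a differently shaped header stops matching. The stage labels and the two non-Cox header values are constructed for illustration; the pieces are run with Python's `re`, which treats this pattern the same way as the Perl original.

```python
import re

# The page's FH_FAKE_RCVD_LINE_B regex, split into consecutive pieces.
# The labels are this example's own wording, not SpamAssassin's.
STAGES = [
    ("bare IPv4 directly after 'from'",
     r"from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),
    ("'by <host>' directly after the IP",
     r"\s*by\s*[a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz)"),
    ("';' directly after the host (no with/id/for clause)",
     r";"),
    ("date and zone directly after ';'",
     r"\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}"
     r"\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}"),
]
RULE = "".join(piece for _, piece in STAGES)  # identical to the quoted regex


def first_failed_stage(received):
    """Return the label of the first piece that cannot match, or None on a hit."""
    prefix = ""
    for label, piece in STAGES:
        prefix += piece
        # The rule is unanchored and case-insensitive (/i), so search with re.I.
        if not re.search(prefix, received, re.I):
            return label
    return None


# Header value quoted in the post, then constructed variants (RFC 5737 addresses).
COX = ("from 68.103.178.110 by webmail.east.cox.net; "
       "Mon, 28 Jun 2010 18:02:23 -0400")
MTA_STYLE = ("from mail.example.org (mail.example.org [192.0.2.10]) "
             "by mx1.east.example.net (Postfix) with ESMTP id 4F2A1C; "
             "Mon, 28 Jun 2010 18:02:23 -0400")
WITH_CLAUSE = ("from 192.0.2.10 by webmail.east.example.net with HTTP; "
               "Mon, 28 Jun 2010 18:02:23 -0400")

if __name__ == "__main__":
    for name, value in [("cox", COX), ("mta", MTA_STYLE), ("with", WITH_CLAUSE)]:
        print(name, "->", first_failed_stage(value) or "rule hits")
```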