On 11/09/16 22:10, Alex wrote:
>> COMMIT/trunk/rules/50_scores.cf
>>
>> Committed revision 1760066.
>>
>> score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
>>
>> should show up after next SA update
>
> Has RCVD_IN_SORBS_WEB been considered for adjustment as well? It's
> hitting a lot more ham than spam here, including mail from facebook.
Over the last four months I've seen a fair number of false positives from RCVD_IN_SORBS_WEB, including Facebook, Google, HaveIBeenPwned and various legit servers. A Facebook example:

145.144.220.66.dnsbl.sorbs.net. 3600 IN TXT "Exploitable Server See: http://www.sorbs.net/lookup.shtml?66.220.144.145"

The rule scored 3.253 in November, which has fallen to 2.034 now. This still seems high for an RBL, particularly one that does deep parsing, i.e. isn't -lastexternal, and hits end users (not servers) listed in the x-originating-ip header. To be fair, it is hitting some malware and carder spam too, but not much that would otherwise be missed.

The list is described as:

web.dnsbl.sorbs.net - List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)
Note: This zone now includes non-webserver IP addresses that have abusable vulnerabilities.

I've reduced the score on my installation to 0.5.

Would this kind of thing be prevented by more people contributing to the mass checks? Or could it be adjusted downwards as Alex suggested?

CK
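The point CK raises is that a DNSBL rule without -lastexternal tests every address it can find in the headers, including the end user's client address in X-Originating-IP, not just the last relay that handed the message to your MX. The following Python is an added example written for this page, not code from the thread or from SpamAssassin itself: it unfolds a constructed set of headers, splits the candidate addresses into the "last external" relay and the "deep" set, builds the reversed-octet query name for the web.dnsbl.sorbs.net zone named in the post, and resolves each against a constructed in-memory stand-in for the DNSBL TXT answers (a real deployment would do a DNS lookup there). The sample headers, the example.org/example.net hostnames, the 203.0.113.10 and 198.51.100.77 addresses and the fake listing are all constructed for the example.

```python
import ipaddress
import re

ZONE = "web.dnsbl.sorbs.net"

# Constructed sample headers (not from the post). The topmost Received line is the
# most recent hop; X-Originating-IP names the submitting end user's client address.
SAMPLE_HEADERS = """\
Received: from mx.example.org (mx.example.org [203.0.113.10])
        by mail.example.net with ESMTP; Fri, 09 Sep 2016 22:10:00 +0100
Received: from webmail.example.org (localhost [127.0.0.1])
        by mx.example.org with ESMTP; Fri, 09 Sep 2016 22:09:58 +0100
X-Originating-IP: [198.51.100.77]
From: someone@example.org
Subject: test
"""

# Constructed stand-in for DNSBL TXT answers, keyed by query name. Only the end-user
# address is "listed", which is exactly the case the post complains about.
FAKE_DNSBL_TXT = {
    "77.100.51.198.web.dnsbl.sorbs.net":
        "Exploitable Server See: http://www.sorbs.net/lookup.shtml?198.51.100.77",
}

# Addresses that must never be sent to a public DNSBL (loopback / RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

BRACKETED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BARE_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the octets and append the zone: 66.220.144.145 -> 145.144.220.66.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def unfold_headers(raw):
    """Return (name, value) pairs with RFC 5322 continuation lines joined."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip().lower(), value.strip()])
    return [(n, v) for n, v in fields]


def is_internal(ip):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def candidate_ips(raw):
    """Split addresses into what -lastexternal would test versus what deep parsing tests.

    lastexternal: the first non-internal relay in the Received chain (topmost first).
    deep: every other Received address plus X-Originating-IP.
    """
    received, originating = [], []
    for name, value in unfold_headers(raw):
        if name == "received":
            received.extend(BRACKETED_IP_RE.findall(value))
        elif name == "x-originating-ip":
            originating.extend(BARE_IP_RE.findall(value))
    external = [ip for ip in received if not is_internal(ip)]
    last_external = external[:1]
    deep = [ip for ip in received if ip not in last_external] + originating
    return {"lastexternal": last_external, "deep": deep}


def dnsbl_hits(raw, zone=ZONE, lookup=FAKE_DNSBL_TXT.get):
    """Query each candidate and report which mode produced each listing hit."""
    hits = {}
    for mode, ips in candidate_ips(raw).items():
        for ip in ips:
            if is_internal(ip):
                continue  # internal hops are skipped, as a real rule would
            txt = lookup(dnsbl_query_name(ip, zone))
            if txt:
                hits.setdefault(mode, []).append((ip, txt))
    return hits


if __name__ == "__main__":
    for mode, entries in dnsbl_hits(SAMPLE_HEADERS).items():
        for ip, txt in entries:
            print(f"{mode:12} {ip:16} {txt}")
```

Run against the constructed headers, the relay that actually delivered the message (203.0.113.10) is clean and the only hit comes from the deep set, via X-Originating-IP. That is the shape of false positive described above: a listing of the sender's own client address, which says nothing about the relay your MX talked to. The local remedy CK applied is a `score RCVD_IN_SORBS_WEB 0.5` line in local.cf, which keeps the rule's evidence visible in the report while removing its weight.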