On Tue, 6 Feb 2018 11:38:42 -0500 Alex wrote:
> On Tue, Feb 6, 2018 at 8:44 AM, David Jones <djo...@ena.com> wrote:
> > ustomer's compromised accounts.
> >
> > Leave out the RCVD_IN_BRBL rule above and change the
> > RCVD_IN_BRBL_LASTEXT score to 1.4 to keep things the same.
>
> If you think the RCVD_IN_BRBL rule is a good one, I'd like to use it,
> and while I've implemented much of your approach, I can't implement
> all of it.

I've been doing deep XBL checks for years (they come free with the zen look-ups). Initially I found that they did have a low FP rate, but that's changed as more of my mail comes through mobile (cellular) networks that use NAT to support millions of users on thousands of IPv4 addresses. I'm seeing about 10% of ham submitted from these networks hitting my deep XBL rule.

> Can I also ask again about reasonable RCVD_IN_LASHBACK and
> RCVD_IN_LASHBACK_LASTEXT scores?

If you're going to create deep versions of more than one list it doesn't make sense to score them individually. The dominant cause of FPs on such rules is dynamic IP address reuse; being in more than one list doesn't say anything about that. Allowing a large score to build up from multiple deep rules is reckless.
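
One way to express the "don't score deep rules individually" point in SpamAssassin configuration, as an added example that is not part of the original message. It assumes RCVD_IN_BRBL and RCVD_IN_LASHBACK are already defined elsewhere as the deep checks named in the thread; the meta rule name DEEP_DNSBL_ANY and all score values are constructed placeholders.

```conf
# Added example, not from the thread. Assumes RCVD_IN_BRBL and
# RCVD_IN_LASHBACK are existing deep (all untrusted relays) DNSBL rules.
# DEEP_DNSBL_ANY is a hypothetical name; scores are placeholder values.

# Stacking form: each deep rule carries its own score, so one reused
# dynamic IP that sits on both lists contributes 2.0 in total.
#score RCVD_IN_BRBL      1.0
#score RCVD_IN_LASHBACK  1.0

# Capped form: the individual rules only act as inputs to the meta.
# Use a near-zero score, not 0: a zero score disables the rule and the
# meta below would never fire.
score RCVD_IN_BRBL      0.001
score RCVD_IN_LASHBACK  0.001

# One combined rule, one score, no matter how many deep lists hit.
meta     DEEP_DNSBL_ANY  (RCVD_IN_BRBL || RCVD_IN_LASHBACK)
describe DEEP_DNSBL_ANY  Relay listed on at least one deep DNSBL
tflags   DEEP_DNSBL_ANY  net
score    DEEP_DNSBL_ANY  1.0
```

Running `spamassassin --lint` after the change catches a meta that depends on a zero-scored or undefined rule.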