On Mon, 30 Jul 2018 11:58:48 +0200
Matus UHLAR - fantomas wrote:

> On 28.07.18 18:13, RW wrote:
> >Most -lastexternal lists are mixed dynamic/static. Deep checks should
> >be, and mostly are, lists for exploitable servers or IP addresses
> >under the control of spammers (or very spam friendly ISPs).
> >
> >RCVD_IN_BL_SPAMCOP_NET seems to be an anomaly.  
> 
> spamcop does list IPs that send spam. It does not care whether static
> or dynamic, mailserver or open proxy.

It doesn't care because it's intended to be used as an MTA blocklist
where it won't see any legitimate mail direct from dynamic addresses.

Spamcop looks deep to avoid listing intermediate service providers, and
so the most relevant organization can be alerted to the abuse. 


> If you want to be 100% sure, you can split RCVD_IN_BL_SPAMCOP_NET
> into two rules, one for -lastexternal and one for deep header tests. 
> 
> But I don't think it's worth trying. spamcop delists IP 24 hours
> after last spam from it is received.

In some dynamic address pools a single address might be used by
hundreds of legitimate mail clients in that time. For example my mobile
service provider supports ~10 million users on 3072 IPv4 addresses. And
a single infected device may use many pool addresses before it's
dealt with.


I don't actually have a problem with this myself, but I know that my ham
is very insensitive to FPs of this kind. It could be that Spamcop is
tuned so that dynamic addresses are unlikely to be listed unless they
are relatively sticky. 
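
A sketch of the split discussed above, with one rule for -lastexternal and one for deep header hits, as an added example that is not part of the original thread or the stock SpamAssassin rule set. The LOCAL_* rule names, the 'lspamcop' set names and the scores are assumptions chosen for illustration.

```conf
# local.cf -- added example; LOCAL_* names, set names and scores are assumptions.

# Disable the stock rule so only the split rules below contribute to the score.
score    RCVD_IN_BL_SPAMCOP_NET  0

# 1) Check only the IP that handed the message to your own (internal) relays.
#    The "-lastexternal" suffix on the set name restricts the lookup to that hop.
header   LOCAL_SPAMCOP_LASTEXT   eval:check_rbl('lspamcop-lastexternal', 'bl.spamcop.net.')
describe LOCAL_SPAMCOP_LASTEXT   Last external relay is in bl.spamcop.net
tflags   LOCAL_SPAMCOP_LASTEXT   net
score    LOCAL_SPAMCOP_LASTEXT   1.3

# 2) Deep check: any untrusted relay in the Received chain. Kept as an
#    unscored subrule (double underscore) and used only by the meta rule.
header   __LOCAL_SPAMCOP_ANY     eval:check_rbl('lspamcop', 'bl.spamcop.net.')
tflags   __LOCAL_SPAMCOP_ANY     net

# 3) Listed somewhere in the chain but not at the last external hop, e.g. a
#    dynamic client address behind a legitimate provider's submission server.
#    Scored lower because pool addresses are shared by many legitimate users.
meta     LOCAL_SPAMCOP_DEEP      (__LOCAL_SPAMCOP_ANY && !LOCAL_SPAMCOP_LASTEXT)
describe LOCAL_SPAMCOP_DEEP      Earlier relay (not last external) in bl.spamcop.net
tflags   LOCAL_SPAMCOP_DEEP      net
score    LOCAL_SPAMCOP_DEEP      0.5
```

The -lastexternal result depends on trusted_networks and internal_networks being set correctly, and `spamassassin --lint` will confirm the file parses before it goes live.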

