John,

> a) do any of them have a small enough value that they wouldn't counter
> botnet's default score of 5? Meaning, if I "do nothing" with respect to
> those other whitelist mechanisms, they'll still "do the right thing" and
> let the botnet hosts through, right?

Not by default, although I set my SA-based whitelist scores at -4 (I only use a handful).

> (for similar reasons I'm currently not going to look at making the
> BOTNET meta rule's expression more complicated with references to DK and
> DKIM; the DK scores in the base SA are scored at -100 and -7.5 ... that
> seems useful enough to me; but I might look at putting in alternate meta
> rule expressions that are commented out, if people really want me to;
> that way people could just choose to comment and uncomment whatever
> seems most appropriate for their situation)

I 'whitelist' DK-verified yahoo and gmail mail at -2.5 (there is some spam coming from legitimate accounts there). It is also quite unlikely that verified yahoo or gmail mail would be coming from a botnet, so if BOTNET rules fired it would be an almost certain false positive.

Mark