Matt Kettler writes:
> Cliff Stanford wrote:
> > Some questions:
> >
> > 1. RCVD_IN_XBL
> >
> > Why is this only applied by default to -lastexternal rather than all the
> > Received: lines? Surely if any forwarding host is a known exploit, it
> > should score the same 3.897 ?
> The problem here is that XBL will generally consist of home-user IPs.
> Those IPs are of hosts known to have been infected with backdoors that
> cause spam relaying.
>
> XBL is highly effective if you use it to pick off hosts directly sending
> mail to your network, with near zero false positives. Generally home
> users use their relays, and spam tools direct deliver.
>
> However, if you apply it to the originating IP, you'll also pick off all
> the legitimate mail sent by infected users (or uninfected users who got
> reallocated the same IP!) the false positive rate goes up as a result,
> and the score of this test would fall as a result.

Yep.

> > 2. RCVD_IN_PBL
> >
> > This is (IMHO) correctly applied to -lastexternal. Why is the default
> > score only 0.001 ?
> I suspect it's not been around long enough to have been subjected to a
> mass-check to determine its accuracy. It is also not clear to what
> degree it will overlap with the NJABL and SORBS DUL lists, which would
> also show up in mass-check. With no detailed information on the accuracy
> of the list, or how it interacts with other existing lists, they
> probably assigned it this score to start.

Yes -- in SpamAssassin 3.2.0, it's picking up a more useful score: 0.509 in
set 1 and 0.905 in set 3. (Not a huge score, but that's where the GA set
it... its optimal score, given FPs and other rules it overlaps with.)

> > 3. -lastexternal
> >
> > The docs for this flag say, "You can select only the external host that
> > connected to your internal network." Does this mean that
> > "trusted_networks" is ignored for this flag and I would need to put the
> > secondary MXs' IP addresses into "internal_networks" instead.
> Yes, although be aware that unless you explicitly specify an
> internal_networks, the value is copied from trusted_networks.
>
> Most people only need to set trusted_networks, and let internal_networks
> copy it. Only a few sites (for example those that need to accept mail
> from dialup users) need to make these two lists differ.
>
> >
> > 4. Lists
> >
> > Is this the right place or should I have posted this to the dev list
> > instead?
> This is the right place for questions about SA. Even though this touches
> a bit on the subject of development, it's really only questions about
> the hows and whys of SA's rules. As such, I'd say this is the right list.
>
> Personally, I kind of view the dev list as more of a place to make
> specific suggestions. This list is a better place to ask questions,
> unless you're really getting into questions that arise from attempts to
> implement a new feature in SA.
> (ie: if you were writing a new bayes
> store for some new kind of database, and had questions about how bayes
> stores are used.. that would probably be good to post to dev)
>
> However, be aware that I'm merely a "helpful community member" and my
> opinions on the list uses are purely non-official.

But almost always right ;)

--j.
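
The behaviour discussed in points 1 and 3 of the thread, as an added example that is not part of the original messages and is not SpamAssassin's code: a simplified model of how a -lastexternal lookup selects one relay from the Received: chain, and how that choice depends on internal_networks. All addresses are constructed documentation-range values, and the `XBL_LISTED` set stands in for a real DNSBL query.

```python
import ipaddress

# Constructed sample data (documentation ranges, not real hosts).
XBL_LISTED = {"203.0.113.77"}                        # infected home PC
PRIMARY_ONLY = [ipaddress.ip_network("192.0.2.1/32")]
WITH_SECONDARY_MX = [ipaddress.ip_network("192.0.2.0/28")]

# Relay IPs as recorded in Received: headers, newest hop first.
# Legitimate mail: home PC -> ISP smarthost -> our secondary MX -> primary MX
LEGIT_VIA_ISP = ["192.0.2.2", "198.51.100.10", "203.0.113.77"]
# Spam tool on the same kind of host delivering directly to our secondary MX
DIRECT_SPAM = ["192.0.2.2", "203.0.113.77"]


def is_internal(ip, internal_networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_networks)


def last_external(relays, internal_networks):
    """Return the host that handed the mail to the internal network."""
    for ip in relays:                      # walk from the newest header down
        if not is_internal(ip, internal_networks):
            return ip
    return None                            # mail never left internal hosts


def hits_lastexternal(relays, internal_networks, listed=XBL_LISTED):
    """Model of a DNSBL rule restricted to the last external relay."""
    return last_external(relays, internal_networks) in listed


def hits_any_hop(relays, internal_networks, listed=XBL_LISTED):
    """Model of the same rule applied to every non-internal Received: hop."""
    return any(ip in listed for ip in relays
               if not is_internal(ip, internal_networks))


if __name__ == "__main__":
    for name, chain in (("legit via ISP", LEGIT_VIA_ISP),
                        ("direct spam", DIRECT_SPAM)):
        print(name,
              "| lastexternal:", hits_lastexternal(chain, WITH_SECONDARY_MX),
              "| all hops:", hits_any_hop(chain, WITH_SECONDARY_MX),
              "| secondary MX not internal:",
              hits_lastexternal(chain, PRIMARY_ONLY))
```

With the secondary MX left out of the internal list, the last external relay is the secondary MX itself, so the directly delivered message is no longer matched.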