René Berber wrote:
> John Rudd wrote:
>> Botnet's score of 5 is meant to say "this message should be quarantined
>> or flagged for review". It's not saying "this message is _definitely_
>> spam".
> [snip]
>
> The trouble is redundancy in scores, the BOTNET score is usually just the start
> of a HELO_DYNAMIC_DHCP, HELO_DYNAMIC_HCC, HELO_DYNAMIC_IPADDR plus RDNS_DYNAMIC or
> RDNS_NONE and RCVD_IN_PBL, RCVD_IN_SORB ... long list.
>
> So, unless one disables the redundant scores, the other option is to lower the
> BOTNET score. The first procedure is better but needs more work (which ones are
> the redundant rules?), the second procedure is easy and that's why most of us
> use it.

There are a couple of things that come to mind here:
1) I have no problem with people lowering BOTNET's score. Different
people have different concepts of what a "score of 5+" means (definitely
spam, quarantine as suspicious, etc.). Set it at whatever score works
for you.
2) I think if you're getting hits on LOTS of overlapping rule concepts,
then the problem isn't with the individual rule's score. It's something
else (it's really spam? the sender site is mismanaged in one way or
another? etc.).
3) Overlapping rule concepts aren't a bad thing. They each use a
different technique, and some will catch ones that the others
don't. For example, I expect that PBL catches a TON of stuff that
Botnet also catches. But there will be some that PBL catches that
Botnet won't, and perhaps vice versa. So, I wouldn't eliminate either one.
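
Added example (not part of the original thread, and not code from SpamAssassin or the Botnet plugin): one way to approach the "which ones are the redundant rules?" question is to count, over your own scanned mail, how often each other rule fires together with BOTNET and how often it fires without it. The `X-Spam-Status` lines below are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed X-Spam-Status headers (not real mail), one per message.
SAMPLE_HEADERS = [
    "X-Spam-Status: Yes, score=11.2 required=5.0 tests=BOTNET,HELO_DYNAMIC_IPADDR,RDNS_DYNAMIC,RCVD_IN_PBL autolearn=no",
    "X-Spam-Status: Yes, score=8.4 required=5.0 tests=BOTNET,RDNS_NONE,RCVD_IN_PBL autolearn=no",
    "X-Spam-Status: Yes, score=5.0 required=5.0 tests=BOTNET autolearn=no",
    "X-Spam-Status: No, score=0.9 required=5.0 tests=RCVD_IN_PBL autolearn=no",
    "X-Spam-Status: Yes, score=7.7 required=5.0 tests=BOTNET,HELO_DYNAMIC_DHCP,\n\tRDNS_DYNAMIC autolearn=no",
    "X-Spam-Status: No, score=-1.0 required=5.0 tests=BAYES_00 autolearn=ham",
]

TESTS_RE = re.compile(r"tests=([A-Za-z0-9_,]+)")

def rules_hit(header):
    """Return the set of rule names listed in one X-Spam-Status header."""
    unfolded = re.sub(r",\s+", ",", header)  # undo header folding after commas
    m = TESTS_RE.search(unfolded)
    if not m or m.group(1) == "none":
        return set()
    return {r for r in m.group(1).split(",") if r}

def overlap_report(headers, anchor="BOTNET"):
    """Map each other rule to (hits with anchor, total hits, fraction with anchor).
    Also return the anchor's hit count and how often it fired with no other rule."""
    total, with_anchor = Counter(), Counter()
    anchor_hits = anchor_alone = 0
    for h in headers:
        rules = rules_hit(h)
        others = rules - {anchor}
        total.update(others)
        if anchor in rules:
            anchor_hits += 1
            with_anchor.update(others)
            if not others:
                anchor_alone += 1
    report = {r: (with_anchor[r], total[r], with_anchor[r] / total[r]) for r in total}
    return report, anchor_hits, anchor_alone

if __name__ == "__main__":
    report, hits, alone = overlap_report(SAMPLE_HEADERS)
    print(f"BOTNET hits: {hits}, with no other rule: {alone}")
    for rule, (both, tot, frac) in sorted(report.items(), key=lambda kv: -kv[1][2]):
        print(f"{rule:22} {both}/{tot} of its hits also hit BOTNET ({frac:.0%})")
```

A rule whose hits almost always coincide with BOTNET is a candidate for the score redundancy described in the quoted text, while hits without BOTNET, and BOTNET hits with no other rule, are the cases point 3 refers to where one technique catches what the other does not.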