OK, working on my first cup of coffee this morning, so maybe this has
potential.
The way the AWL works is by keeping track of the origin of emails,
both the address and the server (the top line Received header?) that
sends the email. So, let's say that I have a lot of email from f...@example.com
and that foo's email is sent to me via mail.example.com.
Now, I get an email claiming to be from f...@example.com but sent to me
from suspiciousserver.tld, so the AWL is not applied.
But if I've gotten 50 emails from f...@example.com and all came through
mail.example.com it seems that it would be beneficial to have an 'anti'
AWL score applied to this particular email, since it claims to
be from one place, but doesn't match the AWL entry. This, naturally,
would start off a new AWL entry, but with a slightly higher score than
otherwise.
This would even be useful if the original AWL entry is spammish since
multiple servers might be a sign of a botnet or host hopping, so
applying a little spammish nudge to these messages is probably going
to help out a lot, especially if spam...@fakedoamin.tld is sending
mails from, say, 10 different servers, then all those AWL mismatches are
going to feed each other into moving that AWL up very, very fast.
--
The Germans wore gray, you wore blue.
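
The proposal above as a small model, added here as an illustration; it is not part of the original message and not SpamAssassin's code. The averaging factor, the penalty size, the history threshold and the address alice@example.com are assumptions made for the example.

```python
from collections import defaultdict

AWL_FACTOR = 0.5        # assumption: pull halfway toward the entry's mean
MISMATCH_PENALTY = 1.0  # assumption: size of the proposed 'anti' AWL nudge
MIN_HISTORY = 5         # assumption: history needed before a mismatch counts


class Awl:
    """Toy AWL keyed on (From address, sending server), as the post describes."""

    def __init__(self):
        # (address, server) -> [message count, sum of stored scores]
        self.entries = defaultdict(lambda: [0, 0.0])

    def seen_elsewhere(self, address, server):
        """Messages recorded for this address via any other server."""
        return sum(count for (addr, srv), (count, _) in self.entries.items()
                   if addr == address and srv != server)

    def score(self, address, server, raw):
        entry = self.entries[(address, server)]
        count, total = entry
        stored = raw
        if count:
            # Known pair: normal AWL behaviour, pull toward the mean.
            final = raw + (total / count - raw) * AWL_FACTOR
        elif self.seen_elsewhere(address, server) >= MIN_HISTORY:
            # Known address, unknown server: seed the new entry higher.
            stored = final = raw + MISMATCH_PENALTY
        else:
            final = raw  # no useful history either way
        entry[0] += 1
        entry[1] += stored
        return final


def replay(messages):
    """Score constructed (address, server, raw score) tuples in order."""
    awl = Awl()
    return [awl.score(*msg) for msg in messages]


if __name__ == "__main__":
    # Constructed sample: 50 mails via the usual server, then two via another.
    sample = [("alice@example.com", "mail.example.com", 0.5)] * 50
    sample += [("alice@example.com", "suspiciousserver.tld", 0.5)] * 2
    print(replay(sample)[-3:])
```

The first mail via the new server gets the nudge, and the second is then pulled toward that raised entry by the ordinary averaging.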