I just turned off my AWL today, because of FP issues.... but....

f...@example.com sends me lots of mail. Say it's over 100. It's all ham and it all comes from mail.example.com. The AWL for this email couplet is, say, -2.1. An email comes in from f...@example.com but sent from spam.spammer.tld and scores 7.0. It gets an additional, say, .42 (20% of the AWL) to score 7.42 instead. Now, another mail from f...@example.com comes in from mail.spam2.tld, this one scores 4.3. It gets a +.42 for missing the match on mail.example.com, and gets a +.288 for missing the match on spam.spammer.tld.

This sounds like an attempt to mimic the effects of SPF records by noting which servers send "most" of the mail for a given address. Sadly, this logic breaks down when the spammers 'get there first' and/or send a greater volume of mail than the genuine sender. Admittedly the latter situation is a low probability for any single sender, but in the big picture, *someone* is getting their AWL reputation trashed every time a spammer forges their e-mail.

Just this Monday I had a phishing attack against my clients, with *dozens* of e-mails, all purporting to come from ME that came from the *same* server! In this case, as I only send a half dozen messages per month from that account, the spammer would get the favored rating?

No, I think I will return to my earlier request/question and suggest that perhaps whitelisting should do just that: It should only be allowed to *reduce* a score for a sender/server that suddenly sends a 'spammy' message. It should not be allowed to *raise* scores. Thus, FPs will at worst cancel out an existing negative adjustment.

Given that historically this is a very different behaviour, I would ask/suggest that this be added as an 'option' that could be enabled by people experiencing false positives because of the AWL....

AWL_reduce_scores_only 1

- Charles
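
Added example (not part of the original message, and not SpamAssassin code): a simplified Python model of a mean-based AWL keyed on sender address and relay, with the reduce-only behaviour proposed above as a switch. The 0.5 factor, the address, the second relay name and all scores are constructed, and `reduce_only` stands in for the suggested `AWL_reduce_scores_only` option, which is a proposal rather than an existing setting.

```python
from collections import defaultdict

FACTOR = 0.5  # assumed weight pulling a score toward the historical mean


class AwlModel:
    """Toy AWL: running mean of past scores per (sender address, relay) pair."""

    def __init__(self, factor=FACTOR, reduce_only=False):
        self.factor = factor
        self.reduce_only = reduce_only      # hypothetical AWL_reduce_scores_only
        self.total = defaultdict(float)
        self.count = defaultdict(int)

    def adjust(self, sender, relay, score):
        """Return the adjusted score, then record the raw score in history."""
        key = (sender, relay)
        delta = 0.0
        if self.count[key]:
            mean = self.total[key] / self.count[key]
            delta = (mean - score) * self.factor
            if self.reduce_only:
                delta = min(delta, 0.0)     # never raise a score
        self.total[key] += score
        self.count[key] += 1
        return round(score + delta, 3)


def replay(reduce_only):
    """Replay constructed traffic and return the adjusted scores of interest."""
    awl = AwlModel(reduce_only=reduce_only)
    # Constructed history: 20 ham messages from the usual relay ...
    for _ in range(20):
        awl.adjust("user@example.com", "mail.example.com", -2.0)
    # ... and 12 high-scoring messages recorded against a second relay.
    for _ in range(12):
        awl.adjust("user@example.com", "relay.example.net", 9.0)
    return {
        # A borderline message from the usual relay is pulled down either way.
        "known_relay": awl.adjust("user@example.com", "mail.example.com", 6.0),
        # A low-scoring message on the pair with bad history is raised
        # unless the adjustment is clamped to reductions only.
        "bad_history": awl.adjust("user@example.com", "relay.example.net", 2.0),
    }


if __name__ == "__main__":
    print("default:    ", replay(reduce_only=False))
    print("reduce-only:", replay(reduce_only=True))
```

With a threshold of 5.0, the second message crosses it only in the default mode; the reduction for the known relay is identical in both modes.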
