From: Charles Gregory <cgreg...@hwcn.org>
Date: Wed, 29 Apr 2009 14:31:22 -0400 (EDT)

I just turned off my AWL today, because of FP issues.... but....

> f...@example.com sends me lots of mail. Say it's over 100. It's all ham and
> it all comes from mail.example.com. The AWL for this email couplet is, say
> -2.1. An email comes in from f...@example.com but sent from spam.spammer.tld
> and score 7.0. It gets an additional, say, .42 (20% of the AWL) to score
> 7.42 instead. Now, another mail from f...@example.com comes in from
> mail.spam2.tld, this one scores 4.3. It gets a +.42 for missing the match on
> mail.example.com, and gets a +.288 for missing the match on spam.spammer.tld

This sounds like an attempt to mimic the effects of SPF records by noting which servers send "most" of the mail for a given address. Sadly, this logic breaks down when the spammers 'get there first' and/or send a greater volume of mail than the genuine sender. Admittedly the latter situation is a low probability for any single sender, but in the big picture, *someone* is getting their AWL reputation trashed every time a spammer forges their e-mail.

AWL stores the IP/16 address with the email address. So your AWL reputation is not being trashed by forged e-mail that comes from a different IP address.

Just this Monday I had a phishing attack against my clients, with *dozens* of e-mails, all purporting to come from ME that came from the *same* server! In this case, as I only send a half dozen messages per month from that account, the spammer would get the favored rating?

Only if the spammer uses the same server that you do.

-jeff
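
Added example, not part of the original thread and not SpamAssassin's code: a simplified model of an AWL keyed on (sender address, IP/16), showing why forged mail from a different network neither borrows nor damages the genuine sender's history. The class and function names, the addresses, and the 0.5 averaging factor are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

FACTOR = 0.5    # assumption: how far a score is pulled toward the stored mean
MASK_LEN = 16   # the IP/16 granularity described in the reply above


class ToyAWL:
    """Toy model: one running (count, total) per (address, IP/16) pair."""

    def __init__(self):
        self.db = defaultdict(lambda: [0, 0.0])

    @staticmethod
    def key(sender, ip):
        net = ipaddress.ip_network(f"{ip}/{MASK_LEN}", strict=False)
        return (sender.lower(), str(net.network_address))

    def score(self, sender, ip, raw):
        """Return the adjusted score, then fold the raw score into history."""
        entry = self.db[self.key(sender, ip)]
        count, total = entry
        adjusted = raw
        if count:  # history exists only for this exact address + /16 pair
            adjusted = raw + (total / count - raw) * FACTOR
        entry[0] += 1
        entry[1] += raw
        return adjusted


def demo():
    awl = ToyAWL()
    sender = "friend@example.com"          # constructed sample address
    for _ in range(100):                   # constructed ham history
        awl.score(sender, "192.0.2.10", -2.1)
    # Forged mail from another /16: no history, score is left alone.
    forged_first = awl.score(sender, "198.51.100.7", 7.0)
    # More forgeries from that server only average against each other.
    forged_second = awl.score(sender, "198.51.100.7", 7.0)
    # Same /16 as the genuine server: pulled toward the ham mean.
    same_net = awl.score(sender, "192.0.77.1", 7.0)
    return forged_first, forged_second, same_net, len(awl.db)


if __name__ == "__main__":
    print(demo())
```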