Terry Carmen wrote:
> Actually, I was looking at it from the other (ham) direction.
>
> Say I live in Rochester, NY. Chances are pretty good that mail I receive
> from IP addresses in or near Rochester would be ham (friends/business/etc.)
>
> Email becomes more "hammy" as its origination point gets closer to my
> physical location (and people I know).
>
> Being far away doesn't guarantee spam, but being close increases the
> chances of ham.
>
> Of course, this wouldn't help at all with large mail providers like Google
> and Microsoft, however it would help when dealing with local businesses and
> friends.

Our experience confirms the above. We are collecting TCP session summary data on SMTP sessions at our MTA by running p0f (a passive operating system fingerprinting utility), and inserting the guessed IP hop count (along with the guessed OS type of a client) as a mail header field. A couple of SpamAssassin rules then assess this info, and add some negative score points to nearby clients based on an IP hop count:

  header L_P0F_D1234  X-Amavis-OS-Fingerprint =~ /\bdistance [1-4](?![0-9])/m
  header L_P0F_D56789 X-Amavis-OS-Fingerprint =~ /\bdistance [5-9](?![0-9])/m
  header L_P0F_D10    X-Amavis-OS-Fingerprint =~ /\bdistance 10(?![0-9])/m
  header L_P0F_D11    X-Amavis-OS-Fingerprint =~ /\bdistance 11(?![0-9])/m
  score  L_P0F_D1234  -0.5
  score  L_P0F_D56789 -0.5
  score  L_P0F_D10    -0.3
  score  L_P0F_D11    -0.3

This works well for us and reduces false positives for local traffic, thanks to living in a small country in Europe.

Mark
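
The four rules from the message above, exercised against sample header values in Python. This is an added example, not part of the original message: the header values are constructed, and Python's `re` is assumed to stand in for SpamAssassin's Perl regex engine for these patterns. It shows what the trailing `(?![0-9])` guard does: without it, a client 14 hops away would match the `[1-4]` rule.

```python
import re

# Rules copied from the message above: (name, pattern, score).
RULES = [
    ("L_P0F_D1234",  r"\bdistance [1-4](?![0-9])", -0.5),
    ("L_P0F_D56789", r"\bdistance [5-9](?![0-9])", -0.5),
    ("L_P0F_D10",    r"\bdistance 10(?![0-9])",    -0.3),
    ("L_P0F_D11",    r"\bdistance 11(?![0-9])",    -0.3),
]
# The /m modifier on the SpamAssassin rules corresponds to re.M here.
COMPILED = [(name, re.compile(pat, re.M), score) for name, pat, score in RULES]


def evaluate(header_value):
    """Return (names of the rules that hit, total score) for one header value."""
    hits = [(name, score) for name, rx, score in COMPILED if rx.search(header_value)]
    return [name for name, _ in hits], round(sum(score for _, score in hits), 2)


def without_lookahead(header_value):
    """The first rule with its (?![0-9]) guard removed, for comparison only."""
    return bool(re.search(r"\bdistance [1-4]", header_value, re.M))


# Constructed X-Amavis-OS-Fingerprint values, not captured from a real MTA.
SAMPLES = [
    "Linux 2.6, (distance 3, link: ethernet/modem)",
    "Windows XP, (distance 10, link: ethernet/modem)",
    "FreeBSD 6.x, (distance 14, link: ethernet/modem)",
    "UNKNOWN",  # no fingerprint available for this client
]

if __name__ == "__main__":
    for value in SAMPLES:
        rules_hit, total = evaluate(value)
        print(f"{total:5.1f}  {rules_hit}  unguarded={without_lookahead(value)}  {value}")
```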