On Thu, 3 Mar 2016 15:18:36 +0100 Reindl Harald wrote: > it would at best end in the rule get such a low score that it is the > same as disable it entirely - so the only correct thing to do is stop > the foolish deep-header parsing > > why? > > because *then* it would no longer hit any relevant amount of ham and > QA corpus over time could score it higher in a safe way
If that were supported by the corpus it would already have happened. FSL_HELO_BARE_IP_1 is a last-external check FSL_HELO_BARE_IP_2 is a deep check with some additional exclusions These are mutually exclusive _1 suppresses _2 RCVD_NUMERIC_HELO is an independent deep check and overlaps heavily with either FSL_* rule. score FSL_HELO_BARE_IP_1 2.598 1.426 3.099 2.347 score FSL_HELO_BARE_IP_2 1.498 1.499 1.498 1.499 score RCVD_NUMERIC_HELO 0.001 0.865 0.001 1.164 So typically you have last-external: FSL_HELO_BARE_IP_1 + RCVD_NUMERIC_HELO = 3.511 deep: FSL_HELO_BARE_IP_2 + RCVD_NUMERIC_HELO = 2.663 The deep check does score lower, but not by much. What make this all the more remarkable is that at the time you brought it up, the meta rules were wrong and most of the hits that should have gone to FSL_HELO_BARE_IP_1 were going to FSL_HELO_BARE_IP_2 instead, so you probably overestimated the spam hitting the deep rule.
