http://bugzilla.spamassassin.org/show_bug.cgi?id=3216 quinlan@pathname.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |DUPLICATE
------- Additional Comments From quinlan@pathname.com 2004-03-26 13:38 -------
Hi Bob, yes, that's a great rule. I worked on this for a while last month,
the original rule came from Martin Radford in bug 2992 (L_SPAMMY_RCVD), but
it evolved quite a bit after that.
In SVN, the rules are now:
RCVD_DOUBLE_IP_SPAM
RCVD_DOUBLE_IP_LOOSE
(the two don't overlap at all due to some meta usage)
results for everyone in nightly corpus:
26.009 31.5196 0.0033 1.000 0.98 1.00 RCVD_DOUBLE_IP_SPAM
5.464 6.6032 0.0868 0.987 0.91 1.00 RCVD_DOUBLE_IP_LOOSE
my results vs. T_SUSP_IP_RECEIVED:
OVERALL% SPAM% HAM% S/O RANK SCORE NAME
29409 14430 14979 0.491 0.00 0.00 (all messages)
100.000 49.0666 50.9334 0.491 0.00 0.00 (all messages as %)
8.066 16.4380 0.0000 1.000 1.00 1.00 RCVD_DOUBLE_IP_SPAM
5.192 10.5475 0.0334 0.997 0.98 0.01 T_SUSP_IP_RECEIVED
2.149 4.3590 0.0200 0.995 0.96 1.00 RCVD_DOUBLE_IP_LOOSE
Looking at the T_SUSP_IP_RECEIVED spam hits, there were 1522 spam hits
which hit these related and semi-related rules (count, rule):
1522 T_SUSP_IP_RECEIVED
1522 RCVD_BY_IP
1520 RCVD_DOUBLE_IP_SPAM
232 T_RCVD_NUMERIC_HELO
231 RCVD_HELO_IP_MISMATCH
212 RCVD_NUMERIC_HELO
2 RCVD_DOUBLE_IP_LOOSE
so it looks like we're pretty well covered, so I'm closing as a
duplicate.
It might be worth trying a variation of the RCVD_DOUBLE_IP rules just
looking for actual IP addresses instead of using \d{1,3}, but I doubt
that would remove a significant number of false positives.
*** This bug has been marked as a duplicate of 2992 ***
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.