One possibility, which should be rearranged whenever the scores assigned
to each test get out of order.

Basically, only hit a blacklist rule if you're not hitting another,
higher scoring blacklist rule.  That should pretty much fix the problems
of blacklist overlap:  False positives from higher rates of overlap than
we're seeing in mass-checks, and generated scores for blacklist rules
reduced to avoid false positives for overlaps, resulting in unnecessarily
low scores on spams where only one of the blacklists hits.

Same for whitelists.  

There are certainly more elegant ways to implement this (that wouldn't
require rebuilding if scores change order), but they would require
modification to the scoring algorithm and rescorer.


Current scores for all RCVD_IN_* rules with a positive score (set 1,
net, no bayes), sorted by score:

RCVD_IN_PBL 3.558
RCVD_IN_PSBL 2.700
RCVD_IN_SBL 2.596
RCVD_IN_SORBS_HTTP 2.499
RCVD_IN_SORBS_SOCKS 2.443
RCVD_IN_NJABL_RELAY 1.881
RCVD_IN_BRBL_LASTEXT 1.644
RCVD_IN_NJABL_SPAM 1.466
RCVD_IN_RP_RNBL 1.284
RCVD_IN_BL_SPAMCOP_NET 1.246
RCVD_IN_CSS 1.0
RCVD_IN_XBL 0.724
RCVD_IN_SORBS_WEB 0.614
RCVD_IN_NJABL_PROXY 0.208
RCVD_IN_SORBS_DUL 0.001


Change all of those to 0.001, and add, in descending order of score:

meta RCVD_IN_WORST_PBL RCVD_IN_PBL

meta RCVD_IN_WORST_PSBL RCVD_IN_PSBL && !(RCVD_IN_PBL)

meta RCVD_IN_WORST_SBL RCVD_IN_SBL && !(RCVD_IN_PBL || RCVD_IN_PSBL)

meta RCVD_IN_WORST_SORBS_HTTP RCVD_IN_SORBS_HTTP && !(RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SBL)

meta RCVD_IN_WORST_SORBS_SOCKS RCVD_IN_SORBS_SOCKS && !(RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SBL || RCVD_IN_SORBS_HTTP)

meta RCVD_IN_WORST_NJABL_RELAY RCVD_IN_NJABL_RELAY && !(RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SBL || RCVD_IN_SORBS_HTTP || RCVD_IN_SORBS_SOCKS)

meta RCVD_IN_WORST_BRBL_LASTEXT RCVD_IN_BRBL_LASTEXT && !(RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SBL || RCVD_IN_SORBS_HTTP || RCVD_IN_SORBS_SOCKS || RCVD_IN_NJABL_RELAY)

meta RCVD_IN_WORST_NJABL_SPAM RCVD_IN_NJABL_SPAM && !(RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SBL || RCVD_IN_SORBS_HTTP || RCVD_IN_SORBS_SOCKS || RCVD_IN_NJABL_RELAY || RCVD_IN_BRBL_LASTEXT)

meta RCVD_IN_WORST_RP_RNBL RCVD_IN_RP_RNBL && !(RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SBL || RCVD_IN_SORBS_HTTP || RCVD_IN_SORBS_SOCKS || RCVD_IN_NJABL_RELAY || RCVD_IN_BRBL_LASTEXT || RCVD_IN_NJABL_SPAM)

meta RCVD_IN_WORST_BL_SPAMCOP_NET RCVD_IN_BL_SPAMCOP_NET && !(RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SBL || RCVD_IN_SORBS_HTTP || RCVD_IN_SORBS_SOCKS || RCVD_IN_NJABL_RELAY || RCVD_IN_BRBL_LASTEXT || RCVD_IN_NJABL_SPAM || RCVD_IN_RP_RNBL)

meta RCVD_IN_WORST_CSS RCVD_IN_CSS && !(RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SBL || RCVD_IN_SORBS_HTTP || RCVD_IN_SORBS_SOCKS || RCVD_IN_NJABL_RELAY || RCVD_IN_BRBL_LASTEXT || RCVD_IN_NJABL_SPAM || RCVD_IN_RP_RNBL || RCVD_IN_BL_SPAMCOP_NET)

meta RCVD_IN_WORST_XBL RCVD_IN_XBL && !(RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SBL || RCVD_IN_SORBS_HTTP || RCVD_IN_SORBS_SOCKS || RCVD_IN_NJABL_RELAY || RCVD_IN_BRBL_LASTEXT || RCVD_IN_NJABL_SPAM || RCVD_IN_RP_RNBL || RCVD_IN_BL_SPAMCOP_NET || RCVD_IN_CSS)

meta RCVD_IN_WORST_SORBS_WEB RCVD_IN_SORBS_WEB && !(RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SBL || RCVD_IN_SORBS_HTTP || RCVD_IN_SORBS_SOCKS || RCVD_IN_NJABL_RELAY || RCVD_IN_BRBL_LASTEXT || RCVD_IN_NJABL_SPAM || RCVD_IN_RP_RNBL || RCVD_IN_BL_SPAMCOP_NET || RCVD_IN_CSS || RCVD_IN_XBL)

meta RCVD_IN_WORST_NJABL_PROXY RCVD_IN_NJABL_PROXY && !(RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SBL || RCVD_IN_SORBS_HTTP || RCVD_IN_SORBS_SOCKS || RCVD_IN_NJABL_RELAY || RCVD_IN_BRBL_LASTEXT || RCVD_IN_NJABL_SPAM || RCVD_IN_RP_RNBL || RCVD_IN_BL_SPAMCOP_NET || RCVD_IN_CSS || RCVD_IN_XBL || RCVD_IN_SORBS_WEB)

meta RCVD_IN_WORST_SORBS_DUL RCVD_IN_SORBS_DUL && !(RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SBL || RCVD_IN_SORBS_HTTP || RCVD_IN_SORBS_SOCKS || RCVD_IN_NJABL_RELAY || RCVD_IN_BRBL_LASTEXT || RCVD_IN_NJABL_SPAM || RCVD_IN_RP_RNBL || RCVD_IN_BL_SPAMCOP_NET || RCVD_IN_CSS || RCVD_IN_XBL || RCVD_IN_SORBS_WEB || RCVD_IN_NJABL_PROXY)



I would expect rescoring to give all of these higher scores.

-- 
"It is the first responsibility of every citizen to question authority."
- Benjamin Franklin
http://www.ChaosReigns.com
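
Added example, not part of the original post: a Python sketch that regenerates the rule chain above from a score table, so it can be rebuilt whenever rescoring changes the order. The scores are the ones listed in the post; the function names are hypothetical.

```python
# Added example: rebuild the "highest-scoring blacklist only" metas from a score table.
# SCORES copies the values quoted in the post; function names are hypothetical.
SCORES = {
    "RCVD_IN_PBL": 3.558, "RCVD_IN_PSBL": 2.700, "RCVD_IN_SBL": 2.596,
    "RCVD_IN_SORBS_HTTP": 2.499, "RCVD_IN_SORBS_SOCKS": 2.443,
    "RCVD_IN_NJABL_RELAY": 1.881, "RCVD_IN_BRBL_LASTEXT": 1.644,
    "RCVD_IN_NJABL_SPAM": 1.466, "RCVD_IN_RP_RNBL": 1.284,
    "RCVD_IN_BL_SPAMCOP_NET": 1.246, "RCVD_IN_CSS": 1.0,
    "RCVD_IN_XBL": 0.724, "RCVD_IN_SORBS_WEB": 0.614,
    "RCVD_IN_NJABL_PROXY": 0.208, "RCVD_IN_SORBS_DUL": 0.001,
}
PREFIX = "RCVD_IN_"


def worst_name(rule):
    """RCVD_IN_PBL -> RCVD_IN_WORST_PBL, the naming used in the post."""
    return PREFIX + "WORST_" + rule[len(PREFIX):]


def build_rules(scores):
    """Return config lines: each base rule pinned to 0.001, then one meta
    per rule that fires only when no higher-scoring base rule also hit."""
    # Descending by score; ties keep the table's input order (sorted is stable).
    ordered = sorted(scores, key=lambda r: -scores[r])
    lines = [f"score {rule} 0.001" for rule in ordered]
    for i, rule in enumerate(ordered):
        expr = rule
        if i:  # every rule after the top one excludes all rules ranked above it
            expr += " && !(" + " || ".join(ordered[:i]) + ")"
        # Each rule stays on one physical line, however long it gets.
        lines.append(f"meta {worst_name(rule)} {expr}")
    return lines


def firing_meta(scores, hits):
    """Name of the single WORST meta that fires for a set of base-rule hits."""
    listed = [rule for rule in hits if rule in scores]
    if not listed:
        return None
    return worst_name(max(listed, key=lambda r: scores[r]))


if __name__ == "__main__":
    print("\n".join(build_rules(SCORES)))
```

The generated metas carry no scores of their own; those would come from rescoring, as the post expects.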
