At 05:11 PM 2/24/2004, Anthony McCarthy wrote:
I use procmail to tag email before using SA, kind of like an MTA.
If the email Received header contains:
A) a spammy IP range
B) from unknown
C) from 192.168.xxx.xxx

Why exactly do you consider NATed systems to be spammy?

Why are you only targeting 192.168.*? What about the class A (10.*) or the class B block range (I forget the IPs)?

For reference, xanadu.evi-inc.com has a 192.168.*.* IP address, it's just NATed for you people on the outside.

However, my workstation's IP is in the 10.* range, and is not hidden. Also, our branch offices use 192.168.*.* subnets, and those aren't hidden and appear in received headers when those stations don't double-relay via an internal mail system in the 10.* block.

Quite frankly, I'm even more shocked at your suggestion that a received: header containing 192.168.*.* is spammy.

This implies to me that either you don't understand the purpose of this block, or don't understand that most modern business networks are NAT-based.

As for FP rates... out of 3006 sa-talk/spamassassin-users emails 334 contain 192.168.*.* in their Received: headers.

That's 10% of nonspam mail posted to this list!!!!

4071 snort-users posts have 393 matches. This time slightly less than 10% but still quite high.

Even your own mail contains 192.168.*.*

Received: from pc-00017 (HELO prkvw.com) (192.168.0.17)
  by pv-linux.prkvw.com (192.168.0.15) with ESMTP; 24 Feb 2004 22:03:38 -0000


The only thing that appears to save you is that your 192.168.* rule appears to require _both_ 192.168.* and "unknown" at the same time.


However, this is contrary to your described intent.
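
An added example, not part of the original message: a Python sketch of the false-positive measurement described above, counting how many known-good messages a "private address in Received:" rule would tag. It goes beyond the post by checking all three RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); the function names and every sample message except the Received header quoted in the post are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# The three RFC 1918 private blocks (the post names 10.* and 192.168.*).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Dotted quads that are not part of a longer dotted/numeric token.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def private_hops(raw_message):
    """Return RFC 1918 addresses found in the Received: headers."""
    msg = message_from_string(raw_message)
    found = []
    for header in msg.get_all("Received", []):
        for text in IPV4.findall(header):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:  # e.g. 999.1.1.1 is not an address
                continue
            if any(addr in net for net in RFC1918):
                found.append(text)
    return found


def hit_rate(messages):
    """Fraction of messages a 'private IP in Received' rule would tag."""
    hits = sum(1 for m in messages if private_hops(m))
    return hits / len(messages) if messages else 0.0


# Constructed ham samples; the first reuses the Received header quoted in the post.
HAM = [
    "Received: from pc-00017 (HELO prkvw.com) (192.168.0.17)\n"
    "  by pv-linux.prkvw.com (192.168.0.15) with ESMTP; 24 Feb 2004 22:03:38 -0000\n"
    "Subject: list post\n\nbody\n",
    "Received: from ws1.example.com (10.1.2.3) by mx.example.com with ESMTP\n"
    "Subject: branch office\n\nbody\n",
    "Received: from mail.example.net (198.51.100.7) by mx.example.com with ESMTP\n"
    "Subject: public relay\n\nbody\n",
    "Received: from gw.example.org (172.32.0.1) by mx.example.com with ESMTP\n"
    "Subject: just outside 172.16/12\n\nbody\n",
]

if __name__ == "__main__":
    for m in HAM:
        print(private_hops(m))
    print(f"rule would tag {hit_rate(HAM):.0%} of this ham sample")
```

Running the same functions over a real ham mailbox gives the rule's false-positive rate before it is deployed.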










