I thought I'd add DCC_CHECK to the RCVD_IN_MANY rule that's been posted
recently. I made it:

meta L_RCVD_IN_MANY ( RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SBL + RCVD_IN_SORBS + RCVD_IN_NJABL + RCVD_IN_DYNABLOCK + RCVD_IN_DSBL + RCVD_IN_NJABL_SPAM + RCVD_IN_NJABL_PROXY + RCVD_IN_RFCI + RCVD_IN_OPM + RCVD_IN_SORBS_HTTP + RAZOR2_CHECK + DCC_CHECK ) > 2

But even with this rule, I still get:

 0.2 NO_REAL_NAME        From: does not include a real name
 0.1 HTML_MESSAGE        BODY: HTML included in message
 0.0 HTML_IMAGE_ONLY_10  BODY: HTML: images with 800-1000 bytes of words
 5.4 BAYES_99            BODY: Bayesian spam probability is 99 to 100%
                         [score: 1.0000]
 0.1 BIZ_TLD             URI: Contains a URL in the BIZ top-level domain
 2.9 DCC_CHECK           Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.1 RCVD_IN_SORBS       RBL: SORBS: sender is listed in SORBS
                         [69.160.229.145 listed in dnsbl.sorbs.net]
                         [216.200.145.37 listed in dnsbl.sorbs.net]

Why hasn't my rule kicked in? It does work for the other RCVD_ terms:

 0.1 RCVD_IN_SORBS       RBL: SORBS: sender is listed in SORBS
                         [68.84.161.191 listed in dnsbl.sorbs.net]
                         [216.200.145.38 listed in dnsbl.sorbs.net]
 0.0 LOCAL_DRUGS_ANXIETY LOCAL_DRUGS_ANXIETY
 3.0 L_RCVD_IN_MANY      Message received in more than 2 RBLs

I suppose there is also the question whether it is/isn't a good idea to add
DCC_CHECK to this. It does seem to be a pretty good indicator.
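
Added example, not part of the original post: a small Python check that counts how many sub-rules of the posted meta rule appear in the first report above. It assumes each sub-rule that hit contributes 1 to the sum no matter how many addresses it lists, and it handles only the "sum > N" form used here; the function names are hypothetical.

```python
import re

# The meta expression from the post, joined onto one line.
META = ("( RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SBL + RCVD_IN_SORBS + RCVD_IN_NJABL + "
        "RCVD_IN_DYNABLOCK + RCVD_IN_DSBL + RCVD_IN_NJABL_SPAM + "
        "RCVD_IN_NJABL_PROXY + RCVD_IN_RFCI + RCVD_IN_OPM + RCVD_IN_SORBS_HTTP + "
        "RAZOR2_CHECK + DCC_CHECK ) > 2")

# The first report excerpt quoted in the post.
REPORT = """\
0.2 NO_REAL_NAME From: does not include a real name
0.1 HTML_MESSAGE BODY: HTML included in message
0.0 HTML_IMAGE_ONLY_10 BODY: HTML: images with 800-1000 bytes of words
5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
0.1 BIZ_TLD URI: Contains a URL in the BIZ top-level domain
2.9 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
[69.160.229.145 listed in dnsbl.sorbs.net]
[216.200.145.37 listed in dnsbl.sorbs.net]
"""

# A hit line is "<score> <RULE_NAME> <description>"; bracketed detail lines do not match.
HIT_LINE = re.compile(r"^\s*-?\d+\.\d+\s+([A-Z][A-Z0-9_]*)\b")
RULE_NAME = re.compile(r"[A-Z][A-Z0-9_]*")
THRESHOLD = re.compile(r">\s*(\d+)\s*$")


def hits_in_report(report):
    """Return the set of rule names that appear as hits in a report excerpt."""
    return {m.group(1) for line in report.splitlines() if (m := HIT_LINE.match(line))}


def evaluate_meta(expr, hits):
    """Evaluate a '( A + B + ... ) > N' meta expression against a set of hits.

    Assumption: a sub-rule that hit counts as 1, one that did not as 0.
    Returns (matched sub-rules, sum, threshold, fired).
    """
    m = THRESHOLD.search(expr)
    if m is None:
        raise ValueError("only the 'sum > N' form is supported")
    matched = sorted(t for t in set(RULE_NAME.findall(expr)) if t in hits)
    threshold = int(m.group(1))
    return matched, len(matched), threshold, len(matched) > threshold


if __name__ == "__main__":
    matched, total, threshold, fired = evaluate_meta(META, hits_in_report(REPORT))
    print(f"matched={matched} sum={total} threshold=>{threshold} fired={fired}")
```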