SB_NEW_BULK & SB_NSP_VOLUME_SPIKE

[Bill Landry <bi...@pointshare.com>]

I noticed that the devs included the above experimental SenderBase tests
with SA 3.0.x, so I enabled them a few weeks ago and have found them to work
quite nicely.  The SB_NEW_BULK test has a much higher hit ratio, and
provides more accurate results than the SB_NSP_VOLUME_SPIKE test does, but
both have proved to be nice additional spam tests.

Set a low score for them in your local.cf and see how they work for you.

You can find the following info about these tests in your SA rules directory
in the 20_dnsbl_tests.cf file:
=====
# SenderBase information <http://www.senderbase.org/dnsresponses.html>
# these are experimental example rules

# sa.senderbase.org for SpamAssassin queries
# query.senderbase.org for other queries
header __SENDERBASE eval:check_rbl_txt('sb', 'sa.senderbase.org.')
tflags __SENDERBASE net

# S23 = domain daily magnitude, S25 = date of first message from this domain
header SB_NEW_BULK              eval:check_rbl_sub('sb', 'sb:S23 > 6.2 &&
(time - S25 < 120*86400)')
describe SB_NEW_BULK            Sender domain is new and very high volume
tflags SB_NEW_BULK              net

# S5 = category, S40 = IP daily magnitude, S41 = IP monthly magnitude
# note: accounting for rounding, "> 0.3" means at least a 59% volume spike
header SB_NSP_VOLUME_SPIKE      eval:check_rbl_sub('sb', 'sb:S5 =~ /NSP/ &&
S41 > 3.8 && S40 - S41 > 0.3')
describe SB_NSP_VOLUME_SPIKE    Sender IP hosted at NSP has a volume spike
tflags SB_NSP_VOLUME_SPIKE      net
=====

Bill