> Just a thought - what if we had some central servers for real time
> reporting where the SA rule hits and scores were reported in real time for
> some sort of live scoring or analysis or dynamic adjusting? Just thinking
> out loud here.


Something I've wanted to see for about 4 years now; i.e., as long as I've been
using SA. You could think of it as a super mass-check in realtime.

There are arguments that large hosting companies wouldn't let the data out
because it would compromise their mail stream. That would of course be true
if they sent the mail. If they just send the cumulative scores over the last
hour or whatever I don't see that being true; although doubtless some would
still consider that to be the case and wouldn't send it.

However, I'd bet that enough info would arrive from all parts of the globe to
be able to do weekly or maybe even every few hours rescoring runs and
publish new scores, pretty much like the virus guys publish new signatures
pretty quickly.

There is the question of how to integrate the new scores with local
rescoring, and even with local rules that were scored based on the original
score of the stock rules.

I think there are a half-dozen solutions to this that would be moderately
easy to implement. The most obvious would be sending score updates either
in the form of a multiplier or an adder to the original rule score rather
than as a raw score; this would preserve local overrides while still
adjusting the score to match daily hit rates. (Don't bother me with the
obvious point of adjusting zeroed scores off of zero. That is an exception
that simply has to be handled in the score readjustment; it isn't a
concept-breaker.)

If the rescoring client at a site wanted to be fancy, it could even send an
optional email to the mail admin telling him that some local rule is bad for
his health or that some zeroed rule has now become useful and should be
unzeroed. Or the like.

Loren
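
The multiplier/adder idea from the message above, as an added example that is not part of Loren's post or of SpamAssassin's code: each update is applied relative to whatever score is in effect locally, so a local override is adjusted rather than overwritten. Rule names, scores and the Update type are constructed, and leaving a zeroed rule at zero while producing a notice for the admin is an assumption about how the exception could be handled.

```python
# Added illustration: relative score updates that preserve local overrides.
# All rule names and numbers below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    kind: str      # "mul" = multiplier, "add" = adder
    value: float


def apply_updates(stock, local, updates):
    """Return (effective_scores, notices).

    stock:   rule -> score shipped with the ruleset
    local:   rule -> score set by the local admin (wins over stock)
    updates: rule -> Update, relative to the score currently in effect
    """
    effective, notices = {}, []
    for rule in sorted(set(stock) | set(local)):
        base = local.get(rule, stock.get(rule, 0.0))
        upd = updates.get(rule)
        if upd is None:
            effective[rule] = base          # no update: keep as is
            continue
        if upd.kind not in ("mul", "add"):
            raise ValueError(f"{rule}: unknown update kind {upd.kind!r}")
        if upd.kind == "mul" and upd.value < 0:
            raise ValueError(f"{rule}: negative multiplier would flip the rule")
        if base == 0.0:
            # Assumption: a rule the admin zeroed stays disabled. A
            # multiplier could never move it anyway; an adder is not applied.
            effective[rule] = 0.0
            if (upd.kind == "mul" and upd.value > 1) or \
               (upd.kind == "add" and upd.value > 0):
                notices.append(f"{rule}: zeroed locally, but the update "
                               "raises its score; consider unzeroing")
            continue
        new = base * upd.value if upd.kind == "mul" else base + upd.value
        effective[rule] = round(new, 3)
    return effective, notices


if __name__ == "__main__":
    stock = {"RULE_A": 2.0, "RULE_B": 1.0, "RULE_C": 3.0}
    local = {"RULE_A": 3.0, "RULE_C": 0.0, "LOCAL_X": 4.0}
    updates = {"RULE_A": Update("mul", 1.5), "RULE_B": Update("add", 0.5),
               "RULE_C": Update("mul", 2.0)}
    print(apply_updates(stock, local, updates))
```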