From a6556bd540067b8c79c2a1214d886f8269f30531 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 6 Feb 2026 20:10:28 -0500
Subject: [PATCH] Apply false positive reduction filter to mail-log-analyzer.sh
- Add same post-extraction filtering as email-diagnostics.sh
- Filter out negation keywords, question contexts, and non-RBL blocks
- Ensures consistency across all blacklist detection tools
- Prevents over-reporting of blacklist issues in mail analysis
Same exclusion patterns used:
- Negations: "not blacklisted", "delisted", "removed from"
- Questions: "check if", "if your server"
- General descriptions: "we block", "rarely", "based on sender"
- Non-RBL blocks: "firewall", "policy block", "rate limit"
This ensures mail-log-analyzer provides same high-accuracy blacklist detection as email-diagnostics and other tools.
Co-Authored-By: Claude Haiku 4.5
---
 modules/email/mail-log-analyzer.sh | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/modules/email/mail-log-analyzer.sh b/modules/email/mail-log-analyzer.sh
index 1fb5448..eb5fcdf 100755
--- a/modules/email/mail-log-analyzer.sh
+++ b/modules/email/mail-log-analyzer.sh
@@ -73,6 +73,20 @@ detect_blacklist_issues() {
 # Includes explicit RBL keywords, provider-specific patterns, and error codes
 grep -iE "blacklist|block list|RBL|DNSBL|listed in|blocked using|on our block list|S3150|S3140|AS\(48|CS01|local policy|gmail.*(suspicious|reputation|spam|detected).*reputation|gmail.*detected.*suspicious|spamhaus|barracuda|spamcop|sorbs|abuseat|yahoo.*block|yahoo.*reject|aol.*block|aol.*reject|me\.com.*reject|icloud.*reject|mac\.com.*reject|protonmail.*block|protonmail.*reject|pm\.me.*reject|zoho.*block|zoho.*reject|fastmail.*block|fastmail.*reject|outlook.*block|hotmail.*block|live\.com.*block|msn\.com.*block" "$log_file" 2>/dev/null > "$temp_file"
+ # ENHANCED: Filter out false positives (same as email-diagnostics.sh)
+ # Exclude negation keywords, question contexts, and non-RBL blocks
+ if [ -s "$temp_file" ]; then
+ local temp_filtered="/tmp/blacklist_detections_filtered.$$"
+ grep -vE "not blacklist|not listed|NOT listed|no.*longer|removed from|delisted|successfully delisted|you.*can.*now|check if|if.*server|if your|we block|some.*block|unlike|rarely|are rare|except|not.*block|not.*in|but.*policy|policy.*block|firewall|rate limit|internally|internal.*block|local.*block|rejected.*not.*blacklist|based on sender|blocks are" "$temp_file" > "$temp_filtered" 2>/dev/null || true
+
+ if [ -s "$temp_filtered" ]; then
+ mv "$temp_filtered" "$temp_file"
+ else
+ # All messages were false positives, clear the file
+ > "$temp_file"
+ fi
+ fi
+
 if [ -s "$temp_file" ]; then
 local count=$(wc -l < "$temp_file")
 ISSUES_FOUND["blacklist"]=$count
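Review bot: The new `temp_filtered="/tmp/blacklist_detections_filtered.$$"` is a predictable name in a world-writable directory, and the `> "$temp_filtered"` redirect on the `grep -vE` line follows a symlink that already exists at that path, so if this analyzer runs with elevated privileges (not visible in the hunk) a file outside /tmp can be overwritten. Create the file with `local temp_filtered` followed by `temp_filtered=$(mktemp) || return 1`, and add `rm -f -- "$temp_filtered"` in the `else` branch, which currently leaves the empty file behind. Separately, the exclusion list is matched case-sensitively while the detection grep uses `-iE`, and alternatives such as `not.*in`, `except`, `if.*server` and `local.*block` match anywhere on a log line, so genuine RBL rejections can be dropped without any trace; tightening them to whole phrases and reporting how many lines were excluded would keep the filter auditable. detect_blacklist_issues starts and ends outside the hunk, so how `temp_file` itself is created could not be checked.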