GBUdb
How do I find out why a specific IP triggered SNF?
You can ask GBUdb for its statistics on an IP using SNFClient.
You can look at the GBUdb X- headers that were injected for the scan.
You can look at the GBUdb data associated with the scan in the log.
The "why" will be that a sufficient number of messages from the IP matched pattern rules and an insufficient number of messages from the IP were clean.
If you want to know which pattern rules matched, look through the logs to find the IP in the GBUdb data for a scan; the scan information will show which pattern rules matched.
IP reputation data is always built from pattern match data on the local system. Other nodes in the GBUdb cloud contribute their opinion early on, but the local node's data always takes precedence.
Specific match information for each IP is not transmitted to us -- each node has its own perspective on each IP. This allows one system to rate an IP differently than another -- for example, if one system only ever receives spam from an IP then it may choose to block messages from that IP based on those statistics. Another system that regularly receives valid messages from that IP, or perhaps has certain pattern rules blocked which allow messages from that IP, will build statistics which show the IP to be a source of good messages.
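The log lookup described above can be scripted. The following is an added example, not part of the SNF documentation: it tallies, for one IP, how many scans matched pattern rules, how many were clean, and which rule IDs matched. The XML layout (an `<s>` element per scan, `<m>` per rule match, `<g>` for the GBUdb data), the attribute names, the `explain_ip` helper and the sample log are all assumptions constructed for illustration; adjust them to your own log configuration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, not real log data. ASSUMED layout: one <s> element per
# scan (s = result code), <m r='...'> per matched pattern rule, and
# <g i='...'> carrying the GBUdb data for the source IP of that scan.
SAMPLE_LOG = """\
<s u='20240101120000' m='a.msg' s='52' r='1001'>
  <m s='52' r='1001' i='10' e='42' f='m'/>
  <m s='63' r='2002' i='90' e='120' f='m'/>
  <g o='0' i='203.0.113.7' t='u' c='0.4' p='1' r='Caution'/>
</s>
<s u='20240101120500' m='b.msg' s='52' r='1001'>
  <m s='52' r='1001' i='15' e='47' f='m'/>
  <g o='0' i='203.0.113.7' t='u' c='0.5' p='1' r='Caution'/>
</s>
<s u='20240101121000' m='c.msg' s='0' r='0'>
  <g o='0' i='203.0.113.7' t='u' c='0.5' p='0.3' r='Normal'/>
</s>
<s u='20240101121500' m='d.msg' s='63' r='3003'>
  <m s='63' r='3003' i='5' e='30' f='m'/>
  <g o='0' i='198.51.100.9' t='u' c='0.1' p='1' r='New'/>
</s>
"""

def explain_ip(log_text, ip):
    """Summarise the scans whose GBUdb record names `ip`."""
    # The scan records have no common root element, so wrap them before parsing.
    root = ET.fromstring("<log>" + log_text + "</log>")
    summary = {"matched": 0, "clean": 0, "rules": Counter()}
    for scan in root.iter("s"):
        if not any(g.get("i") == ip for g in scan.iter("g")):
            continue  # this scan was for a different source IP
        rule_ids = [m.get("r") for m in scan.iter("m")]
        if rule_ids:
            summary["matched"] += 1
            summary["rules"].update(rule_ids)
        else:
            summary["clean"] += 1  # no pattern rule matched this message
    return summary

if __name__ == "__main__":
    result = explain_ip(SAMPLE_LOG, "203.0.113.7")
    print("scans with pattern matches:", result["matched"])
    print("clean scans:", result["clean"])
    for rule, count in result["rules"].most_common():
        print(f"rule {rule}: {count} match(es)")
```

The rule IDs at the top of the tally are the ones to review first when the IP's reputation looks wrong for your traffic.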
