On 9/23/18 8:31 AM, Kevin A. McGrail wrote:
> On 9/23/2018 9:04 AM, Henrik Krohns wrote:
>> I'm curious, are there guidelines on what can be added here?  How are these
>> lists generated?  Who verifies and checks that old domains don't age and go
>> to some spammers etc?  Most of the listed stuff seems pretty pointless for
>> general population.  Paypal and other _globally_ known services make sense.
>>
>> Should we encourage committers to add lists of say local banks and
>> government institutions?  I would have plenty, but I don't know if it's
>> SpamAssassin's purpose to be a global reputation service with all the
>> maintenance work it requires.
>
> I would say it's valuable and to add it.  People can always choose not
> to use our rulesets.


I have an automated method to find low-scoring trusted senders from a highly tuned SA instance. If these entries cause any problems, users can report them to the mailing list and they will be removed. So far there has been one entry reported that was too risky for the general population and it was reported and removed. Otherwise, I have feedback that it has helped improve FPs.

Keep in mind that these entries are usually subdomains that will not be user/human mailboxes that can be compromised. These entries are verified to be system-generated and have other rule hits making them trustworthy senders that honor opt-out requests without harvesting/validating the email addresses and handle abuse reports of their rogue customers.

My goal was to create low/zero risk entries that the mail filtering industry can see that promotes good SPF, DKIM, and DMARC settings to raise awareness all around the Internet.

Another purpose of these entries is to allow local meta rules of certain email content to add points to block junk senders while allowing through those senders in this list that are known to be good and honor opt-out requests.

Many of these entries are vetted by private RBLs and DBLs which indirectly helps those SA installations that aren't able to subscribe to those RBLs and DBLs or fine tune their SA rules and settings.

I proposed the idea on the mailing list a couple of years ago about having a centralized clearinghouse of known good senders but no one stepped up with any ideas. Paul Stead's dkimwl.org is the closest thing to this that I have found and I think this has been added to 3.4.2 commented out so some may enable it but most won't.

I have local whitelist_auth entries that are several times longer than what I am putting into SA with zero customer complaints and I am filtering for about 90,000 mailboxes. I know there are larger SA environments out there but we all can't publish our local (secret) meta rules without the spammers abusing them. However, we can publish these safe senders in the SA ruleset to promote good sending to get on the list.

If we want to document these guidelines for how these entries are vetted, I will be glad to do that and welcome others to help contribute to the entries to get input from all around the world since everyone has different mail flow seeing different trustworthy senders.

Dave
