I love documentation :-)

--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Sun, Sep 23, 2018 at 10:15 AM Dave Jones <[email protected]> wrote:

> On 9/23/18 8:31 AM, Kevin A. McGrail wrote:
> > On 9/23/2018 9:04 AM, Henrik Krohns wrote:
> >> I'm curious, are there guidelines on what can be added here? How are these lists generated? Who verifies and checks that old domains don't age and go to some spammers etc? Most of the listed stuff seems pretty pointless for general population. Paypal and other _globally_ known services make sense.
> >>
> >> Should we encourage committers to add lists of say local banks and government institutions? I would have plenty, but I don't know if it's SpamAssassin's purpose to be a global reputation service with all the maintenance work it requires.
> >
> > I would say it's valuable and to add it. People can always choose not to use our rulesets.
> >
>
> I have an automated method to find low-scoring trusted senders from a highly tuned SA instance. If these entries cause any problems, users can report it to the mailing list and they will be removed. So far there has been one entry reported that was too risky for the general population and it was reported and removed. Otherwise, I have feedback that it has helped improve FPs.
>
> Keep in mind that these entries are usually subdomains that will not be user/human mailboxes that can be compromised. These entries are verified to be system-generated and have other rule hits making them trustworthy senders that honor opt-out requests without harvesting/validating the email addresses and handle abuse reports of their rogue customers.
>
> My goal was to create low/zero risk entries that the mail filtering industry can see that promotes good SPF, DKIM, and DMARC settings to raise awareness all around the Internet.
>
> Another purpose of these entries is to allow local meta rules of certain email content to add points to block junk senders while allowing through those senders in this list that are known to be good and honor opt-out requests.
>
> Many of these entries are vetted by private RBLs and DBLs which indirectly helps those SA installations that aren't able to subscribe to those RBLs and DBLs or fine tune their SA rules and settings.
>
> I proposed the idea on the mailing list a couple of years ago about having a centralized clearinghouse of known good senders but no one stepped up with any ideas. Paul Stead's dkimwl.org is the closest thing to this that I have found and I think this has been added to 3.4.2 commented out so some may enable it but most won't.
>
> I have local whitelist_auth entries that are several times longer than what I am putting into SA with zero customer complaints and I am filtering for about 90,000 mailboxes. I know there are larger SA environments out there but we all can't publish our local (secret) meta rules without the spammers abusing them. However, we can publish these safe senders in the SA ruleset to promote good sending to get on the list.
>
> If we want to document these guidelines for how these entries are vetted, I will be glad to do that and welcome others to help contribute to the entries to get input from all around the world since everyone has different mail flow seeing different trustworthy senders.
>
> Dave
>
