Re: IADB whitelist

2017-12-25 Thread Bill Cole

On 25 Dec 2017, at 3:28 (-0500), Sebastian Arcus wrote:

> Also, any idea why are there 6 different rules associated with this
> particular whitelist?


IADB has many independent return codes that each have distinct meaning. 
See 
http://www.isipp.com/email-accreditation/about-the-codes/list-of-codes/ 
for details.


If you get mail from an IADB-listed sender that you are 100% sure is 
spam (i.e. not "I would never ask for such mail" but "the recipient 
absolutely did not consent to receiving this mail.") then you should 
report that to ISIPP. "ab...@suretymail.com" is the reporting address 
listed on their website and while I've not had cause to use it, people I 
trust with no reason to lie say that reports to that address do actually 
work to either change sender behavior or eliminate listings. Anne 
Mitchell (head of ISIPP) is an ex-coworker of mine whose integrity and 
dedication to the anti-spam fight (which is dependent on keeping 
*wanted* mail deliverable) I can personally vouch for.


However, the different responses from IADB are VERY nuanced and the two 
strongest rules you listed (RCVD_IN_IADB_OPTIN and RCVD_IN_IADB_VOUCHED) 
are essentially "good intentions" markers. Due to unfortunate 
terminology choices by ISIPP and a willingness to engage in nuance and 
estimate intentions, those aren't really as worthwhile as they might 
seem. The IADB definition of "All mailing list mail is opt-in" is 
(effectively) "we believe that this ESP believes in good faith that 
every recipient has chosen to receive this mail." Their "vouching" for a 
record is an assertion that either the ESP is personally known to ISIPP 
staff as competent and honest OR has maintained stable positive listings 
for >6 months. I'm pretty sure I don't want ANY score for a non-vouched 
record and unlike ISIPP (and some valuable SA contributors!) I really 
don't care much about ESPs' intentions or responsiveness to complaints, 
only about actual spamming behavior. So I have made substantial 
modification on my own system to how IADB results are scored, but those 
specific adjustments are probably not fit for most other sites.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
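
The audit below is an added example, not part of Bill Cole's message or any other post in this thread. It totals the RCVD_IN_IADB_* credit in the report lines quoted in this thread, checks whether that credit alone keeps the shown lines under SpamAssassin's default required_score of 5.0, and prints local.cf score lines that cap the combined credit. The function names and the -1.0 cap are assumptions chosen for illustration.

```python
import re
from decimal import Decimal

# Rule lines from the report quoted in this thread; the rest of that report
# is not shown on the page, so the totals below cover these lines only.
REPORT = """\
-1.5 RCVD_IN_IADB_OPTIN RBL: IADB: All mailing list mail is opt-in
     [205.201.128.83 listed in iadb.isipp.com]
-0.1 RCVD_IN_IADB_DK RBL: IADB: Sender publishes Domain Keys record
-0.2 RCVD_IN_IADB_RDNS RBL: IADB: Sender has reverse DNS record
-0.0 RCVD_IN_IADB_SENDERID RBL: IADB: Sender publishes Sender ID record
-2.2 RCVD_IN_IADB_VOUCHED RBL: ISIPP IADB lists as vouched-for sender
-0.1 RCVD_IN_IADB_SPF RBL: IADB: Sender publishes SPF record
-0.0 RCVD_IN_IADB_LISTED RBL: Participates in the IADB system
-0.0 RCVD_IN_IADB_OPTIN_GT50 RBL: IADB: Opt-in used more than 50% of the time
 2.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
 2.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
"""

RULE_LINE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\s")

def parse_report(text):
    """Return {rule_name: Decimal score}; bracketed detail lines are skipped."""
    hits = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits[m.group(2)] = Decimal(m.group(1))
    return hits

def whitelist_impact(hits, prefix="RCVD_IN_IADB_", required=Decimal("5.0")):
    """Sum one list's rules and report whether they alone flip the verdict."""
    wl = sum((s for r, s in hits.items() if r.startswith(prefix)), Decimal(0))
    total = sum(hits.values(), Decimal(0))
    without = total - wl
    return {"whitelist": wl, "total": total, "without": without,
            "flips_verdict": total < required <= without}

def capped_overrides(hits, prefix="RCVD_IN_IADB_", cap=Decimal("-1.0")):
    """Scale the list's negative scores so their sum is no lower than cap."""
    wl = {r: s for r, s in hits.items() if r.startswith(prefix) and s < 0}
    combined = sum(wl.values(), Decimal(0))
    if combined >= cap:  # cap is negative; credit is already within it
        return []
    factor = cap / combined
    return [f"score {r} {(s * factor).quantize(Decimal('0.001'))}"
            for r, s in sorted(wl.items())]

if __name__ == "__main__":
    print(whitelist_impact(parse_report(REPORT)), *capped_overrides(parse_report(REPORT)), sep="\n")
```

The emitted score lines can be pasted into a local .cf file; they keep the relative weighting of the rules that hit while bounding what the list as a whole can subtract.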


Re: IADB whitelist

2017-12-25 Thread Sebastian Arcus


On 25/12/17 10:45, Reindl Harald wrote:
> On 25.12.2017 at 09:28, Sebastian Arcus wrote:
>> On 23/12/17 10:01, Kevin A. McGrail wrote:
>>> The 1st step is that a representative of the rbl asks us to consider
>>> for inclusion.
>>
>> Thank you. If enough people receive spam sanctioned by a particular
>> whitelist, will the minus scores associated with their rule(s) be
>> reduced over time?
>
> maybe, but why not just override the score in local.cf
>
> /etc/mail/spamassassin/local-*.cf
> score RCVD_IN_IADB_DK -0.3
> score RCVD_IN_IADB_DOPTIN -1.0
> score RCVD_IN_IADB_DOPTIN_GT50 -0.5
> score RCVD_IN_IADB_DOPTIN_LT50 -0.1
> score RCVD_IN_IADB_LISTED -0.001
> score RCVD_IN_IADB_ML_DOPTIN -2.5
> score RCVD_IN_IADB_OPTIN -0.05
> score RCVD_IN_IADB_OPTIN_GT50 -0.2
> score RCVD_IN_IADB_OPTIN_LT50 -0.1
> score RCVD_IN_IADB_RDNS -0.05
> score RCVD_IN_IADB_SENDERID -0.5
> score RCVD_IN_IADB_SPF -0.1
> score RCVD_IN_IADB_VOUCHED -2.0

I know I can override the scores for all sorts of things in local.cf.
The reason I was raising the question is because I was wondering if
whitelists can be used by unscrupulous marketing organisations to
effectively undo what is one of the main functions of SA - to reduce or
stop unsolicited email.

>> Also, any idea why are there 6 different rules associated with this
>> particular whitelist?
>
> these are 6 different lists, just read the description you even posted
> on the right side of the score

Well, they might be technically 6 different lists, but IADB is one
single entity, and including 6 different whitelists from them only looks
like a way to reduce the SA score for email from their "certified"
senders further. After all SA already checks separately for things like
RDNS, DKIM, SPF.







>>> On December 23, 2017 3:03:26 AM EST, Sebastian Arcus wrote:
>>>> What is the process of including whitelists in SA default configs? It is
>>>> not the first time I see pretty obvious mailing list spam which has
>>>> quite high minus scores from 2-3 whitelists included in SA:
>>>>
>>>> -1.5 RCVD_IN_IADB_OPTIN      RBL: IADB: All mailing list mail is opt-in
>>>>                              [205.201.128.83 listed in iadb.isipp.com]
>>>> -0.1 RCVD_IN_IADB_DK         RBL: IADB: Sender publishes Domain Keys record
>>>> -0.2 RCVD_IN_IADB_RDNS       RBL: IADB: Sender has reverse DNS record
>>>> -0.0 RCVD_IN_IADB_SENDERID   RBL: IADB: Sender publishes Sender ID record
>>>> -2.2 RCVD_IN_IADB_VOUCHED    RBL: ISIPP IADB lists as vouched-for sender
>>>> -0.1 RCVD_IN_IADB_SPF        RBL: IADB: Sender publishes SPF record
>>>> -0.0 RCVD_IN_IADB_LISTED     RBL: Participates in the IADB system
>>>> -0.0 RCVD_IN_IADB_OPTIN_GT50 RBL: IADB: Opt-in used more than 50% of the time
>>>>
>>>> For the same message, Pyzor has a high score - which is correct:
>>>>
>>>> 2.5 RAZOR2_CF_RANGE_51_100   Razor2 gives confidence level above 50%
>>>>                              [cf: 100]
>>>> 2.5 RAZOR2_CHECK             Listed in Razor2 (http://razor.sf.net/)


Re: IADB whitelist

2017-12-25 Thread Kevin A. McGrail
I certainly look at all fns and fps and make changes to try and fix things in 
the overall ecosystem.  

If you have evidence of such problems, throw it in pastebin.

Beyond that I don't usually focus on one rule and you can always override 
scores / disable rules in your own cf file.

I don't remember about iadb but I know isipp is open to input.  You should ask 
them about the 6 rules.
Merry Christmas,
KAM

On December 25, 2017 3:28:11 AM EST, Sebastian Arcus wrote:
>On 23/12/17 10:01, Kevin A. McGrail wrote:
>> The 1st step is that a representative of the rbl asks us to consider for
>> inclusion.
>
>Thank you. If enough people receive spam sanctioned by a particular
>whitelist, will the minus scores associated with their rule(s) be
>reduced over time? Also, any idea why are there 6 different rules
>associated with this particular whitelist?
>
>> Regards,
>> KAM
>>
>> On December 23, 2017 3:03:26 AM EST, Sebastian Arcus wrote:
>>
>> What is the process of including whitelists in SA default configs? It is
>> not the first time I see pretty obvious mailing list spam which has
>> quite high minus scores from 2-3 whitelists included in SA:
>>
>> -1.5 RCVD_IN_IADB_OPTIN      RBL: IADB: All mailing list mail is opt-in
>>                              [205.201.128.83 listed in iadb.isipp.com]
>> -0.1 RCVD_IN_IADB_DK         RBL: IADB: Sender publishes Domain Keys record
>> -0.2 RCVD_IN_IADB_RDNS       RBL: IADB: Sender has reverse DNS record
>> -0.0 RCVD_IN_IADB_SENDERID   RBL: IADB: Sender publishes Sender ID record
>> -2.2 RCVD_IN_IADB_VOUCHED    RBL: ISIPP IADB lists as vouched-for sender
>> -0.1 RCVD_IN_IADB_SPF        RBL: IADB: Sender publishes SPF record
>> -0.0 RCVD_IN_IADB_LISTED     RBL: Participates in the IADB system
>> -0.0 RCVD_IN_IADB_OPTIN_GT50 RBL: IADB: Opt-in used more than 50% of the time
>>
>> For the same message, Pyzor has a high score - which is correct:
>>
>> 2.5 RAZOR2_CF_RANGE_51_100   Razor2 gives confidence level above 50%
>>                              [cf: 100]
>> 2.5 RAZOR2_CHECK             Listed in Razor2 (http://razor.sf.net/)


Re: IADB whitelist

2017-12-25 Thread Sebastian Arcus

On 23/12/17 10:01, Kevin A. McGrail wrote:
> The 1st step is that a representative of the rbl asks us to consider for
> inclusion.

Thank you. If enough people receive spam sanctioned by a particular
whitelist, will the minus scores associated with their rule(s) be
reduced over time? Also, any idea why are there 6 different rules
associated with this particular whitelist?

> Regards,
> KAM
>
> On December 23, 2017 3:03:26 AM EST, Sebastian Arcus wrote:
>
>> What is the process of including whitelists in SA default configs? It is
>> not the first time I see pretty obvious mailing list spam which has
>> quite high minus scores from 2-3 whitelists included in SA:
>>
>> -1.5 RCVD_IN_IADB_OPTIN      RBL: IADB: All mailing list mail is opt-in
>>                              [205.201.128.83 listed in iadb.isipp.com]
>> -0.1 RCVD_IN_IADB_DK         RBL: IADB: Sender publishes Domain Keys record
>> -0.2 RCVD_IN_IADB_RDNS       RBL: IADB: Sender has reverse DNS record
>> -0.0 RCVD_IN_IADB_SENDERID   RBL: IADB: Sender publishes Sender ID record
>> -2.2 RCVD_IN_IADB_VOUCHED    RBL: ISIPP IADB lists as vouched-for sender
>> -0.1 RCVD_IN_IADB_SPF        RBL: IADB: Sender publishes SPF record
>> -0.0 RCVD_IN_IADB_LISTED     RBL: Participates in the IADB system
>> -0.0 RCVD_IN_IADB_OPTIN_GT50 RBL: IADB: Opt-in used more than 50% of the time
>>
>> For the same message, Pyzor has a high score - which is correct:
>>
>> 2.5 RAZOR2_CF_RANGE_51_100   Razor2 gives confidence level above 50%
>>                              [cf: 100]
>> 2.5 RAZOR2_CHECK             Listed in Razor2 (http://razor.sf.net/)