On 20 Oct 2016, at 12:14, Ian Zimmerman wrote:

Whitelisted senders get a _huge_ bonus (I think it's 100 points by
default, maybe customizable), so they won't be affected if you do it
right.

The blocker to that approach has already been stated: they have no mechanism for users to add their contacts to the SA static whitelist.

The problem with using the AWL or TxRep databases for this is that they cut both ways and are TOO automatic. This is a legitimate need that lacks a really good solution inside SpamAssassin because it needs to draw on end-user knowledge to exempt specific messages from exterior border filtering. The canonical solution would be to give users a way to feed their important contacts into a static whitelist but as far as I know, there's no widely-used tool for doing that with SA. Everyone seems to build their own idiosyncratic mechanisms for user feedback or they have none.

If one has an existing mechanism for automating user feedback of missed spam into the BayesDB, it could in principle be inverted to let users report mail that should be learned as ham, but that's not really ideal for this case because the problem is in content patterns that are common between the most valuable and most dangerous messages. Learning a lot of legitimate invoices or other important mail as ham will help the best-crafted spear-phishing messages as well. Also, this is a bit hypothetical given how many users just don't bother with feedback tools or misreport messages.

An alternative (imperfect) approach would be to use a meta rule making the anti-phish local rules strong only if a message lacks trustworthy authentication, e.g. DKIM_VALID_AU. Obviously this will catch legitimate but unsigned mail, however as long as one either tags and delivers spam or rejects it in SMTP, that will provide notice and incentive to get legitimate correspondents to sign their mail. In principle it would be wise for everyone to encrypt all high-value mail, but that's probably too high a bar to require for most businesses. I've seen that tried to some degree, requiring anyone invoicing via email to encrypt invoice mail, but it largely pushed vendors back to postal and non-email electronic mechanisms rather than got them to behave securely.
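A SpamAssassin local.cf fragment showing the meta-rule approach described above: an added example, not from anyone in this thread. The __LOCAL_PHISH_WORDS sub-rule, its pattern and the scores are hypothetical stand-ins for a site's real anti-phish rules; DKIM_VALID_AU is the stock rule from the DKIM plugin and must be loaded for the meta rule to work.

```conf
# Hypothetical anti-phish content rule. Leading "__" makes it a sub-rule:
# it carries no score of its own and only contributes through the meta rule,
# so legitimate signed invoices are not penalised by the wording alone.
body      __LOCAL_PHISH_WORDS   /\b(?:wire\s+transfer|updated\s+bank\s+details|overdue\s+invoice)\b/i

# Weak form (what the thread warns against): scoring the content pattern
# directly hits real invoices as hard as spear-phish. Kept here, disabled, only
# to show the contrast with the gated rule below.
# meta    LOCAL_PHISH_ANY       __LOCAL_PHISH_WORDS
# score   LOCAL_PHISH_ANY       3.5

# Gated form: the content pattern counts only when the message lacks an
# author-domain-aligned DKIM signature (DKIM_VALID_AU comes from
# Mail::SpamAssassin::Plugin::DKIM, which needs Mail::DKIM installed and the
# plugin enabled in v312.pre or equivalent).
meta      LOCAL_PHISH_UNSIGNED  __LOCAL_PHISH_WORDS && !DKIM_VALID_AU
describe  LOCAL_PHISH_UNSIGNED  Payment/invoice phishing wording without aligned DKIM
score     LOCAL_PHISH_UNSIGNED  3.5

# Unsigned but legitimate senders will hit LOCAL_PHISH_UNSIGNED; keep the score
# below the site threshold so it tags rather than rejects on its own, and check a
# sample with:  spamassassin -t < message.eml
```

Run the sample through `spamassassin -t` twice, once with a message carrying a valid aligned DKIM signature and once without, to confirm only the unsigned copy lists LOCAL_PHISH_UNSIGNED in its report.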
