Bill Cole <sausers-20150...@billmail.scconsult.com> writes: 1> On 2025-05-06 at 12:33:00 UTC-0400 (Tue, 06 May 2025 12:33:00 -0400) > Greg Troxel <g...@lexort.com> > is rumored to have said: > [...] >> I think we have arrived at it being time to just drop all VALIDITY >> rules >> from the default rulset. Even if people using them in meta rules have >> to adjust (or add them back as local config). The query limits are so >> low that it is hard to imagine any significant fraction of >> spamassassin >> users being ok with them. > > In what way it is harmful for those rules to be left in place, given > that SA disables 'blocked' DNSBL servers when it encounters them.
It spams the score reports for every mail. It provides advertising for a for-pay BL service. There's a security issue (below). > I'm not a fan of Validity and I don't even believe that they have been > honest here or have acted in good faith. But whether or not we change > the default rules is not based on how trusted the Validity folks are > or even how useless their lists have become. What if we were in a situation where these BLs were not in the default ruleset. Would we consider adding them? I realize we need some hysteresis, but I can't see that we would be even close to adding, given how things are. > I'm always eager to make changes that actually improve SA. I am much > more uneasy about making changes that are entirely cosmetic. There's also the security issue, that default RBLs get a feed of incoming delivery addresses vs receiving DNS querier. Therefore I think default RBLs shoudl only be allowed if they have a credible published privacy policy that says there is no logging of any association from querying IP and mail-sending IP. (I think it's ok to count queries from a querier, and above-the-line to have stats on senders.) To me, it comes down to thinking that there's no way this would get added now.
