On 2025-05-07 at 11:19:47 UTC-0400 (Wed, 07 May 2025 11:19:47 -0400)
Greg Troxel <g...@lexort.com>
is rumored to have said:
Bill Cole <sausers-20150...@billmail.scconsult.com> writes:
On 2025-05-06 at 12:33:00 UTC-0400 (Tue, 06 May 2025 12:33:00 -0400)
Greg Troxel <g...@lexort.com>
is rumored to have said:
[...]
I think we have arrived at it being time to just drop all VALIDITY rules
from the default ruleset. Even if people using them in meta rules have
to adjust (or add them back as local config). The query limits are so
low that it is hard to imagine any significant fraction of spamassassin
users being ok with them.
In what way is it harmful for those rules to be left in place, given
that SA disables 'blocked' DNSBL servers when it encounters them?
It spams the score reports for every mail.
Incorrect. Note what SA now does after hitting a BLOCKED rule.
It provides advertising for a for-pay BL service.
Oh come on... Advertising in spam filtering logs and maybe headers?
Quite a stretch.
Note that if any service provider started to really use any ASF
trademarks (such as "SpamAssassin") in advertisement they would tangle
with the ASF legal department.
There's a security issue (below).
I'm not a fan of Validity and I don't even believe that they have been
honest here or have acted in good faith. But whether or not we change
the default rules is not based on how trusted the Validity folks are
or even how useless their lists have become.
What if we were in a situation where these BLs were not in the default
ruleset. Would we consider adding them? I realize we need some
hysteresis, but I can't see that we would be even close to adding, given
how things are.
I would absolutely oppose adding them now, if they had not already been
there for many years.
I'm always eager to make changes that actually improve SA. I am much
more uneasy about making changes that are entirely cosmetic.
There's also the security issue, that default RBLs get a feed of
incoming delivery addresses vs receiving DNS querier. Therefore I think
default RBLs should only be allowed if they have a credible published
privacy policy that says there is no logging of any association from
querying IP and mail-sending IP.
That's not exactly nothing, but it is awfully close. The fact is that
such associations are far from being useful, because any mail server
will, in normal operation, see connections from everywhere and only ask
about a fraction of connections due to DNS caching and -- for blocked
systems -- SA's dynamic disablement.
(I think it's ok to count queries from
a querier, and above-the-line to have stats on senders.)
To me, it comes down to thinking that there's no way this would get
added now.
That is absolutely true but it is not *for me* a sufficient reason to
remove a longstanding rule. I would need to be convinced that the
marginal improvements in noise and privacy for most users greatly
outweigh the risk that removing the rules will quietly break useful
local configurations.
That's *NOT* a veto, because there is no formal vote being held. Any
committer COULD remove the Validity rules, although I would hope that
would get a broader discussion first. I'm not eager to put my name on
that choice, but if the users and other PMC members broadly want
Validity gone, I won't oppose it any further than this explanation.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire