At 10:18 AM 8/15/2005, Loren Wilton wrote:
> My very minimal experience with Bonded Sender is that the people who
> contract directly are mostly fairly legit.  The people who contract through
> the clever guilt-sharing arrangement at constant contact are spammers.

Agreed.


> Be aware though that MANY spammers forge bonded sender tags.  If you have
> one of the older methods of checking bonded sender, it is very probable that
> a lot of your failures are forgeries that the newer bonded sender methods
> should correctly detect.

Erm, you're thinking of HABEAS SWE. Bonded sender doesn't have a tag in the headers, so there's nothing to forge.

Bondedsender is based on your IP address. Bonded sender works like a DNSBL, but is a DNSWL (DNS white list).

If BSP_TRUSTED hits in SA one of two things is true:

1) The server delivering mail has a bond, and you can complain and cost the owner of the server money against the bond.

2) Your trusted_networks isn't set properly, usually due to having a NATed mailserver, or some other arrangement where the first internet routable, non-reserved, IP in the headers isn't your server. This causes SA to trust one more header than it should, and spammers can insert a forged Received: header that SA will honor for this test that it shouldn't.


Most people having problems with BSP are in category 2, or consider subscriber mail to be spam. (There is a lot of spam-ish subscriber mail out there; my users subscribe to lots of it, on purpose, and it's often hard for me to tell without asking the recipient. I also have users that claim that Amazon mail is spam, even though they bought items there and didn't clear the "send me special offers" check box.)


Of course, there are some real spammers using servers with real bonds... Start reporting them to bondedsender, the costs will eventually cause them to cancel the bond.

This goes double for contract-thru arrangements. The cost of the complaint goes against the bond, which will encourage the bond's owner to reduce spam volume to reduce their costs. If the money in the bond runs out, their BSP listing goes away. Although BSP might let them put more money in, you're at least incurring a direct cost to the sender of spam.


> I would not go so far as to say bonded sender is crap.  I would however say
> that it is of fairly minimal usefulness in detecting whether a message is
> spam.  The SURBL list, for instance, is far, far, better.

Well, it's *completely* useless at detecting if a message is spam. So as a primary basis of a spam filter, I agree, it's useless.

BSP only tells you if the sending server has a bond, so it's only useful in telling you if the message is less likely to be spam.

BSP has no implications that would indicate any message is spam. And it doesn't even tell you the message isn't spam, it only tells you the server owner is putting his money where his mouth is.
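
The trusted_networks failure in case 2, as an added example that is not part of the original message and is not SpamAssassin's code: a simplified Python model of which relay IP an IP-based whitelist test ends up querying behind NAT. The header format, hostnames, documentation-range IPs, the `whitelist_lookup_ip` helper and the inference rule for the unset case are all constructed assumptions based on the description above.

```python
import ipaddress
import re

# RFC 1918 and loopback ranges, treated as non-routable in this model.
RESERVED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed, simplified Received: lines, newest first. The second line was
# written by the sending host, so its "from" address is whatever it claims.
HEADERS = [
    "from sender.example ([203.0.113.5]) by mail.internal.example ([192.168.1.10])",
    "from bonded.example ([198.51.100.7]) by sender.example ([203.0.113.5])",
]

HOP = re.compile(r"from \S+ \(\[([\d.]+)\]\) by \S+ \(\[([\d.]+)\]\)")

def parse_hops(headers):
    """Return (from_ip, by_ip) pairs in header order (newest first)."""
    hops = []
    for line in headers:
        m = HOP.search(line)
        if m:
            hops.append(tuple(ipaddress.ip_address(g) for g in m.groups()))
    return hops

def whitelist_lookup_ip(headers, trusted_networks=None):
    """Return the relay IP an IP-based whitelist test would query."""
    hops = parse_hops(headers)
    if trusted_networks is None:
        # Assumed inference (simplified): the first routable, non-reserved IP
        # in the headers is taken to be the local server and is trusted.
        seen = [ip for frm, by in hops for ip in (by, frm)]
        guess = next((ip for ip in seen
                      if not any(ip in n for n in RESERVED)), None)
        trusted = RESERVED + ([ipaddress.ip_network(str(guess))] if guess else [])
    else:
        trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    # Each header is believed only if a trusted host wrote it; the first
    # untrusted "from" address is the one checked against the whitelist.
    for frm, _by in hops:
        if not any(frm in n for n in trusted):
            return str(frm)
    return None

if __name__ == "__main__":
    print("unset:", whitelist_lookup_ip(HEADERS))
    print("set:  ", whitelist_lookup_ip(HEADERS, ["192.168.1.0/24"]))
```

With the internal range listed explicitly, the lookup falls on the host that actually connected; with nothing set, the model trusts that host and queries the address from the header it wrote.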
