Robert and Matt,

Thanks for taking the time to write such thoughtful replies, it's appreciated. Please forgive the long reply!

I should have probably gone into more detail about what our company does, but I didn't dig too deep initially for fear of scaring you off in my first post! ;) We currently deliver roughly 10 million emails a month to our registered users (please note again, though - we are talking 100% opt-in data, and we don't buy in data or lists from anyone; all our data has been generated in-house) and we use some pretty sophisticated email hardware and software to manage this.

Our IT manager is pretty up on the technical side of things and has good relationships with most of the key ISP and web-based email players. I don't think we've got too many issues on that side of things. We are very honest and open in our mail headers and sending processes, and host images and other email-related content on transparently named servers to avoid possible confusion and reduce False Positives. I'm not too sure about our ipt-ltd.co.uk web address IP lookup issue, but we send emails from transparently named domains that definitely don't have issues with IPs or potentially dodgy names.

We are also very clear in all of our email communications about where the email has come from, and always offer our users three methods of unsubscribing (via email, online, or by post). We have very clear privacy policies on all of our consumer-facing websites, which are linked to in all our email communications.

Robert's comment about which companies we choose to allow to advertise in our emails is a valid and interesting one. Although we have certainly never sent emails pertaining to relate to spam or spam services (our business is too valuable to do so, and I'd certainly have ethical issues over that), it's interesting to think that some companies or services could potentially be hampering our ability to output.

Matt's numbered comments were very useful, too - although we've got a clean bill of health on most of those points.
Something I spearheaded about a year ago was ensuring all of our internal and client emails are 100% HTML validated. I saw this as a no-brainer - it's obvious that as a legitimate mailer you've got enough problems to deal with without worrying about being flagged up for simple issues such as mis-matching tag pairs or bad encoding methods.

It sounds like there probably aren't any sources available with explicit information regarding SA's rules. It was interesting to read people's views regarding the rules though. On one hand, you have the argument that going into too much detail would aid spammers; on the other, you have the view that obfuscating the rules only serves to cause as much confusion for legitimate mailers as it hampers the spammers. The SA website's FAQ touches on this: "A common question regarding SpamAssassin's rules is, why aren't they kept secret? Doesn't publishing the rules alert the 'bad guys', causing them to change their spam patterns to evade the rule? This is true, but only to a degree. In a way, this is an example of the 'Security through obscurity' fallacy."

I see it as a bit catch-22, though - if you don't have enough information, it's hard to ensure you're complying correctly; if you have too much information, it aids spammers. Being quite technically inclined, we can make sense of most of SA's rules... but some are too obscure to make sense of. Whilst it's a valid comment to say that as a legitimate mailer delivering good quality, solicited content, that you shouldn't need to worry too much about the rule specifics, it's quite possible to send a 100% validated HTML email that on the surface appears to be very clear cut in its message, isn't hosting images on suspect domains and is using a sensible balance of code vs copy, to still fall foul of some standard scoring rules.

So it sounds like my best bet is to ask on this list for info on those specific few rules which keep nagging at us and we can't make sense of.
And thanks for the abuse.net suggestion Robert, we'll look into that and make sure it's set up.

Thanks again for your time and help,
Blake

-----Original Message-----
From: Robert Menschel [mailto:[EMAIL PROTECTED]
Sent: 13 October 2005 04:10
To: users@spamassassin.apache.org
Subject: Re: Spam Assasin rule details

Hello Blake,

Wednesday, October 12, 2005, 3:59:47 AM, you wrote:

BG> I work for a marketing company (I feel those groans, believe
BG> me) who only send 100% opt-in emails to our existing users. We're
BG> currently using SpamAssassin internally for pre-checking our email
BG> communications to avoid common problems of false positives.
BG> Although we have a very experienced technical team and can make
BG> sense of a lot of SA's rules, some have left us scratching our
BG> heads.

Personally, I wouldn't worry about those rules, or any SpamAssassin rules. The rules catch spam. If your email isn't spam, you shouldn't be matching the rules.

As Matt said, be honest in your headers. Be accurate in who you are (From), which systems the email goes through, preferably from your own servers, using your own domain name.

Use a domain name which is identified by a verifiable IP address. I can't send this response to you, because my email system finds no IP address for ipt-ltd.co.uk. That will get you blocked by many systems before your email ever gets anywhere near SpamAssassin. (If I didn't have some good ideas here that I think might be added to the Wiki, I wouldn't post this at all because of this possible hiding of your actual source.)

Use an intelligent message id which ties correctly to your system. Use an intelligent mailing agent, one which identifies itself in the headers and which isn't heavily used by spammers. Make sure your date header is correctly formatted and in the correct time zone.

Using SPF identification for your domain helps. It won't flag you as a good guy directly, but it will prevent bad guys from successfully masquerading as you.
Be careful which domains/companies you allow to advertise in your emails (if any). Allowing spammers to advertise will get your emails flagged by the URI blacklists. On the other hand, don't advertise your domains with spammers -- having your domain name listed in their spams can also get you flagged by some URI blacklists.

Be visible and public in your domain and hosting registrations. If people who check for you to see whether you might be a spammer, or to complain/ask about your emails, find bogus entries in your registrations, or "private" or "hidden" annotations, that strongly suggests you are a spammer, hiding from an outraged public. If you are open about who you are in your registration emails, you'll get some complaints and some queries. Answer those honestly and fully, and you should stay out of blacklists.

Make sure you have active and monitored abuse@ and postmaster@ addresses. Register them with abuse.net.

Make sure your privacy policy, including enforcement, and including query contact information, is easily found and clearly stated on your web site. It's good to include this information in your emails. Again, people who need to find out whether you're a spammer will often look for that information.

Matt gave various specifics concerning the email content itself, but they all boil down to: be open and honest and plain in your emails. If you try to hide things, or try to use tricks to bypass spam filters, you'll look like a spammer and you'll be treated like a spammer.

An important trick, if you're using HTML emails, is to use high quality HTML emails. Don't use tools which generate horrendous HTML (example: MS Word). They often leave signs behind (like empty tags, eg: <B></B>) which are generally found in spam. Make sure your HTML is valid (run it through a decent validator). Unbalanced tags and invalid tags will also flag an email as spam.
If you use a title, make sure the title is meaningful -- the default titles generated by HTML tools are often used as spamsign.

If you're using HTML emails, include a text part in the email as well, for recipients (and anti-spam checkers), and keep that text as close to the HTML copy as possible. The closer they're related, the less likely your email will be seen as spam.

OK -- one suggestion which actually does relate to SpamAssassin rules; don't include gratuitous references to spam subjects. Don't talk about rolex watches, sexually oriented activities or drugs, or debt treatment, unless those topics directly relate to your email. And if they do, limit your email to one topic at a time. An email which mentions rolex watches, Viagra, porn, and debt all in one email will very possibly hit several rules that flag it as spam, even if everything else is clear.

Other ideas can be found at http://wiki.apache.org/spamassassin/AvoidingFpsForSenders (and maybe some of these ideas should be added to that page...)

Bob Menschel

________________________________________________________________________
This e-mail has been scanned for all viruses by Star. The service is powered by MessageLabs. For more information on a proactive anti-virus service working around the clock, around the globe, visit: http://www.star.net.uk
________________________________________________________________________

----------------------------------------------------------------------
This message has been scanned for viruses and dangerous content by IPT MailScanner, and is believed to be clean.
Interactive Prospect Targeting http://www.ipt-ltd.co.uk/
----------------------------------------------------------------------
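
The HTML points in the quoted reply above (no empty pairs such as <B></B>, balanced tags, no tool-default title, a text part alongside the HTML) can be checked on an outgoing message before it is sent. The sketch below is an added example, not part of the original thread and not SpamAssassin's own rule logic; `TagAudit`, `lint_body`, the default-title list and the sample message are assumptions made for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "meta", "link", "input"}   # elements with no end tag
DEFAULT_TITLES = {"untitled document", "new page 1"}  # assumed examples of tool defaults

class TagAudit(HTMLParser):
    """Finds unbalanced tags, empty pairs like <B></B>, and the <title> text."""
    def __init__(self):
        super().__init__()
        self.stack, self.problems, self.title, self.filled = [], [], "", True
    def handle_starttag(self, tag, attrs):
        self.filled = tag in VOID          # a fresh non-void element starts out empty
        if tag not in VOID:
            self.stack.append(tag)
    def handle_data(self, data):
        self.filled = self.filled or bool(data.strip())
        if self.stack and self.stack[-1] == "title":
            self.title += data.strip().lower()
    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if self.stack and self.stack[-1] == tag:
            self.stack.pop()
            if not self.filled:
                self.problems.append(f"empty <{tag}></{tag}>")
        else:
            self.problems.append(f"unbalanced </{tag}>")
            while tag in self.stack and self.stack.pop() != tag:
                pass  # recover: drop unclosed children down to the matching open tag
        self.filled = True                 # the parent now has content (this child)

def lint_body(raw):  # raw: one message as a string; returns a list of findings
    msg = message_from_string(raw, policy=policy.default)
    html = msg.get_body(("html",))
    if html is None:
        return []
    audit = TagAudit()
    audit.feed(html.get_content())
    out = audit.problems + [f"unclosed <{t}>" for t in audit.stack]
    if audit.title in DEFAULT_TITLES:
        out.append("tool-default <title>")
    if msg.get_body(("plain",)) is None:
        out.append("no text/plain alternative")
    return out

# Constructed sample: single-part HTML mail with the defects named in the thread.
SAMPLE = ("From: news@example.com\nContent-Type: text/html\n\n<html><head><title>Untitled Document"
          "</title></head><body><p>Hello <B></B><i>reader</p></body></html>\n")
```

Calling `lint_body(SAMPLE)` reports the empty pair, the unbalanced tag, the default title and the missing text part; a clean multipart/alternative message returns an empty list.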