Blake, there is a perhaps annoying but effective option you can take.
Try running up three or four SpamAssassin configurations and send a
prospective message from a special account you have on another machine
address to your test machine. Then run that email through all of your
spamassassin configurations. The "-C" option can be used to give you
different selections of SARE rules. At least one should be setup with
a thoroughly silly selection of almost all the rules.
I have some places I to which I have subscribed that punch through into
spam classifications, some very regularly (I had to white list them
but they keep changing configurations so the white list does not always
work) and some less regularly. (I generally find if they make it to spam
I'm not interested anyway. But I do check them out, anyway.)
There is no way you can "survive" all SpamAssassin installs. But you
could work with Robert to convince him of your bonafides and at least
for awhile become an entry in his SARE white list rule set. That may
be your best chance to get through spam filters.
(That said I have a few publishers intentionally not white listed here.
They send me ads for "other publications I might be interested in" and,
trust me, I'm not. They also bug me on the telephone. I'm ready to reach
through the telephone mouthpiece and rip a telemarketer's throat out
some day real soon now. THAT is why I have such a tight SpamAssassin
setup here.)
{^_^} Joanne
----- Original Message -----
From: "Blake Gilchrist" <[EMAIL PROTECTED]>
Robert and Matt,
Thanks for taking the time to write such thoughtful replies, it's
appreciated. Please forgive the long reply!
I should have probably gone into more detail about what our company does,
but I didn't dig too deep initially for fear of scaring you off in my
first post! ;) We currently deliver roughly 10 million emails a month to
our registered users (please note again, though - we are talking 100%
opt-in data, and we don't buy in data or lists from anyone; all our data
has been generated in-house) and we use some pretty sophisticated email
hardware and software to manage this.
Our IT manager is pretty up on the technical side of things and has good
relationships with most of the key ISP and web-based email players. I
don't think we've got too many issues on that side of things. We are very
honest and open in our mail headers and sending processes, and host images
and other email-related content on transparently named servers to avoid
possible confusion and reduce False Positives. I'm not too sure about our
ipt-ltd.co.uk web address IP lookup issue, but we send emails from
transparently named domains that definitely don't have issues with IPs or
potentially dodgy names. We are also very clear in all of our email
communications about where the email has come from, and always offer our
users three methods of unsubscribing (via email, online, or by post). We
have very clear privacy policies on all of our consumer-facing websites,
which are linked to in all our email communications.
Robert's comment about which companies we choose to allow to advertise in
our emails is a valid and interesting one. Although we have certainly
never sent emails pertaining to relate to spam or spam services (our
business is too valuable to do so, and I'd certainly have ethical issues
over that), it's interesting to think that some companies or services
could potentially be hampering our ability to output.
Matt's numbered comments were very useful, too - although we've got a
clean bill of health on most of those points. Something I spearheaded
about a year ago was ensuring all of our internal and client emails are
100% HTML validated. I saw this as a no-brainer - it's obvious that as a
legitimate mailer you've got enough problems to deal with without worrying
about being flagged up for simple issues such as mis-matching tag pairs or
bad encoding methods.
It sounds like there probably aren't any sources available with explicit
information regarding SA's rules. It was interesting to read people's
views regarding the rules though. On one hand, you have the argumement
that going into too much detail would aid spammers; on the other, you have
the view that obfuscating the rules only serves to cause as much confusion
for legitimate mailers as it hampers the spammers. The SA website's FAQ
touches on this: "A common question regarding SpamAssassin's rules is, why
aren't they kept secret? Doesn't publishing the rules alert the 'bad
guys', causing them to change their spam patterns to evade the rule? This
is true, but only to a degree. In a way, this is an example of the
'Security through obscurity' fallacy.". I see it as a bit catch-22,
though - if you don't have enough information, it's hard to ensure you're
complying correctly; if you have too much information, it aids spammers.
Being quite technically inclined, we can make sense of most of SA's
rules.. but some are too obscure to make sense of. Whilst it's a valid
comment to say that as a legitimate mailer delivering good quality,
solicited content, that you shouldn't need to worry too much about the
rule specifics, it's quite possible to send a 100% validated HTML email
that on the surface appears to be very clear cut in it's message, isn't
hosting images on suspect domains and is using a sensible balance of code
vs copy, to still fall foul of some standard scoring rules.
So it sounds like my best bet is to ask on this list for info on those
specific few rules which keep nagging at us and we can't make sense of.
And thanks for the abuse.net suggestion Robert, we'll look into that and
make sure it's setup.
Thanks again for your time and help,
Blake
-----Original Message-----
From: Robert Menschel [mailto:[EMAIL PROTECTED]
Sent: 13 October 2005 04:10
To: users@spamassassin.apache.org
Subject: Re: Spam Assasin rule details
Hello Blake,
Wednesday, October 12, 2005, 3:59:47 AM, you wrote:
BG> I work for a marketing company (I feel those groans, believe
BG> me) who only send 100% opt-in emails to our existing users. We're
BG> currently using SpamAssasin internally for pre-checking our email
BG> communications to avoid common problems of false positives.
BG> Although we have a very experienced technical team and can make
BG> sense of a lot of SA's rules, some have left us scratching our
BG> heads.
Personally, I wouldn't worry about those rules, or any SpamAssassin
rules. The rules catch spam. If your email isn't spam, you shouldn't
be matching the rules.
As Matt said, be honest in your headers. Be accurate in who you are
(From), which systems the email goes through, preferably from your own
servers, using your own domain name.
Use a domain name which is identified by a verifiable IP address.
I can't send this response to you, because my email system finds no IP
address for ipt-ltd.co.uk. That will get you blocked by many systems
before your email ever gets anywhere near SpamAssassin. (If I didn't
have some good ideas here that I think might be added to the Wiki, I
wouldn't post this at all because of this possible hiding of your
actual source.)
Use an intelligent message id which ties correctly to your system. Use
an intelligent mailing agent, one which identifies itself in the
headers and which isn't heavily used by spammers. Make sure your date
header is correctly formatted and in the correct time zone.
Using SPF identification for your domain helps. It won't flag
you as a good guy directly, but it will prevent bad guys from
successfully masquerading as you.
Be careful which domains/companies you allow to advertise in your
emails (if any). Allowing spammers to advertise will get your emails
flagged by the URI blacklists. On the other hand, don't advertise your
domains with spammers -- having your domain name listed in their spams
can also get you flagged by some URI blacklists.
Be visible and public in your domain and hosting registrations. If
people who check for you to see whether you might be a spammer, or to
complain/ask about your emails, finds bogus entries in your
registrations, or "private" or "hidden" annotations, that strongly
suggests you are a spammer, hiding from an outraged public. If you are
open about who you are in your registration emails, you'll get some
complains and some queries. Answer those honestly and fully, and you
should stay out of blacklists.
Make sure you have active and monitored abuse@ and postmaster@
addresses. Register them with abuse.net.
Make sure your privacy policy, including enforcement, and including
query contact information, is easily found and clearly stated on your
web site. It's good to include this information in your emails. Again,
people who need to find out whether you're a spammer will often look
for that information.
Matt gave various specifics concerning the email content itself, but
they all boil down to: be open and honest and plain in your emails. If
you try to hide things, or try to use tricks to bypass spam filters,
you'll look like a spammer and you'll be treated like a spammer.
An important trick, if you're using HTML emails, is to use high
quality HTML emails. Don't use tools which generate horrendous HTML
(example: MS Word). They often leave signs behind (like empty tags,
eg: <B></B>) which are generally found in spam. Make sure your HTML is
valid (run it through a decent validator). Unbalanced tags and invalid
tags will also flag an email as spam. If you use a title, make sure
the title is meaningful -- the default titles generated by HTML tools
are often used as spamsign.
If you're using HTML emails, include a text part in the email as well,
for recipients (and anti-spam checkers), and keep that text as close
to the HTML copy as possible. The closer they're related, the less
likely your email will be seen as spam.
OK -- one suggestion which actually does relate to SpamAssassin rules;
don't include gratuitous references to spam subjects. Don't talk about
rolex watches, sexually oriented activities or drugs, or debt
treatment, unless those topics directly relate to your email. And if
they do, limit your email to one topic at a time. An email which
mentions rolex watches, Viagra, porn, and debt all in one email will
very possibly hit several rules that flag it as spam, even if
everything else is clear.
Other ideas can be found at
http://wiki.apache.org/spamassassin/AvoidingFpsForSenders
(and maybe some of these ideas should be added to that page...)
Bob Menschel
________________________________________________________________________
This e-mail has been scanned for all viruses by Star. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk
________________________________________________________________________
----------------------------------------------------------------------
This message has been scanned for viruses and dangerous content by
IPT MailScanner, and is believed to be clean.
Interactive Prospect Targeting http://www.ipt-ltd.co.uk/
----------------------------------------------------------------------
----------------------------------------------------------------------
This message has been scanned for viruses and dangerous content by
IPT MailScanner, and is believed to be clean.
Interactive Prospect Targeting http://www.ipt-ltd.co.uk/
----------------------------------------------------------------------
________________________________________________________________________
This e-mail has been scanned for all viruses by Star. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk
________________________________________________________________________
