On Dec 4, 2009, at 1:18 AM, jdow wrote:

> And JD, I don't see on your site what it "costs" people to get listed
> on your DNS approval lists other than some tests and documentation. Is
> it possible spammers simply submit some buttered up documentation, get
> approved, and accept getting it knocked back off your lists rapidly as
> a business "time" expense?

No, there's a lengthy application process and a lot of monitoring involved.  
I'd be happy to ask someone from the Certification team to join the list and 
explain further as soon as I can be certain they won't be harassed and insulted 
here.  In the meantime I'll answer as well as I can, considering that I work on 
entirely different products at Return Path.

> I note that JD is quite willing to discuss (and seemed to recommend)
> a lowered default score. That seems quite reasonable.

The current defaults for both the HABEAS and BSP rules were set long before 
Return Path operated either service, so we have no clue where they came from 
either.


On Dec 4, 2009, at 9:08 AM, Charles Gregory wrote:

> As soon as any whitelist service like 'returnpath' accepts a client, they 
> perform the following:
> 
> 1) Review the client's address list - look for honeypot addresses.
>   If any are found, clearly the client has not vetted their list.

Our staff doesn't review their list, but we do operate a great many honeypots 
of our own -- and we receive feeds of honeypot messages from ISPs and other 
data partners.  So, spammers can't hide that way.

We also get feeds of complaints, where users click "this is spam" in a partner 
ISP's webmail interface.  Spammers can't hide that way, either.

(You can see the results of much of this data at senderscore.org.)

I saw some other interesting ideas in the conversation, but they all assume the 
accreditor is able to change messages or otherwise interrupt the sender's 
mailstream.  We don't have that ability, and don't want to.  They have to 
police themselves, or else they get kicked off the list.  Simple, neh?


On Dec 4, 2009, at 10:06 AM, Greg Troxel wrote:

> Probably "SOI" should be entirely dropped.

There's only one Safe list (which SA still calls Habeas.)  In other words: no 
difference between the SOI and COI lists.  Or at least, that's how it's 
supposed to be -- so Kris's results were somewhat surprising.


On Dec 4, 2009, at 11:08 AM, Charles Gregory wrote:

> By the by, I think I posted on this list a while ago on a similar question, 
> as to whether we could really trust *any* whitelists, as they simply made for 
> a *deliberate* target of botnet owners. No one made a fuss about it before, 
> but what about now? Maybe, once again, the flaw is in having a whitelisting 
> system that relies upon third party servers with unknown security.

We're EXTREMELY concerned about this as well, and we've got a 24x7 operations 
staff keeping an eye on things.  That's one of the reasons we charge money for 
the service: it lets us buy hardware and software and hire staff to keep it 
running smoothly, and securely.

--
J.D. Falk <jdf...@returnpath.net>
Return Path Inc
