I used several years' worth of notes to come up with the information below.  It needs more polish and it is my very first rip and shred.  I am also certain that I've missed some great points others have made.

So I am posting this to solicit feedback on this draft so I can then submit it to the PMC for approval. 

Just to be very clear, this is NOT a draft approved by the PMC but it is based heavily on consensus and many many threads from committee members.

regards,
KAM

Apache SpamAssassin PMC Criteria for DNSBL Inclusion [DRAFT]

GOAL: To produce objective criteria for inclusion of DNS-blocklists (DNSBLs) including free and semi-commercial services that promote the ability to include more tests in a manner that is fair to the community and the service provider.

All services, whether free, commercial or semi-commercial, must meet these criteria for default inclusion in SpamAssassin's rules:
- May not block queries by returning purposefully wrong answers from over-quota or abusive IPs.
- The usage policy and any limits or restrictions must be documented and publicly visible with clearly defined terms.  (Terms such as "heavy load" are not acceptable).
- Should be "free for most" installations.
- May use limits such as DNS query limits per day but may not limit on the number of users or other arbitrary caps that can't be correlated to a direct increase in expenses.
- Should use a query response and rule that indicates a system is over limit.  Such response must add no substantial scoring difference and link only to a generic DNSBL Block page such as http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block.
- Must have an existing or planned infrastructure capable of the anticipated query load.
- Must give the project permission to include the rules by default.
- Daily query limits that have limited to 100k queries per day have been considered acceptable.
- Free access by request to rsync feeds for RBLDNSD is considered unlimited access.
- The addition of new blocklists should be done only in conjunction with a new major release and should be version encapsulated so that existing admins can decide to use them if possible in older installations.
- A formal vote in bugzilla is required before a network-based test is added to a sandbox.
- Blocklists must meet acceptable mass-check scoring criteria to be considered for default inclusion.  Testing is mandatory and the higher the S/O, the better.
- May not have significant reliability issues.
- Must have clear rules and procedures that are followed uniformly for listings and de-listings.
- May not accept funds to remove/list/delist/expedite or otherwise non-objectively handle their lists.
- Should use lastexternal or lasttrusted testing unless there is an overwhelming benefit otherwise.
- May require signing up for an account / mailing list / etc. for the purpose of notifying Admins of changes and problems.

Semi-commercialized services aka "Free for Some" must meet these additional criteria for default inclusion in SpamAssassin's rules:
- Must be free for any kind of person or organization to use, commercial, government, or home user.
- May impose licensing limitations on use as an "anti-spam reseller" or directly reselling spam filtering services.
- Must not attempt to retroactively bill users that have exceeded any free limits.
- May not be a trial or limited time offer.

Services that are completely commercial are not eligible to be enabled by default.

--
Kevin A. McGrail
President

Peregrine Computer Consultants Corporation
3927 Old Lee Highway, Suite 102-C
Fairfax, VA 22030-2422

http://www.pccc.com/

703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-359-8451 (fax)
kmcgr...@pccc.com
