On 02/17/2014 02:35 PM, Greg Troxel wrote:
> I have had a number of experiences complaining about spam from
> whitelisted hosts, and (with the exception of hostkarma, which is not
> in the default ruleset) found many of my experiences to be
> unsatisfactory, to the point that they were escalated to publicly
> discussing the issue.

Regarding this problem generally, yeah it's an issue, especially with one whitelist in particular, that is NOT the ISIPP/IADB.

Regarding ISIPP/IADB in particular, I'd be hard-pressed to call it a whitelist. IMHO it would be more accurate to call it a combined whitelist and blacklist... or a reputation list, or something.

For instance..

Per http://www.isipp.com/email-accreditation/list-of-codes/

A response of 127.3.100.100 means "The only email which comes from this IP address is mailing list email, and that mailing list email is entirely confirmed (double) opt-in"

I'd treat that response as a whitelisting.

On the other hand, a response of 127.3.100.1 means "Scrapes addresses, pure opt-out only"

I'd tend to treat such a response as a blacklisting.

My understanding (which could be mistaken, and hopefully someone more knowledgeable will chime in if I'm wrong) is that listees pay to be listed, but they don't necessarily get to decide under what category.

Also, IIRC, by default only certain responses are treated by spamassassin with negative points, certain other responses are treated with adding positive pointage.

Now, with regards to the OP's spam sample, the IADB related tests that fired were:

RCVD_IN_IADB_DK
In other words, sender uses DK or DKIM. Looks accurate to me.

RCVD_IN_IADB_DOPTIN_LT50
In other words, sender uses confirmed opt-in *LESS THAN HALF THE TIME*
Considering that the sender spammed the OP, this is probably accurate as well.

RCVD_IN_IADB_LISTED
I.e., the sender is listed. Accurate by its very nature.

RCVD_IN_IADB_RDNS
Proper RDNS is set up. Again, looks to be accurate.

RCVD_IN_IADB_SENDERID
Uses sender ID. I didn't check, but wouldn't be surprised if this were true.

RCVD_IN_IADB_SPF
Since SPF_PASS also fired, this is probably accurate as well.

RCVD_IN_IADB_VOUCHED
AFAIK simply means that sender has been listed > 6 months, and its practices are consistent with how it's listed. Probably accurate.

Now, if the IP that sent the OP's spample were listed as using COI all the time, then it would make sense to complain to SuretyMail about it so the listing could be changed - but that is not how it is listed.

So, regarding ISIPP/IADB, I don't think the DNSxL operator is to blame for any FNs, nor doing anything improper. Rather, I'd say maybe the scoring defaults should be tweaked a little bit.

-- 
Joe Sniderman <joseph.snider...@thoroquel.org>
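
The point made in the message above, that a multi-valued DNSxL works as a reputation list whose answers can count in either direction, shown as an added example that is not part of the original message or of SpamAssassin. The zone name, the point values and the 127.9.9.9 code are assumptions made for illustration; only the two return codes quoted in the message come from the page.

```python
import ipaddress

ZONE = "dnsxl.example"  # assumption: placeholder, not the list's real query zone
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

# The two return codes quoted in the message. The point values are
# illustrative assumptions (negative = ham-leaning, positive = spam-leaning).
CODE_SCORES = {
    "127.3.100.100": ("mailing list mail only, all confirmed opt-in", -2.0),
    "127.3.100.1": ("scrapes addresses, pure opt-out only", 2.0),
}

def query_name(ip, zone=ZONE):
    """Build the DNSxL lookup name: reversed IPv4 octets, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def evaluate(a_records):
    """Score the A records returned for one sending IP.

    Returns (score, hits, unscored, invalid).
    """
    score, hits, unscored, invalid = 0.0, [], [], []
    for rec in sorted(set(a_records)):
        try:
            addr = ipaddress.IPv4Address(rec)
        except ValueError:
            invalid.append(rec)
            continue
        if addr not in LOOPBACK:
            # Not a list answer (e.g. a resolver rewriting NXDOMAIN); never
            # count it as a listing in either direction.
            invalid.append(rec)
        elif rec in CODE_SCORES:
            meaning, points = CODE_SCORES[rec]
            score += points
            hits.append((rec, meaning))
        else:
            unscored.append(rec)  # listed, but no local policy for this code
    return score, hits, unscored, invalid

if __name__ == "__main__":
    # Constructed answers; 127.9.9.9 is a made-up code, not a real list value.
    for answers in (["127.3.100.100"], ["127.3.100.1", "127.9.9.9"], ["203.0.113.7"]):
        print(query_name("192.0.2.10"), answers, evaluate(answers))
```

Codes with no entry in the table stay neutral rather than defaulting to a whitelist hit, which is the behaviour the message argues for when it says being listed is not the same as being vouched for.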