"Kevin A. McGrail" <kmcgr...@pccc.com> writes:

> We do have a policy for this:
> http://wiki.apache.org/spamassassin/DnsBlocklistsInclusionPolicy

Sorry for the delay. For some reason firefox will not load that page, but will load other wiki pages; I gave up after a bit and fetched it a different way.

So relative to what I was trying to say, that policy isn't good enough. I think it's pretty easy to fix.

The core issue is that running a whitelist where people on the whitelist pay the whitelist provider is an enormous conflict of interest. Mitigating that conflict of interest is necessary, and is the duty of ASF as a public charity.

For normal rules, positive or negative points are helpful more than they hurt, and there are some errors. That's fine, and unavoidable. For pay-to-play whitelists, the situation is more complicated, as whitelist operators can essentially sell negative points, and the only real pressure is to kick them out of the default ruleset. So we get into game theory rather than the normal probability.

To fix this, I'd add to the policy:

* Whitelists must either

  a) be widely known or documented to not accept any compensation, direct or indirect, from listed entities, so that they are clearly free from a conflict of interest, or

  b) meet the following transparency and responsiveness rules

     i) Have a page on the SA wiki which points to the way to complain.

     ii) On the main web page of the whitelist, have a prominent link about how to file a complaint about receiving spam from whitelisted entities. This must be sufficiently prominent that the number of people who fail to find it is essentially zero, and it should have equal or greater billing than material aimed at senders.

     iii) Complaints received should get a response with an incident number (or equivalent) within a business day.

     iv) Complaints should be dealt with within a week by either delisting the offending entity or addressing the issue so that no spam recurs. (For the purposes of this guideline, invitations sent by a site to an address which was taken from an uploaded address book or equivalent are considered to be spam.)

I'm explicitly separating pay-to-play whitelist and others; the requirements are only on the paid whitelists. The requirements aren't onerous; they are basic steps any paid whitelist should be doing anyway. If the whitelist company doesn't want to make a wiki page and be transparent and responsive, SA users shouldn't have that whitelist imposed on them.

So I'm not sure what you mean about volunteers; I view this as a basic policy problem rather than a needs-implementation problem. Once policy is declared, almost all the work is on the part of paid whitelist operators to do things they should have been doing anyway.

Greg