>>Kevin A. McGrail skrev den 2017-01-25 16:46:
>>> On 1/25/2017 9:10 AM, David Jones wrote: >>>> Could we build a tool like masscheck to help extend these >>>> entries for trusted senders that are known to maintain >>>> proper SPF, DKIM, DMARC with valid opt-out processing? >>>> >>> Off the cuff, this sounds like the concept of more than a few whitelist >>> RBLs. >>dkim is domain based, spf and dmarc is ip based, so not really easy to >>use a ip based rbl :=) >This is very different than IP-based checks like RBLs. A single IP can >send email for multiple domains so SPF would pass on some domains >and could fail for other domains. The reverse is also possible that >spammers can setup perfect SPF, DKIM, DMARC, and FCrDNS and not >have their IP listed on any RBLs for a short period of time. >There is a distinction between the reputation of an IP and the reputation >of a domain that is very helpful for spam detection. This is proven in >the SA rule files 60_whitelist_spf.cf and 60_whitelist_dkim.cf. All I have >done is automate a process to extend it to about 3,000 entries of trusted >senders making my filtering very accurate with fewer complaints by my >customers. Here is an example I just received: http://pastebin.com/fwbgMKF4 This message is very spammy looking and hit a high BAYES_ rule but was sent from a trustworthy sender with good SPF, DKIM and opt-out. The IP was not listed on any major RBLs at the time it was received. Everything looks good and should have been passed through to the recipient but my SA blocked it primarily due to BAYES_95. If I train my Bayes DB with this email as ham, then other similar spam could start scoring lower and get through. In this case, I want to trust the reputation of the sender more than the content so I have added it to my whitelist_auth list. whitelist_auth *@info.spectrum.com
