I'll comment on this before anyone else does. :-)
> Author: quinlan
> Date: Sun May 30 22:55:49 2004
> New Revision: 20683
>
> Modified:
> incubator/spamassassin/trunk/rules/70_testing.cf
> Log:
> removing T_SPF_PASS_NO_SBL - all of my hits are really spam
I don't think any one rule is sufficient to make a simple "does an SPF
record exist" test worthwhile. The test needs to be paired with *actual
domain names* that are known to be good senders.
I took all SPF_PASS hits (318) in the last 14 days of corpus results and
looked at the other rules hit on those spam messages:
318 SPF_PASS <- spammers with SPF records
247 HTML_MESSAGE
239 SPF_HELO_PASS <- both!
197 T_SPF_PASS_NO_SBL
169 URIBL_WS_SURBL
159 RAZOR2_CF_RANGE_51_100
157 URIBL_SBL
134 RAZOR2_CHECK
130 MIME_HTML_ONLY
121 T_SPF_HELO_PASS_NO_SBL
121 RCVD_IN_SBL
114 BAYES_99
112 T_RCVD_IN_SBL
106 URIBL_BE_SURBL
103 T_RATWARE_RCVD_PF_1
98 CLICK_BELOW
... long tail
I don't think any small set of rules is sufficient. And if you include
too many rules, then the entire point of having a negative rule is
missed. We should be attempting to couple SPF pass with specific names.
For example, it should be required for our default whitelist.
Daniel
--
Daniel Quinlan
http://www.pathname.com/~quinlan/
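
The tally described in the message above can be reproduced with a short script. This is an added example, not part of the original message or of SpamAssassin's own tooling; the log line layout, the sample lines and the function names are constructed for illustration, and `meta_hits` models a hypothetical "anchor rule and none of the excluded rules" negative rule.

```python
from collections import Counter

# Constructed sample results. The line layout (Y = spam, . = ham, score,
# message id, comma-separated rule hits) is an assumption for this example.
SAMPLE_LOG = """\
Y 12 spam/0001 SPF_PASS,SPF_HELO_PASS,HTML_MESSAGE,URIBL_SBL
Y 9 spam/0002 SPF_PASS,HTML_MESSAGE,BAYES_99
Y 15 spam/0003 HTML_MESSAGE,RCVD_IN_SBL
. -2 ham/0001 SPF_PASS,SPF_HELO_PASS
Y 7 spam/0004 SPF_PASS,SPF_HELO_PASS,RCVD_IN_SBL,URIBL_SBL
. 0 ham/0002 HTML_MESSAGE
"""


def parse(log):
    """Yield (is_spam, set_of_rules) for each well-formed result line."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("Y", "."):
            continue  # skip comments, blanks and malformed lines
        rules = set(fields[3].split(",")) if len(fields) > 3 else set()
        yield fields[0] == "Y", rules


def cooccurring(log, anchor):
    """Count every rule hit on spam messages that also hit `anchor`."""
    counts = Counter()
    for is_spam, rules in parse(log):
        if is_spam and anchor in rules:
            counts.update(rules)
    return counts


def meta_hits(log, anchor, excluded):
    """Return (spam, ham) hits for a hypothetical 'anchor and none of excluded' rule."""
    spam = ham = 0
    for is_spam, rules in parse(log):
        if anchor in rules and not rules & set(excluded):
            spam, ham = spam + is_spam, ham + (not is_spam)
    return spam, ham


if __name__ == "__main__":
    for rule, n in cooccurring(SAMPLE_LOG, "SPF_PASS").most_common():
        print(f"{n:5d} {rule}")
    print(meta_hits(SAMPLE_LOG, "SPF_PASS", ["RCVD_IN_SBL", "URIBL_SBL"]))
```

A negative-scoring rule is only worth keeping when the spam count returned by `meta_hits` stays near zero while the ham count is substantial.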