Posted to users@spamassassin.apache.org by Ian Zimmerman <it...@buug.org> on 2015/07/09 18:02:06 UTC

Return Path (TM) whitelists

I just got in my inbox what I consider spam from the Belgian domain
selling Japanese copiers & printers (you probably know which one).  What
made it pass through SA were RCVD_IN_RP_CERTIFIED and RCVD_IN_RP_SAFE.
Together they account for a whopping -5 points - a poison antidote pill!
Isn't that a bit excessive?  In fact, since Return Path explicitly
advertises itself as a service for marketers, and I _never_ knowingly
subscribe to a marketing list, these scores should be (smallish)
positive as far as I'm concerned.

Also, I'm unsure what membership in SAFE means, the Return Path website
doesn't mention it prominently, as it does their certification program.

-- 
Please *no* private copies of mailing list or newsgroup messages.
Rule 420: All persons more than eight miles high to leave the court.


Re: Return Path (TM) whitelists

Posted by David Jones <dj...@ena.com>.
>On 2015-07-09 16:58 +0000, David Jones wrote:

>> Did the email have a valid unsubscribe link/process?

>It is in Dutch, and I can't read Dutch.
>(Yes, I do use the language plugin.)

>> I shortcircuit as ham for these two rule hits and never have had a
>> report of spam that couldn't be reliably/safely unsubscribed from.  (I
>> filter about 90,000 mailboxes.)

>How can I tell if it is safe if I can't even read the message?

Unfortunately this is not easy and takes years of doing mail
support before you can tell.  Here's what I have found over
the years:

First, hover over the link and make sure it's going to take you where
you think it should or where they claim they are going to take you.

Characteristics of legit unsubscribe links:
1. They use a GUID (unique identifier) in the URL and not your
email address.
2. The unsubscribe form shows you your email address (or 
partial email address for security).  Make sure your email
address is not in the link (#1) since this will mean they have
a database that ties the GUID back to your email address.

Characteristics of a bad unsubscribe process:
1. They require you to reply with a specific subject.
2. They make you type in your complete email address.  This
could be harvesting or validating your email address for more
spam to be sent your way.

>But in general, to me it is spam if I didn't explicitly subscribe.  And
>I didn't.

There is a difference between spam and UCE (unsolicited commercial
email).  Everyone may define these a little differently but I classify
what you got as UCE.  Spam, to me, is malicious like viruses, malware,
phishing, etc.  Spam tends to come from untrusted mail servers with
some coming from normally trusted mail servers that had an account
compromised.  These tend to become listed on RBLs fairly quickly so
the majority can be handled with a good RBL setup in the MTA.

UCE tends to be more trusted mail servers that want to send you
marketing crap to get you to buy something.  These trusted mail
servers should be allowed through as long as they have a reliable
unsubscribe process.  This puts the control back in the recipient's
hands/mouse since some may want it and others may not.

Email addresses are bought and sold all of the time and make their
way onto legit sending platforms and servers by unscrupulous
senders.  You shouldn't penalize legit senders that follow the rules
(i.e. constantcontact.com, mailchimp.com, etc.) and provide
legitimate unsubscribe methods.  Just unsubscribe from the 
trustworthy senders usually in whitelists like Return Path and
others.  If they start abusing things, most of the good ones will
have an abuse reporting system so look in the headers and report
the abuse so they can crack down on their bad customers.
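
The link-side checks listed in this message, as an added example that is not part of the original post: it flags an unsubscribe link that carries the recipient's address or asks for a reply with a set subject, and notes a GUID-style token. The base64 check goes beyond what the post lists; the function names, finding labels and sample links are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# A GUID in canonical or bare 32-hex form (the "unique identifier" case).
GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{32}",
    re.IGNORECASE,
)


def b64_forms(address):
    """Base64 spellings (standard and URL-safe, unpadded) of the bare address."""
    raw = address.encode()
    return {enc(raw).decode().rstrip("=")
            for enc in (base64.b64encode, base64.urlsafe_b64encode)}


def check_unsubscribe(link, recipient):
    """Return the sorted findings for one unsubscribe link.

    The form-side checks from the post (does the page show or ask for the
    address) need a person looking at the page and are not covered here.
    """
    link = link.strip().strip("<>")
    decoded = unquote(link)
    findings = set()

    # Bad sign: unsubscribing means sending mail with a prescribed subject.
    parts = urlsplit(link)
    if parts.scheme.lower() == "mailto":
        if "subject" in {key.lower() for key in parse_qs(parts.query)}:
            findings.add("reply-with-subject")

    # Bad sign: the address itself travels in the link, plain or %-encoded.
    if recipient.lower() in decoded.lower():
        findings.add("address-in-link")
    # Same, behind base64 (only catches the address encoded on its own).
    elif any(form in decoded for form in b64_forms(recipient)):
        findings.add("address-in-link-base64")

    # Good sign: an opaque per-recipient token and no address anywhere.
    if GUID_RE.search(link) and not any(f.startswith("address") for f in findings):
        findings.add("opaque-token")
    return sorted(findings)


# Constructed sample data, not taken from any real message.
RCPT = "alice@example.org"
SAMPLES = {
    "guid": "https://news.shop.example/unsub/3f2b8c1e-9a4d-4e7b-8c21-5d6f7a8b9c0d",
    "plain": "https://news.shop.example/unsub?e=alice%40example.org",
    "reply": "mailto:leave@news.shop.example?subject=UNSUBSCRIBE",
    "b64": "https://news.shop.example/u?x="
           + base64.urlsafe_b64encode(RCPT.encode()).decode(),
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, check_unsubscribe(url, RCPT))
```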

Re: Return Path (TM) whitelists

Posted by Ian Zimmerman <it...@buug.org>.
On 2015-07-09 16:58 +0000, David Jones wrote:

> Did the email have a valid unsubscribe link/process?

It is in Dutch, and I can't read Dutch.
(Yes, I do use the language plugin.)

> I shortcircuit as ham for these two rule hits and never have had a
> report of spam that couldn't be reliably/safely unsubscribed from.  (I
> filter about 90,000 mailboxes.)

How can I tell if it is safe if I can't even read the message?

But in general, to me it is spam if I didn't explicitly subscribe.  And
I didn't.

-- 
Please *no* private copies of mailing list or newsgroup messages.
Rule 420: All persons more than eight miles high to leave the court.


Re: Return Path (TM) whitelists

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>I just got in my inbox what I consider spam from the Belgian domain
>>selling Japanese copiers & printers (you probably know which one).  What
>>made it pass through SA were RCVD_IN_RP_CERTIFIED and RCVD_IN_RP_SAFE.
>>Together they account for a whopping -5 points - a poison antidote pill!
>>Isn't that a bit excessive?  In fact, since Return Path explicitly
>>advertises itself as a service for marketers, and I _never_ knowingly
>>subscribe to a marketing list, these scores should be (smallish)
>>positive as far as I'm concerned.

On 09.07.15 16:58, David Jones wrote:
>Did the email have a valid unsubscribe link/process?
>
>I shortcircuit as ham for these two rule hits and never have had
>a report of spam that couldn't be reliably/safely unsubscribed from.
>(I filter about 90,000 mailboxes.)

well, I have increased their scores to 1% of their value (-2 to -0.02 etc)
I only remember getting spam with these SA headers and I remember it was
hard (if not impossible) to find a spam report link on their site.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of. 

Re: Return Path (TM) whitelists

Posted by David Jones <dj...@ena.com>.
>From: Ian Zimmerman <it...@buug.org>
>Sent: Thursday, July 9, 2015 11:02 AM
>To: users@spamassassin.apache.org
>Subject: Return Path (TM) whitelists

>I just got in my inbox what I consider spam from the Belgian domain
>selling Japanese copiers & printers (you probably know which one).  What
>made it pass through SA were RCVD_IN_RP_CERTIFIED and RCVD_IN_RP_SAFE.
>Together they account for a whopping -5 points - a poison antidote pill!
>Isn't that a bit excessive?  In fact, since Return Path explicitly
>advertises itself as a service for marketers, and I _never_ knowingly
>subscribe to a marketing list, these scores should be (smallish)
>positive as far as I'm concerned.

Did the email have a valid unsubscribe link/process?

I shortcircuit as ham for these two rule hits and never have had
a report of spam that couldn't be reliably/safely unsubscribed from.
(I filter about 90,000 mailboxes.)

Post the email via pastebin.com if you want further help.

>Also, I'm unsure what membership in SAFE means, the Return Path website
>doesn't mention it prominently, as it does their certification program.

Re: Return Path (TM) whitelists

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Wed, 15 Jul 2015 15:23:44 -0700
Dave Warren <da...@hireahit.com> wrote:

> Huh? Last I looked, somewhere near 80% of my legitimate mail flow
> passes SPF. It wouldn't shock me if this has gone higher.

That's not what we see.  We see quite a lot of legitimate mail
that either doesn't have SPF in place at all or hits softfail.  Some
even hits fail.

> While a lot of spam does too, SPF:PASS alone doesn't really mean 
> anything,

No, it does not, but (at least for the mail we see) if SPF:PASS were a
Bayes token, it would be slightly on the spammy side, though not
extremely strongly.

> I'd suggest that SPF:PASS means you can rely on domain based logic 
> (trusts/whitelists/reputation) rather than only IP based logic,
> allowing you to safely whitelist "example.com" without guessing what
> IPs example.com uses (and might use tomorrow.)

In our commercial service, we have the very mild policy that a sender
whitelist or domain whitelist is ignored in the event of SPF softfail
or fail.  You would not believe the number of support calls we get
from clients asking for this to be disabled because their legitimate
correspondents have broken SPF. :(

Regards,

Dianne.
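
The whitelist policy described in this message, set beside a pass-only reading of the quoted suggestion, as an added example that is not code from any poster or product: it shows that the two differ only when SPF gives no verdict. The policy names, function names and sample messages are constructed, and the topmost Received-SPF header is assumed to come from your own MTA.

```python
from email import message_from_string
from email.utils import parseaddr

SPF_RESULTS = {"pass", "fail", "softfail", "neutral", "none",
               "temperror", "permerror"}


def spf_result(msg):
    """Result keyword of the topmost Received-SPF header, 'none' if absent.

    Assumption: the topmost header was added by your own MTA; copies further
    down arrived with the message and can be forged.
    """
    words = msg.get("Received-SPF", "").split()
    word = words[0].lower() if words else "none"
    return word if word in SPF_RESULTS else "none"


def sender_domain(msg):
    """Domain of the envelope sender as recorded in Return-Path."""
    return parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()


def whitelist_applies(msg, whitelist, policy):
    """Decide whether a domain whitelist entry may be honoured for msg."""
    if sender_domain(msg) not in whitelist:
        return False
    result = spf_result(msg)
    if policy == "mild":        # ignore the whitelist on softfail or fail
        return result not in ("softfail", "fail")
    if policy == "pass-only":   # trust the domain only when SPF confirms it
        return result == "pass"
    raise ValueError(policy)


def make(spf_line):
    """Build a constructed sample message with the given Received-SPF value."""
    head = "Return-Path: <bounce@shop.example>\n"
    if spf_line:
        head += "Received-SPF: " + spf_line + "\n"
    return message_from_string(head + "Subject: offer\n\nbody\n")


# Constructed samples: same whitelisted sender domain, different SPF outcomes.
SAMPLES = {
    "pass": make("pass (sender permitted) client-ip=192.0.2.10;"),
    "softfail": make("softfail (sender not permitted) client-ip=198.51.100.7;"),
    "no-record": make("none (domain publishes no SPF record)"),
}


def compare(whitelist):
    """Map each sample to (mild, pass-only) whitelist decisions."""
    return {name: (whitelist_applies(msg, whitelist, "mild"),
                   whitelist_applies(msg, whitelist, "pass-only"))
            for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in compare({"shop.example"}).items():
        print(name, verdict)
```

A whitelisted domain that publishes no SPF record keeps its whitelist entry under the mild policy but loses it under the pass-only one.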


Re: Return Path (TM) whitelists

Posted by Dave Warren <da...@hireahit.com>.
On 2015-07-09 15:07, Dianne Skoll wrote:
> Just as SPF "pass" is a mild spam indicator nowadays

Huh? Last I looked, somewhere near 80% of my legitimate mail flow passes 
SPF. It wouldn't shock me if this has gone higher.

While a lot of spam does too, SPF:PASS alone doesn't really mean 
anything, but rather, it should be used as a way to indicate that the 
mail comes from an IP authorized to use the domain in question (or not). 
SPF FAIL/SOFTFAIL is often a bad sign (it either indicates forgery OR 
misconfiguration, so you can treat it with suspicion), but SPF PASS is 
meaningless on its own.

I'd suggest that SPF:PASS means you can rely on domain based logic 
(trusts/whitelists/reputation) rather than only IP based logic, allowing 
you to safely whitelist "example.com" without guessing what IPs 
example.com uses (and might use tomorrow.)

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Return Path (TM) whitelists

Posted by Joe Quinn <jq...@pccc.com>.
On 7/9/2015 6:07 PM, Dianne Skoll wrote:
> On Fri, 10 Jul 2015 07:58:39 +1000
> Noel Butler <no...@ausics.net> wrote:
>
>> +1
> I'll throw my +1 in on this also.  Almost by definition, the kinds of
> organizations who buy into these certifications to get their mail
> delivered are unlikely to be the kinds of organizations I want to
> hear from.
>
> Just as SPF "pass" is a mild spam indicator nowadays, so is a "pass"
> on these kinds of certifications.
>
> Regards,
>
> Dianne.
I think your information on SPF is a bit out of date (though indeed when 
the spec was new, you could easily score it quite heavily).

http://ruleqa.spamassassin.org/?daterev=20150709-r1690028-n&rule=SPF_PASS&srcpath=&g=Change
http://ruleqa.spamassassin.org/?daterev=20150709-r1690028-n&rule=SPF_HELO_PASS&srcpath=&g=Change

It's not good enough to give a negative score all by itself, since it's 
still very easy to make useless SPF records, but it's not what it used 
to be.

Re: Return Path (TM) whitelists

Posted by RW <rw...@googlemail.com>.
On Fri, 10 Jul 2015 12:09:27 -0400
Rob McEwen wrote:


>  And some on this thread are not realizing that DNSWL has various
> LEVELS in its ratings of senders


I don't see anything in this thread to suggest that.

> most of the time that
> a virus-sent spam is sent from an IP in DNSWL, it is from an IP that
> is marked by DNSWL as a mixed source.

All of DNSWL's levels are mixed, they've never claimed otherwise. 

Re: Return Path (TM) whitelists

Posted by Rob McEwen <ro...@invaluement.com>.
Also, often, the Return Path certified sender is an ESP who sends for a 
variety of customers. There is not always an absolute guarantee that 
every one of that ESP's customers is ethical and truthful. A good ESP 
will quickly fire any such "bad apple" customer... but some do a 
much better job than others. Some spend endless amounts of time telling 
blacklists, "we're Return Path certified... and we had this bad 
customer... but we're working with that customer to purge their lists of 
complainers and bad addresses". (iow, help them listwash, keeping them 
on as customers)

ESPs are economically incentivized to keep marginal customers (or 
"pretenders"), and Return Path is economically incentivized to keep 
those grayhat-ESPs.

Yes, at the extremes, customers will be fired in both situations. But 
there is a lot of gray before those extremes trigger a firing. And there 
are many situations where those limits are pushed.

Having said that, those ESPs who choose to push those limits hurt 
themselves in the long run as their domains/IPs start getting dragged 
further and further down in various reputation and anti-spam filtering 
systems. But some of these are managed by 20-something-year old punk 
"kids" who haven't thought that far ahead.

I'm sure Return Path stops lots of this stuff.... but certainly, a 
significant amount of unsolicited messages can "slip through the cracks".

Meanwhile, in contrast, DNSWL is NOT economically incentivized to go 
easy on gray senders. And some on this thread are not realizing that 
DNSWL has various LEVELS in its ratings of senders... where senders of 
BOTH legit mail and spam are marked accordingly. That way, you know to 
not outright block messages from certain "mixed ham/spam" senders' 
IPs... but you shouldn't treat them as fully whitelisted either. That is 
a big difference... therefore, most of the time that a virus-sent spam 
is sent from an IP in DNSWL, it is from an IP that is marked by DNSWL as 
a mixed source.

-- 
Rob McEwen
http://www.invaluement.com/
+1 478-475-9032


Re: Return Path (TM) whitelists

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Fri, 10 Jul 2015 17:34:06 +0200
Reindl Harald <h....@thelounge.net> wrote:

> it's enough *once time* overlook the small letters besides some
> checkbox saying "we give your data to our partners" and so agree
> without intention while it's hard to impossible to realize the
> connection when weeks or months later a mail from a 3rd party comes

Yes, that's true.  However, if Return-Path is certifying organizations
that use these sorts of tricks to get people to "agree without
intention", then Return-Path is not doing its job ethically.

Return-Path should have a policy of refusing to certify senders unless
they have a default opted-out policy with a requirement for verified
opt-in.

Regards,

Dianne.


Re: Return Path (TM) whitelists

Posted by Reindl Harald <h....@thelounge.net>.
On 10.07.2015 at 17:15, Ian Zimmerman wrote:
> On 2015-07-10 16:36 +0200, Reindl Harald wrote:
>
>> most users enable checkboxes which are needed to get random forms
>> submitted, even if they say "i agree to get mails from here and
>> there" and are missing the context when that mails are coming later
>
> You don't know me, so you can hardly claim a basis to lump me with "most
> users".
>
> I repeat (for the last time, I promise): I didn't subscribe to any
> Belgian/Dutch list.  Not by enabling a checkbox, not otherwise

you asked "Can you specify "user behaviour" in more detail?" and if you 
don't want answers don't ask questions

it's enough *once time* overlook the small letters besides some checkbox 
saying "we give your data to our partners" and so agree without 
intention while it's hard to impossible to realize the connection when 
weeks or months later a mail from a 3rd party comes


Re: Return Path (TM) whitelists

Posted by Ian Zimmerman <it...@buug.org>.
On 2015-07-10 16:36 +0200, Reindl Harald wrote:

> most users enable checkboxes which are needed to get random forms
> submitted, even if they say "i agree to get mails from here and
> there" and are missing the context when that mails are coming later

You don't know me, so you can hardly claim a basis to lump me with "most
users".

I repeat (for the last time, I promise): I didn't subscribe to any
Belgian/Dutch list.  Not by enabling a checkbox, not otherwise.

-- 
Please *no* private copies of mailing list or newsgroup messages.
Rule 420: All persons more than eight miles high to leave the court.


Re: Return Path (TM) whitelists

Posted by Reindl Harald <h....@thelounge.net>.

On 10.07.2015 at 16:34, Ian Zimmerman wrote:
> On 2015-07-10 13:54 +0100, RW wrote:
>
>> I don't get any spam at all in the return-path lists.
>
>> ...
>
>> I don't doubt that there's some abuse, but I also find it hard to
>> believe that the accuracy of the return-path rules isn't dominated by
>> user behaviour.
>
> Can you specify "user behaviour" in more detail?  Are you saying it is
> something I (and the other posters with viewpoint similar to mine) did,
> or didn't do, that causes us to receive RP certified UCE?

it's simple:

most users enable checkboxes which are needed to get random forms 
submitted, even if they say "i agree to get mails from here and there" 
and are missing the context when that mails are coming later


Re: Return Path (TM) whitelists

Posted by Ian Zimmerman <it...@buug.org>.
On 2015-07-10 13:54 +0100, RW wrote:

> I don't get any spam at all in the return-path lists.

> ...

> I don't doubt that there's some abuse, but I also find it hard to
> believe that the accuracy of the return-path rules isn't dominated by
> user behaviour.

Can you specify "user behaviour" in more detail?  Are you saying it is
something I (and the other posters with viewpoint similar to mine) did,
or didn't do, that causes us to receive RP certified UCE?

-- 
Please *no* private copies of mailing list or newsgroup messages.
Rule 420: All persons more than eight miles high to leave the court.


Re: Return Path (TM) whitelists

Posted by RW <rw...@googlemail.com>.
On Thu, 9 Jul 2015 18:07:07 -0400
Dianne Skoll wrote:

> On Fri, 10 Jul 2015 07:58:39 +1000
> Noel Butler <no...@ausics.net> wrote:
> 
> > +1
> 
> I'll throw my +1 in on this also.  Almost by definition, the kinds of
> organizations who buy into these certifications to get their mail
> delivered are unlikely to be the kinds of organizations I want to
> hear from.

For me it's mostly reputable organizations including the BBC, eBay, my
ISP, my local supermarket and various companies I've bought things
from. 

I don't get any spam at all in the return-path lists.

> Just as SPF "pass" is a mild spam indicator nowadays, so is a "pass"
> on these kinds of certifications.

I don't doubt that there's some abuse, but I also find it hard to
believe that the accuracy of the return-path rules isn't dominated by
user behaviour.

I would suggest that people evaluate them themselves on a rational
basis.


On Fri, 10 Jul 2015 09:06:58 +0200
Matthias Leisi wrote:

> For the record, this is the reason why dnswl.org <http://dnswl.org/>
> does not charge for listings (and we don’t call it certification): it
> always leads to conflicts of interest.

The chief difference that makes is that people cut DNSWL a lot more
slack when it fails, and treat it less emotionally.

Whilst I don't get any spam in RP, I do get spam in DNSWL. The big
difference is that DNSWL has more hackable user accounts which in turn
means that DNSWL is more likely to let through serious fraud and
phishing spams when it does fail.

Re: Return Path (TM) whitelists

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Fri, 10 Jul 2015 09:06:58 +0200
Matthias Leisi <ma...@leisi.net> wrote:

> For the record, this is the reason why dnswl.org <http://dnswl.org/>
> does not charge for listings (and we don’t call it certification): it
> always leads to conflicts of interest.

Yes, I trust dnswl.org.

What we need is a meta-reputation system that rates the reputation of
organizations that rate reputation. :)

Regards,

Dianne.

Re: Return Path (TM) whitelists

Posted by Matthias Leisi <ma...@leisi.net>.
> On 10.07.2015 at 00:07, Dianne Skoll <df...@roaringpenguin.com> wrote:
> 
> On Fri, 10 Jul 2015 07:58:39 +1000
> Noel Butler <no...@ausics.net> wrote:
> 
>> +1
> 
> I'll throw my +1 in on this also.  Almost by definition, the kinds of
> organizations who buy into these certifications to get their mail
> delivered are unlikely to be the kinds of organizations I want to
> hear from.

For the record, this is the reason why dnswl.org <http://dnswl.org/> does not charge for listings (and we don’t call it certification): it always leads to conflicts of interest.


— Matthias, for the dnswl.org <http://dnswl.org/> project


Re: Return Path (TM) whitelists

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Fri, 10 Jul 2015 07:58:39 +1000
Noel Butler <no...@ausics.net> wrote:

> +1

I'll throw my +1 in on this also.  Almost by definition, the kinds of
organizations who buy into these certifications to get their mail
delivered are unlikely to be the kinds of organizations I want to
hear from.

Just as SPF "pass" is a mild spam indicator nowadays, so is a "pass"
on these kinds of certifications.

Regards,

Dianne.

Re: Return Path (TM) whitelists

Posted by Noel Butler <no...@ausics.net>.
 

On 10/07/2015 02:02, Ian Zimmerman wrote: 

> I just got in my inbox what I consider spam from the Belgian domain
> selling Japanese copiers & printers (you probably know which one). What
> made it pass through SA were RCVD_IN_RP_CERTIFIED and RCVD_IN_RP_SAFE.
> Together they account for a whopping -5 points - a poison antidote pill!
> Isn't that a bit excessive? In fact, since Return Path explicitly
> advertises itself as a service for marketers, and I _never_ knowingly
> subscribe to a marketing list, these scores should be (smallish)
> positive as far as I'm concerned.
> 
> Also, I'm unsure what membership in SAFE means, the Return Path website
> doesn't mention it prominently, as it does their certification program.

+1 

One of my colleagues subs to their mailouts, and I'm informed it's often
how to get around filtering, by using right keywords and blah blah blah
to get that successful inbox placement... 

(hint: we nuke all whitelists in SA anyway) 

Re: Return Path (TM) whitelists

Posted by Greg Troxel <gd...@ir.bbn.com>.
Ian Zimmerman <it...@buug.org> writes:

> I just got in my inbox what I consider spam from the Belgian domain
> selling Japanese copiers & printers (you probably know which one).  What
> made it pass through SA were RCVD_IN_RP_CERTIFIED and RCVD_IN_RP_SAFE.
> Together they account for a whopping -5 points - a poison antidote pill!
> Isn't that a bit excessive?  In fact, since Return Path explicitly
> advertises itself as a service for marketers, and I _never_ knowingly
> subscribe to a marketing list, these scores should be (smallish)
> positive as far as I'm concerned.

I have repeatedly had problems with returnpath, getting spam from places
that they have "certified".   The notion of giving those rules a small
positive score is quite reasonable.

Generally, SA assigns scores based on a ham/spam corpus.  For rules that
aren't pay-to-play whitelists, this is totally reasonable.  For
whitelists that take money from senders that send spam, it isn't
reasonable.  So I have long held that SA should have a far more
stringent policy for negative scores for whitelists, in the case where
the whitelist is compensated for a listing.  Specifically, a duty to
delist when there is spam, far more transparency, and a listing policy
that is consistent with SA's definition of spam.

My most recent returnpath problem was from brewster, where someone I
don't know "invited" me.  I hold that any service that
permits/encourages uploading an entire address book and sending
"invitations" to the entire set is outright spam.  (Letting people type
in one email address at a time is light grey...)  I don't know what
actually happened in this case - I did get a response back from my 2nd
complaint to returnpath, and there wasn't enough information to
determine exactly how the particular case falls.