Posted to users@spamassassin.apache.org by Christian Brel <br...@copperproductions.co.uk> on 2010/01/05 20:20:53 UTC

Re: [SPAM:9.6] semi-legit senders in DNSWL and habeas - a hard problem

On Tue, 05 Jan 2010 12:10:28 -0500
Greg Troxel <gd...@ir.bbn.com> wrote:

> 
> I've recently gotten multiple spams from linkedin.  (I don't consider
> invitations from people I dimly have heard of spam.)  These are
> typically invitations that are sent to mailinglists, and occasionally
> invitations from people that I have never ever heard of.
> 
> I believe what is going on is that there is some way for people to
> upload an entire addressbook and then bulk-spam all those addresses
> with invitations.
> 
> The problem is that linkedin is getting adjusted scores due to
> 
>   RCVD_IN_DNSWL_MED
>   HABEAS_ACCREDITED_SOI
>   RCVD_IN_BSP_TRUSTED
> 
> Here is an example (I have the postgis mailinglist in
> trusted_networks):
> 
>   http://www.lexort.com/spam/spam-linkedin.out.txt
> 
> At least for my scores, the +2 points for HABEAS and BSP
> counterbalance the dnswl.
> 
> I have sent mail to abuse@linkedin.com, but have never gotten any
> response.
> 
> I complained to dnswl, and that got linkedin.com moved to MED from HI
> (thanks!), but I think MED is still excessive.
> 
> Once again I went to returnpath and senderscorecertified's web pages,
> and found no link to an email address to report being spammed by one
> of their customers.  Can anyone from returnpath explain why this
> glaring problem hasn't been fixed, or better yet fix it?  And also
> remove linkedin as a certified address, because they are spamming?
> 
> This is a general problem, more than linkedin - this has happened with
> twitter and facebook as well.
> 
> The problem seems to have multiple related components:
> 
>   linkedin is a spam source because they offer bulk inviting
> 
>   whitelists list them because some of their mail is legitimate
> 
>   SA gives negative points to whitelists where most of the hosts on
> the whitelist don't send spam, and those that do send some ham
> 
> Clearly some things that should happen are:
> 
>   dnswl should drop linkedin, because it doesn't meet "Extremely rare
>   spam occurrences, corrected promptly." because 1) this keeps
> happening because the structural problem has not been addressed and
> 2) there is no functioning abuse@.  I don't think linkedin belongs
> even in LOW, but it's fair to be in NONE (legit server, also sends
> spam).
> 
>   returnpath should drop linkedin, because they send spam and the
> mails I referenced above clearly do not meet any definition of opt in
> 
> But it's hard for SA to cause these changes.  dnswl clearly has value,
> and perhaps part of the difficulty is that it gets used for two
> reasons: not blocking connections or greylisting at the MTA level,
> and spam filtering.  It's certainly reasonable for linkedin to be in
> a "don't outright block" list, but not for it to get a pass from
> filtering given the spam that comes out of it.
> 
> Does anyone have any ideas of what else might help?


#ADD TO THE END OF local.cf at your own risk
score RCVD_IN_BSP_TRUSTED 0 4.3 0 4.3
score RCVD_IN_SSC_TRUSTED_COI 0 3.7 0 3.7
score HABEAS_ACCREDITED_COI 0 8.0 0 8.0
score HABEAS_ACCREDITED_SOI 0 4.3 0 4.3
score HABEAS_CHECKED 0 0.2 0 0.2
score RCVD_IN_DNSWL_LOW 0 1 0 1
score RCVD_IN_DNSWL_MED 0 4 0 4
score RCVD_IN_DNSWL_HI 0 8 0 8
score RCVD_IN_IADB_VOUCHED 0 2.2 0 2.2
score RCVD_IN_IADB_DOPTIN 0 4 0 4
score RCVD_IN_IADB_ML_DOPTIN 0 6 0 6
score HASHCASH_20 0.500
score HASHCASH_21 0.700
score HASHCASH_22 1.000
score HASHCASH_23 2.000
score HASHCASH_24 3.000
score HASHCASH_25 4.000
score HASHCASH_HIGH 5.000

Re: [SPAM:9.6] semi-legit senders in DNSWL and habeas - a hard problem

Posted by ram <ra...@netcore.co.in>.
On Tue, 2010-01-05 at 14:39 -0500, Bowie Bailey wrote:

> Christian Brel wrote:
> > On Tue, 05 Jan 2010 12:10:28 -0500
> > Greg Troxel <gd...@ir.bbn.com> wrote:
> >
> >   
> >>
> >> Does anyone have any ideas of what else might help?
> >>     
> >
> >
> > #ADD TO THE END OF local.cf at your own risk
> > score RCVD_IN_BSP_TRUSTED 0 4.3 0 4.3
> > score RCVD_IN_SSC_TRUSTED_COI 0 3.7 0 3.7
> > score HABEAS_ACCREDITED_COI 0 8.0 0 8.0
> > score HABEAS_ACCREDITED_SOI 0 4.3 0 4.3
> > score HABEAS_CHECKED 0 0.2 0 0.2
> > score RCVD_IN_DNSWL_LOW 0 1 0 1
> > score RCVD_IN_DNSWL_MED 0 4 0 4
> > score RCVD_IN_DNSWL_HI 0 8 0 8

                                                   ^^^^^^^^
Don't your SA-list mails go into spam .. or do you whitelist them?


Re: [SPAM:9.6] semi-legit senders in DNSWL and habeas - a hard problem

Posted by Bowie Bailey <Bo...@BUC.com>.
Christian Brel wrote:
> On Tue, 05 Jan 2010 12:10:28 -0500
> Greg Troxel <gd...@ir.bbn.com> wrote:
>
>   
>>
>> Does anyone have any ideas of what else might help?
>>     
>
>
> #ADD TO THE END OF local.cf at your own risk
> score RCVD_IN_BSP_TRUSTED 0 4.3 0 4.3
> score RCVD_IN_SSC_TRUSTED_COI 0 3.7 0 3.7
> score HABEAS_ACCREDITED_COI 0 8.0 0 8.0
> score HABEAS_ACCREDITED_SOI 0 4.3 0 4.3
> score HABEAS_CHECKED 0 0.2 0 0.2
> score RCVD_IN_DNSWL_LOW 0 1 0 1
> score RCVD_IN_DNSWL_MED 0 4 0 4
> score RCVD_IN_DNSWL_HI 0 8 0 8
> score RCVD_IN_IADB_VOUCHED 0 2.2 0 2.2
> score RCVD_IN_IADB_DOPTIN 0 4 0 4
> score RCVD_IN_IADB_ML_DOPTIN 0 6 0 6
> score HASHCASH_20 0.500
> score HASHCASH_21 0.700
> score HASHCASH_22 1.000
> score HASHCASH_23 2.000
> score HASHCASH_24 3.000
> score HASHCASH_25 4.000
> score HASHCASH_HIGH 5.000
>   

It should be pointed out that the result of this change is to give a
positive score to a bunch of whitelists (the opposite of their intended
use).  I'm not going to enter the argument over whether this is a good
idea or not, but just make sure you know what you are doing before you
blindly apply these score changes.

-- 
Bowie
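
Added example, not part of any post in this thread: a small audit that expands SpamAssassin `score` lines into their four score sets and lists where a whitelist-type rule would add points, which is the effect described in the last reply. The prefix list, the function names and the one negative sample line are assumptions made for the illustration.

```python
# Added example, not from the thread: audit SpamAssassin "score" lines.
import re

# Assumption: prefixes taken from the rule names quoted in this thread, all of
# which are whitelist/accreditation/hashcash rules meant to lower the score.
TRUST_PREFIXES = ("RCVD_IN_DNSWL_", "HABEAS_", "RCVD_IN_BSP_",
                  "RCVD_IN_SSC_", "RCVD_IN_IADB_", "HASHCASH_")

# Order of the four values accepted by the "score" directive.
SCORE_SETS = ("no-net/no-bayes", "net/no-bayes", "no-net/bayes", "net/bayes")

# A few of the overrides posted in the thread, plus one constructed line.
SAMPLE = """\
#ADD TO THE END OF local.cf at your own risk
score HABEAS_ACCREDITED_SOI 0 4.3 0 4.3
score RCVD_IN_DNSWL_MED 0 4 0 4
score HASHCASH_20 0.500
score RCVD_IN_DNSWL_LOW -1   # constructed line for contrast
"""

def parse_scores(text):
    """Return {rule: [s0, s1, s2, s3]} for every plain numeric score line."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"score\s+(\S+)\s+(.+)$", line)
        if not m:
            continue
        try:
            vals = [float(v) for v in m.group(2).split()]
        except ValueError:
            continue  # relative "(n)" scores are out of scope for this sketch
        if len(vals) == 1:
            vals = vals * 4      # a single value applies to every score set
        if len(vals) == 4:
            rules[m.group(1)] = vals
    return rules

def inverted_trust_rules(text):
    """List (rule, score set, score) where a trust rule adds spam points."""
    hits = []
    for rule, vals in parse_scores(text).items():
        if rule.startswith(TRUST_PREFIXES):
            hits += [(rule, SCORE_SETS[i], v) for i, v in enumerate(vals) if v > 0]
    return hits

if __name__ == "__main__":
    for rule, mode, value in inverted_trust_rules(SAMPLE):
        print(f"{rule:24} {mode:16} +{value}")
```

The four-value lines only take effect in the two score sets where network tests are enabled, while the single-value HASHCASH lines apply in all four.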