First, large ISPs seem to be the origination point for a *lot* of spam. Second, here's my list of the domains we could potentially whitelist for SPF_PASS results (high count, good ratio, not biased towards open source folks).
0.0000 90 health.webmd.com 0.0000 27 foolsubs.com 0.0000 23 ms3.lga2.nytimes.com (list *.nytimes.com ?) 0.0000 17 match.com 0.0000 9 paypal.com For a different and even less biased approach, I took the listings with 0.01 or lower S/O ratio and ranked them by SenderBase volume (entries above 6.0 on the volume scale). Note that I just extracted registrar-level domain names from the SPF domain lists, so some of these are definitely not completely clean or are not immediately whitelistable. domain volume whitelist? -------------------- ------ ---------- ebay.com 7.5 yeah amazon.com 6.7 yeah speakeasy.net 6.6 paypal.com 6.6 yeah msn.com 6.6 roving.com 6.5 nytimes.com 6.5 yeah m0.net 6.5 classmates.com 6.5 exacttarget.com 6.4 sparklist.com 6.2 sourceforge.net 6.1 securityfocus.com 6.1 spamarrest.com 6.0 rm04.net 6.0 redhat.com 6.0 foolsubs.com 6.0 yeah bluehornet.com 6.0 So, based on all that, I'm thinking we could experimentally add SPF_PASS whitelists for: ebay.com amazon.com paypal.com nytimes.com foolsubs.com webmd.com match.com I checked NANAE and the above domans seem to be pretty clean and this jives with my recollection. -- Daniel Quinlan http://www.pathname.com/~quinlan/
