Michael Peddemors wrote, On 18/6/08 4:48 PM:
> Of course, not trying to start a flame war.. but that response isn't really formatted as a policy, or is it? Even that would be a start.
That's a good point, and maybe one of the more administrative oriented members of the PMC will weigh in. I'm personally more interested in software development questions rather than policy until it becomes time to debate and vote on an issue within the PMC.
However, I think SpamAssassin manages to avoid the hard questions that arise when you get to the grey areas. We have a strong bias against negatively scored rules (so-called 'nice' rules) because from a technical perspective it is very hard to have a nice rule that does not provide a loophole for a spammer to take advantage of. The def-whitelist is a case in point. We do not compile a list of 'good' companies that are exempt from the rules, as that would open up all the issues that you mention of how to police the list. The closest there is to that is the Habeas list, for which Habeas has all the headaches of making sure that the list stays clean, their reputation is on the line, and the entire rule can be pulled if Habeas doesn't continue to manage their list properly. The def whitelist consists only of domains that we have found don't generate actual spam, aren't likely to, and most importantly generate significant numbers of false positives if they are not whitelisted.
The primary criterion we use for all of our rules and methods is improvement in the measures of performance, which measure the ability to discriminate between spam and ham, minimizing false positives and false negatives. efax.com mail doesn't show up in our spam corpora and we don't get complaints about them being in the def whitelist. Or, rather, the few times we do, it turns out that the person is complaining about the third-party advertising that they send to people who have efax-Free accounts. That is double-opt-in confirmed, and so does not meet any accepted definition of spam.
> But of course, (and we aren't talking about any one company here) a lot of companies make the claims that they conform to the above, and yet the same IPs are used to send email out under less than conforming circumstances..
I would not want the headache of maintaining a large white list of supposedly good companies. Our def whitelist is plenty big enough for me, and I am quite willing to see removed any company that either doesn't live up to its non-spammer categorization, or even any company that is no longer large enough or a source of a significant number of false positives.
> I think the most important item you mentioned is double opt-in, which is an entirely different kettle of fish, unless of course they send this as 'Just to confirm you wish to get Daily Horoscopes', with a tiny link to terms of service which no one reads.. Or social engineering to get people to agree.
I just subscribed to eFax-Free to confirm the procedure. It is as I remembered from when I once actually used the service. They really don't want people to use their free service, and make it difficult to find on their website. They clearly state the terms and require clicking on an activation link that is sent in a confirmation email. This is not a service that they push in any way, and in fact they are quick to permanently suspend the free service if you receive more than 20 faxes in any month. They really want people to upgrade to the paid service, which does not include the third-party marketing email, and they have no problem with canceling the free service if you don't want that upgrade.
> I don't think anyone on the SA team wants to start playing whack-a-mole with all the companies that can claim the same and that want preferential (i.e. don't stop my mail) treatment..
I agree. I think that the way to avoid the whack-a-mole game is to not have a large general-purpose whitelist, and we don't have one.
-- sidney
