hey -- after the Jan 1 thing, I wrote up a blog post of my thoughts: http://taint.org/2010/01/04/003841a.html -- the key bit:
> Personally, I see a few lessons from this:
>
> - Obviously, I need to pay more attention. This is easier said than done
> though, since SpamAssassin has nothing to do with my day job anymore;
> it’s a spare-time thing nowadays, and that’s a rare resource,
> unfortunately. :( But still, a chastening result, and I’m very sorry for
> my part in this screwup.
>
> - We need more active committers on Apache SpamAssassin. If we’d had more
> eyes, the fact that I’d forgotten to backport the fix might have been
> spotted. We’re definitely in a better situation now in this regard than
> we were 6 months ago, so that’s good.
>
> - IMO, this is a good demonstration of how too many simple rules are
> risky; without careful vetting and moderation, it’s easy for a bad one to
> slip past. Perhaps we need to move more towards a DNSBL/network-rule
> driven approach, although this has its downsides too. Still thinking
> about this.
>
> - It’d be good to fix the GA so that it wouldn’t assign such high points
> to simple rules like this, without some indication that a human has
> vetted them and believes them trustworthy.

Thought it'd be worth posting here to see if these warrant discussion. ;)

-- 
--j.
