[Bug 6668] New: DNSWL is lacking a rule to communicate excessive use to users

[bugzilla-daemon]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6668

             Bug #: 6668
           Summary: DNSWL is lacking a rule to communicate excessive use
                    to users
           Product: Spamassassin
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Rules
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: dar...@chaosreigns.com
    Classification: Unclassified


In bug #6220 it was discussed that Spam Eating Monkey has a way to trigger
SpamAssassin to intentionally cause false positives by returning a value of
127.0.0.255 in cases where people are abusing their service with excessive
load.

DNSWL.org has had this kind of problem recently, with some folks who have been
particularly difficult to contact about it, and has resorted to returning a
trust value of "HI" to all queries from the problematic users.

I'd like to provide DNSWL with a better option, to handle a return value of
127.*.*.255, and instead of hitting "RCVD_IN_DNSWL_HI", hit a rule that
explains that there is a problem with abusive levels of load on the DNSWL
servers.

How was that implemented for Spam Eating Monkey?  There doesn't seem to be a
rule to match *.255.


Should I create a rule like this?

score RCVD_IN_DNSWL_ABUSE -100 # I figure getting it noticed quick is best for
everybody?

##{ RCVD_IN_DNSWL_ABUSE ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header  RCVD_IN_DNSWL_ABUSE        eval:check_rbl_sub('dnswl-firsttrusted',
'^127\.0\.\d+\.255$')
describe RCVD_IN_DNSWL_ABUSE       You are using a DNS server that is placing
too high a load on the DNSWL.org DNS servers without a subscription, please see
https://subscription.dnswl.org/
tflags RCVD_IN_DNSWL_ABUSE         nice net
endif
##} RCVD_IN_DNSWL_ABUSE ifplugin Mail::SpamAssassin::Plugin::DNSEval


Returning _HI for everything is resulting in many false negatives for the
abusing users, and thinking about ideal scores for this kind of situation, I
think maybe a large negative score should be used for things like SEM as well,
because not filtering out spam is always a much better failure mode than
filtering too much as spam.

Also, I think it's really irresponsible for SpamAssassin to expose users to
this kind of punitive activity without actually warning them of the usage
thresholds of the services involved, as Warren lists here: 
http://www.spamtips.org/2011/01/usage-limits-of-spamassassin-network.html


The DNSWL folks who started making this use of _HI are probably not aware of
this option, and I just heard this was happening for the first time, so I'm
going to go point them to this bug now.  (For those who may be new, I'm a DNSWL
admin.)

-- 
Configure bugmail: 
https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.