https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8193

--- Comment #8 from Stefan <m...@g0v.org> ---
(In reply to Bill Cole from comment #6)
> (In reply to Stefan from comment #5)
> > I have wasted several hours of my time because of this problem, and I want
> > to share what I discovered.
> > 
> > In response to Benny, it turns out there is nothing wrong with the set-up of
> > SpamAssassin on my server and no one was being "ignorant".
> 
> Well, that's not exactly true. 
> 
> No one should be running SA in a configuration that violates the policies of
> the 3rd-party services that it supports. I don't believe that is explicitly
> stated in any documentation, as it is a fundamental rule: it should not need
> stating. 
>  
> > It turns out that this is ENTIRELY INTENTIONAL BEHAVIOR by dnswl.org:
> > 
> > https://www.dnswl.org/?p=120
> > 
> > Summary: Those who haven't paid (or haven't paid enough) eventually start
> > receiving "whitelisted" for ALL queries.  In other words, false positives
> > for ALL spammers.
> 
> The available solutions to dnswl.org providing you bogus information as a
> direct consequence of your behavior all require you to behave differently.
> You can either stop querying dnswl.org or treat them like any other
> commercial service provider by paying their charges for your usage. 
> 
> > Not only that, dnswl.org does not make this at all clear on the main pages
> > of its website.  This took a lot of digging.  They also hide their pricing
> > behind a log-in.  These are not the behaviors of a reputable or ethical
> > organization.
> 
> Yes, despite the .org domain they appear to be a commercial operation rather
> than a charitable organization. You can expect any organization designed for
> making money rather than to serve a charitable function to sometimes be less
> kind than you would like. 
> 
> > I fail to understand why SpamAssassin doesn't warn users about this, why it
> > finds this type of behavior acceptable coming from one of its partner
> > services, and why it places a very high negative spam score of -5.0 on these
> > false positives.
> 
> You are overestimating the strength of the relationship between the
> Spamassassin project and 3rd-party service providers. 
> 
> Personally, I was unaware of that policy, as it diverges from the widely
> used best practice for DNS-based lists: using distinct DNS results for
> policy violations. Knowing that they are doing so, I agree that we should
> not have their lists enabled by default. I will be raising this question
> with others in the community and the PMC. 
>  
> > At the very least, dnswl.org should simply be blocking non-paying users
> > instead of returning false positives, so that SpamAssassin assigns a score
> > of 0.0 instead of -5.0 (just like they do with the various blacklists that
> > block queries).
> 
> That's NOT what the others do. All of the SA "BLOCKED" rules match on
> policy-specific replies. As that dnswl.org page notes, refusing queries is
> not useful because it garners no attention from those being refused and
> won't even be really visible to the worst offenders, those who refuse to
> operate their own recursive DNS resolvers and instead use free public
> resolvers. 
> 
> If I thought it would be welcomed in the community, I'd make all of the
> "BLOCKED" rules score significant negative (i.e. hammy) scores so people
> would fix their configs… 
> 
> > Instead, SpamAssassin and dnswl.org work together to 'punish' web hosting
> 
> WE DO NOT WORK "TOGETHER" WITH DNSWL IN ANY WAY. 
> 
> The 3rd-party services referenced in SA use the same free public mechanisms
> that can be used by anyone without SA. We don't set their policies or
> actively track changes. Changing defaults for such services is done on an
> as-noticed as-needed basis without considering the preferences of the
> operator of the 3rd-party service. 
> 
> Devising conspiracy theories to explain filters not doing the job you expect
> them to do is not productive. Spam filters make mistakes by their nature,
> and it requires no one nefariously working together to make you sad. Really.
> 
> 
> > companies by deliberately poisoning their customers' spam filters.  Punish
> > the peasants to teach the king a lesson.
> 
> Nothing in SA exists to punish SA users at any level or teach them any sort
> of lesson as a consequence of unwise behavior.
> 
> If you believe otherwise, I urge you to not use SA. No one should use what
> they believe to be Fascist software. 
>  
> > My web hosting company's solution is: Set all dnswl.org-related scores to
> > 0.0.  At this point I can't argue about that; dnswl.org are making
> > themselves irrelevant through their irresponsible behavior.
> 
> All mail servers acting as public MXs should be running their own local
> recursive DNS resolver, rather than relying on any sort of "upstream"
> provider. This is a widely recognized best practice for many reasons, not
> just the issue of one list operator engaging in hostile self-defense. 
> 
> Anyone using a free DNS-Based List (or other free service) as a part of
> their commercial offerings needs to be aware that even with their own
> resolvers, they are burdening the list operators and those who provide list
> secondaries with their queries. It is your moral obligation to pay for
> services that you rely upon according to the policies of the service
> provider. If your query volume is higher than a list's limits on free use,
> you are ethically required to stop or to pay for it. 
> 
> Setting ALL DNSWL rules to zero is one way to assure that you don't get
> bogus results from them, because you won't query them. Other ways include
> (*in addition* to the baseline of using your own recursive resolvers)
> staying below their limit for free use or paying them for more usage.

Hi Bill,

Thank you for responding.

My web host may be penny-pinching or incompetent, I don't know.  But this is no
reason for dnswl.org to silently poison innocent users' spam detection systems
and cause hours of frustration while they try to track this problem down.  I
posted in response to this bug report so that others don't waste half a day on
this like I did.

SpamAssassin should add a comment along the lines of "Your web host is acting
irresponsibly so your spam scores may be inaccurate."  Simple, honest, gets the
job done, many users will complain to their web hosts, web hosts will be
embarrassed into taking action.

SpamAssassin currently includes the following text, literally, in the headers
of every email it lets through due to dnswl.org's deliberately false positives
(only the IP address varies):

RBL: Sender listed at https://www.dnswl.org/,
                             high trust
                             [88.209.197.217 listed in list.dnswl.org]

Read the words and compare them to reality:

"Sender listed at https://www.dnswl.org/" -- FALSE STATEMENT
"high trust" -- FALSE STATEMENT
"88.209.197.217 listed in list.dnswl.org" -- FALSE STATEMENT

When someone states something categorically, knowing it is false, that's called
a lie.

Unfortunately, SpamAssassin does not help matters by applying a massive -5.0
point bonus to genuine spam messages because of this falsehood.

And it's all done in complete silence, leaving users spammed and confused.  No
warnings, no explanations, anywhere.

> You are overestimating the strength of the relationship between
> the Spamassassin project and 3rd-party service providers.

Surely SpamAssassin personnel are not so naive that they don't know what a
major spam-fighting partner organization (dnswl.org) is doing, despite the fact
that their query responses contribute a larger spam score (-5.0) than almost
any other rule or organization?  SpamCop gets only a +1.3 score, others even
less.

> That's NOT what the others do. All of the SA "BLOCKED"
> rules match on policy-specific replies.

All of the (many) "BLOCKED" rules that I have seen apply a score of 0.0,
thereby having no overall effect.  Applying -5.0 effectively turns "spam" into
"probably not spam" most of the time.  Massive difference.

> refusing queries is not useful because it
> garners no attention from those being refused

Like I wrote, it's punishing the peasants to teach the king a lesson.  It's
unethical.  If that's what these organizations choose to be, that's up to them,
nothing I can do except bring it to the public's attention.

> If I thought it would be welcomed in the community,
> I'd make all of the "BLOCKED" rules score significant negative
> (i.e. hammy) scores so people would fix their configs

I agree 100%.  Make them all -5.0 so that any web host who offers SA but
doesn't pay its way learns quickly.  Add in a message "Your web host is a
freeloader so this score is inaccurate" and you'd be close to divine
perfection.  The point is, an explanation needs to be included for any
unexpected behavior.

What we have at the moment is a "roll the dice" situation where the spam scores
may or may not be accurate, users are unaware of this, and no one can know for
sure without extensive investigation.

> WE DO NOT WORK "TOGETHER" WITH DNSWL IN ANY WAY.

OK, let's change that to "Effectively work together, whether knowingly or not".
SpamAssassin queries the dnswl.org database, echoes their responses without
question, then massively adjusts spam scores based on their output regardless
of whether it's true or false.

> We don't set their policies or actively track changes.

Again, I find it extremely hard to believe that every single person involved
with SA was unaware that at least one major organization that they utilize is
deliberately poisoning results in order to receive payment.

> Changing defaults for such services is done on
> an as-noticed as-needed basis

If SpamAssassin has now noticed this problem, my work here is done.

> Devising conspiracy theories to explain filters not
> doing the job you expect them to do

I've presented the facts, easily accessible by anyone.  Peddling conspiracy
theories?  I think not.

You yourself pointed out:

- DNSWL are a commercial operation doing business as a .org
- You were unaware of their "make the customer pay by poisoning results" policy
- "it diverges from the widely used best practice for DNS-based lists"
- "we should not have their lists enabled by default"
- one list operator [DNSWL] is engaged in "hostile self-defense"

> Nothing in SA exists to punish SA users at any level
> or teach them any sort of lesson as a consequence
> of unwise behavior.

I was not referring to SA, I was referring to DNSWL.  SA would be guilty only
if it was aware of this and did nothing.  Again, I must say that I find it
EXTREMELY hard to believe that some nobody end user (myself) who is not an
expert in servers, Linux, Apache, email, spam, hosting, DNS (recursive or not),
whitelisting, or blacklisting, and knows absolutely nothing about the internals
of SA, would discover and highlight a problem such as this before any of the
many experts who presumably develop and operate SA daily.  (Do I qualify for a
bug bounty?)

> If you believe otherwise, I urge you to not use SA.
> No one should use what they believe to be Fascist software.

Indeed, switching off SA is an easy option.  But if you prefer to suggest we do
that rather than putting your house in order, that paints a rather sad picture
of the culture within SA, does it not?

> It is your moral obligation to pay for services that you
> rely upon according to the policies of the service provider.
> If your query volume is higher than a list's limits on free use,
> you are ethically required to stop or to pay for it.

I agree 100%.  I have just berated my web host and asked them what is going on;
they are taking longer than usual to respond.  They need to either stop
offering SA to their users, or warn them of inaccuracy, or pay their dues.

And SpamAssassin users deserve full transparency from all involved.

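The following is an added example, not code from this bug thread or from the SpamAssassin project. It shows how a mail operator could audit their own X-Spam-Status headers for the failure mode Stefan describes (a whitelist that suddenly fires on nearly every message), count how many messages the -5.0 bonus pulled back under the spam threshold, and emit the local.cf score overrides his web host applied. The rule names RCVD_IN_DNSWL_LOW/MED/HI are SpamAssassin's own; the -5.0 value comes from the thread; the sample headers, the 50% alert threshold and the function names are constructed for this demonstration.

```python
"""Audit SpamAssassin X-Spam-Status headers for a DNS whitelist that has
started answering "listed, high trust" for everything.

Added example, not SpamAssassin project code.  Assumptions: the rule
names below are the DNSWL rules shipped with SpamAssassin, the -5.0 score
for RCVD_IN_DNSWL_HI is the default quoted in this thread, and the
headers in SAMPLE_HEADERS are constructed test data.
"""
import re

# SpamAssassin's DNSWL rules; extend if your rule set defines more
# RCVD_IN_DNSWL_* variants (e.g. a _BLOCKED rule, if present locally).
DNSWL_RULES = ("RCVD_IN_DNSWL_LOW", "RCVD_IN_DNSWL_MED", "RCVD_IN_DNSWL_HI")
DNSWL_HI_SCORE = -5.0  # default score for RCVD_IN_DNSWL_HI, per the thread

# Constructed sample: six X-Spam-Status lines as an MTA would add them.
SAMPLE_HEADERS = [
    "X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_99,RCVD_IN_DNSWL_HI,URIBL_BLACK autolearn=no version=3.4.6",
    "X-Spam-Status: No, score=1.1 required=5.0 tests=BAYES_99,HTML_MESSAGE,RCVD_IN_DNSWL_HI,URIBL_BLACK autolearn=no version=3.4.6",
    "X-Spam-Status: No, score=4.9 required=5.0 tests=BAYES_99,RCVD_IN_DNSWL_HI,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no version=3.4.6",
    "X-Spam-Status: No, score=-4.8 required=5.0 tests=DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.4.6",
    "X-Spam-Status: Yes, score=7.3 required=5.0 tests=BAYES_99,RCVD_IN_DNSWL_HI,URIBL_BLACK,URIBL_DBL_SPAM autolearn=spam version=3.4.6",
    "X-Spam-Status: No, score=-1.0 required=5.0 tests=DKIM_VALID,HTML_MESSAGE autolearn=ham version=3.4.6",
]

_STATUS_RE = re.compile(
    r"score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+"
    r"tests=(?P<tests>[A-Z0-9_,]+)"
)


def parse_status(header):
    """Return {'score', 'required', 'tests'} parsed from one X-Spam-Status line."""
    m = _STATUS_RE.search(header)
    if m is None:
        raise ValueError("not an X-Spam-Status header: %r" % header)
    return {
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": m.group("tests").split(","),
    }


def dnswl_hi_rate(headers):
    """Fraction of messages on which RCVD_IN_DNSWL_HI fired.

    A healthy whitelist hits a small minority of inbound mail; a rate near
    1.0 across many distinct senders is the symptom described in the thread.
    """
    parsed = [parse_status(h) for h in headers]
    hits = sum(1 for p in parsed if "RCVD_IN_DNSWL_HI" in p["tests"])
    return hits / len(parsed)


def rescued_by_dnswl(headers, hi_score=DNSWL_HI_SCORE):
    """Count messages that scored below 'required' only because of the
    RCVD_IN_DNSWL_HI bonus, i.e. spam that the -5.0 let through."""
    n = 0
    for p in (parse_status(h) for h in headers):
        if "RCVD_IN_DNSWL_HI" not in p["tests"]:
            continue
        without_bonus = p["score"] - hi_score
        if p["score"] < p["required"] <= without_bonus:
            n += 1
    return n


def looks_poisoned(headers, threshold=0.5):
    """True when the DNSWL_HI hit rate exceeds the (constructed) alert threshold."""
    return dnswl_hi_rate(headers) > threshold


def zero_dnswl_scores(rules=DNSWL_RULES):
    """local.cf lines neutralising the DNSWL rules, as the thread's web host did."""
    return "\n".join("score %s 0" % r for r in rules)


if __name__ == "__main__":
    print("DNSWL_HI hit rate: %.2f" % dnswl_hi_rate(SAMPLE_HEADERS))
    print("messages rescued by the bonus:", rescued_by_dnswl(SAMPLE_HEADERS))
    if looks_poisoned(SAMPLE_HEADERS):
        print("suspicious; suggested local.cf overrides:")
        print(zero_dnswl_scores())
```

Run it against real headers by replacing SAMPLE_HEADERS with lines pulled from the mail store; the rate check is the cheap early warning, and the rescued count is what actually tells you how much spam the bonus let through before the overrides were put in place.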