Re: KAM pccc URIBL questions

2013-10-09 Thread Kevin A. McGrail

On 10/7/2013 10:37 PM, Rob McEwen wrote:

> On 10/7/2013 7:42 PM, Raymond Dijkxhoorn wrote:
>
>> This is harming more than it does good. But it's your list so your
>> rules ;) I would not want to use it to filter my mails with it but hey
>
> Since this is in its early development, it is probably too early to
> judge it too much. But from what I've read in this discussion, it is
> light years away from the current major URI/domain blacklists out
> there (SURBL, URIBL, ivmURI, DBL)... BUT... Kevin is brilliant so who
> knows what it might eventually become?

Thanks. You're quite kind.  I've helped with some of the other lists but
what I'm trying to focus on is tools and methods to identify spam and 
spammers.

> ALSO...There is an argument that a more-aggressive-than-normal AND
> low-scoring URI list may be helpful? In that sense, URIBL.com has
> traditionally been considered slightly more aggressive than the other
> lists mentioned above... SLIGHTLY! Maybe something much MORE aggressive,
> intended for very low scoring... would be useful? (this would be
> situations where bayes or checksum content filters add points to the
> spam score combined with such an aggressive URI list putting the message
> over the top... but then skipping blocking a legit message with this
> URI because it didn't have the other content points added and thus
> didn't score high enough--at least that is the idea)

I think some aggression is needed because as DFS and others put it, they 
need an impetus to change their methods.  For example, we can't just 
allow companies carte-blanche to spam and give commissions to spammers 
but then claim they aren't spammers by just saying it's our 3rd party 
partners.


The good news is that cvent took notice of the blocking and contacted me 
offlist so I've removed their domains from the RBL while I discuss 
things with them in good faith towards improving their anti-spam procedures.


Regards,
KAM


Re: KAM pccc URIBL questions

2013-10-09 Thread Kevin A. McGrail

On 10/7/2013 7:53 PM, Martin Gregorie wrote:
> If, on inspection, there is any reliable way to distinguish spam from
> ham in the stream coming from cvent, you could drop the RBL score down
> a lot (0.01 ?) and write a meta that blocks just the spam.

Perhaps but I do think there is some measure of a need for negative 
consequences for many firms to be reliable and conscientious netizens.  
I'm not out to get cvent but I do have some pretty hard evidence they 
have a spamming problem.  I'm very interested in what they say about it 
and I'm giving them the opportunity to explain.


regards,
KAM



Re: KAM pccc URIBL questions

2013-10-09 Thread Kevin A. McGrail

On 10/7/2013 7:38 PM, Alex wrote:

>> How would another RBL handle a company that I have personally received
>> evidence of spamming even if it causes FPs?
>
> Apparently none of the other RBLs consider it spam.

Well then the RBL I'm envisioning might be different.  But my goal is to 
get framework done and a Proof of Concept and hand it over to the 
project so it could evolve.


> I've asked the list a few times before about similar companies, such
> as verticalresponse.com, which are also mass e-marketers, and I doubt
> very much whether all recipients have signed up for their
> newsletters or webinars.
>
> There wasn't really any consensus on the list for this sender either.
> I've left them off my blacklist for now, despite seeing messages
> pertaining to hair care and gutter cleaning from their customers.
> They're also not on any public blocklists.

I haven't seen any samples for them but I have some techniques I use 
with things like specific email addresses, etc. that make misuse very 
apparent.


I often see spams that appear to be database compromises because of 
this.  Just looking at a few days sampling, I can spot:


eWeek
Seagate
MotleyFool
Joomla Shack
Dropbox
DynDNS
Online Sports
Red Envelope
WhitePaperWizard
SecurePayNet/Wild West Domains

That's a 5 minute list and there could be explanations beyond database 
compromises.  But I'm sure people like DFS and those who use 
one-off/specific email addresses for vendors can tell you about when 
they see supposedly private information get out with no notification to 
those affected.


And I'm not listing the companies that I've contacted who have 
appropriately gone "Oh Crap!" and handled it professionally.  Some like
SecurePayNet handled it very unprofessionally in my opinion wasting time 
of people like me just trying to help them realize they have a major 
security risk.  Lead a horse to water...

> How many of those are now on the dbl or zen?

Spot checking URIBL_DBL shows some overlap but it's very minimal when 
the entries are added.  As the days go by, the overlap appears higher.  
I only have __RCVD_IN_ZEN so I don't have logging of subtests so I can't 
easily check overlap





>> I agree it has collateral damage.  You can explain to them that the emails
>> can be found marked as spam because the company running the events are
>> spammers is my main response.  And searching more about cvent.com just makes
>> me question their practices and others (such as
>> http://www.pissedconsumer.com/reviews-by-company/cvent.html) have confirmed
>> what I have seen which is harvesting of Whois data and spamming it.
>
> Yeah, I saw that too. Their response to me would be to figure out a
> way to only let their legitimate stuff through. I could probably also
> make some noise to get a contact there through my customer, but it
> would probably only lead to lip service. I'd never be able to get them
> to switch providers, and as we've seen with verticalresponse, the
> alternatives have issues too.

I am a bit jaded as well but I have a nice email from someone at cvent 
to go deal with so I'll keep my faith in humanity a bit longer.



> I just figured that since it's immediately being dropped, perhaps
> sending them a bounce would help to control the number you receive
> from them, if not just firewall their block outright.

Or just let them know what they have to scrap out of their lists to hide 
the problem...


Yes, it's nice to stop spam but I'm reaching for a higher goal to stop 
spammers.




> That's because you don't do business with them, so anything received
> is unsolicited. In my case, corporate communications are actually
> being blocked.

Conjecture that's untrue.  I blocked them noting the collateral damage 
but again, on our system, we do not block mail, we receive and it's 
tagged as spam allowing a user to manually intervene and get the email.  
We encourage them to contact the company to complain and/or switch to 
more reputable vendors.


Regards,
KAM


Re: KAM pccc URIBL questions

2013-10-09 Thread Kevin A. McGrail

On 10/7/2013 7:42 PM, Raymond Dijkxhoorn wrote:
> Apparently other RBLs care more about collateral damage. I would not
> list this. You would not list microsoft.com either if you accidentally
> get a spam that you feel isn't appropriate. This is harming more than
> it does good. But it's your list so your rules ;) I would not want to
> use it to filter my mails with it but hey ;)

Hi Raymond,

I'm not telling people to use the list to block and I'm admitting I have 
high scores which some might want to seriously dial down.


And I think I will have to consider the collateral damage and document 
it for those interested in the list.


But to answer the theoretical question, if I got multiple spams over a 
course of weeks from employees at Microsoft, I would consider blocking 
them because it can show a culture of spamminess.  Would I block gmail 
or their outlook service for the same reason, no.


But I continually have problems with Google Groups that are abused, 
especially in Arabic and damned if I can get anyone at Google to give a 
damn.  So if I thought blocking google groups might get some attention 
on the matter, I would consider it.  This follows the same reasoning.  
The emails I have are not from 3rd parties or customers of a system but 
from people working at the system itself.


regards,
KAM


Re: KAM pccc URIBL questions

2013-10-09 Thread Martin Gregorie
On Wed, 2013-10-09 at 13:18 -0400, Kevin A. McGrail wrote:
> On 10/7/2013 7:53 PM, Martin Gregorie wrote:
>> If, on inspection, there is any reliable way to distinguish spam from
>> ham in the stream coming from cvent, you could drop the RBL score down
>> a lot (0.01 ?) and write a meta that blocks just the spam.
> Perhaps but I do think there is some measure of a need for negative
> consequences for many firms to be reliable and conscientious netizens.

I'm not disagreeing with you: it would be nice if the likes of cvent
would police their subscribers better, ideally by running subscriber
output streams through SA.

My suggestion was meant for the OP rather than generally, and was made on
the assumption that cvent was not going to listen to any criticism or police
its subscribers.

> I'm not out to get cvent but I do have some pretty hard evidence they
> have a spamming problem.  I'm very interested in what they say about it
> and I'm giving them the opportunity to explain.
 
A low-cost solution would be for their outgoing MTA to add a header to
tag outgoing messages with the identity of the subscriber. This is
unforgeable since it would be added by the sending smarthost and would
make it easy to block spamming cvent subscribers with a meta-rule while
leaving other mail sources alone. It would also leave the definition of
a 'spammer' to the receiving MTA. This has benefits since some message
content is not universally regarded as spam.

Cheers,
Martin
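
[Added example, not part of the original thread and not taken from KAM.cf: one way to write the local.cf override Martin describes, with the list hit scored at 0.01 and metas that add points only when something else distinguishes the spam. The header name X-Example-Subscriber-ID, the subscriber IDs, the LOCAL_* rule names and the scores are assumptions made for illustration; the thread only proposes such a header.]

```conf
# Added illustration; assumes KAM_FROM_URIBL_PCCC is already defined
# as in the rule set quoted in the first post of this thread.

# 1. Keep the list lookup, but make a hit on its own nearly score-neutral.
score     KAM_FROM_URIBL_PCCC         0.01

# 2. A sender-added header is only worth trusting on mail that really
#    came from that sender. Needs the SPF and DKIM plugins loaded.
meta      __LOCAL_PCCC_AUTHED         (KAM_FROM_URIBL_PCCC && (SPF_PASS || DKIM_VALID_AU))

# 3. Hypothetical per-subscriber tag added by the sender's smarthost.
#    Header name and the IDs 1001/1002 are constructed placeholders for
#    subscribers this site has decided to treat as spammers.
header    __LOCAL_SUBSCRIBER_BAD      X-Example-Subscriber-ID =~ /^(?:1001|1002)$/

meta      LOCAL_PCCC_BAD_SUBSCRIBER   (__LOCAL_PCCC_AUTHED && __LOCAL_SUBSCRIBER_BAD)
describe  LOCAL_PCCC_BAD_SUBSCRIBER   PCCC-listed sender, locally blocked subscriber
score     LOCAL_PCCC_BAD_SUBSCRIBER   5.0

# 4. Where no such header exists, require content corroboration instead:
#    the list hit only counts when Bayes or a checksum filter agrees.
meta      LOCAL_PCCC_CORROBORATED     (KAM_FROM_URIBL_PCCC && (BAYES_95 || BAYES_99 || RAZOR2_CHECK || DCC_CHECK || PYZOR_CHECK))
describe  LOCAL_PCCC_CORROBORATED     PCCC-listed sender plus Bayes or checksum hit
score     LOCAL_PCCC_CORROBORATED     3.0
```

Run `spamassassin --lint` after adding rules like these; a listed sender's confirmation mail that hits neither meta then gains only 0.01 from the list.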







Re: KAM pccc URIBL questions

2013-10-09 Thread David F. Skoll
On Wed, 09 Oct 2013 19:31:41 +0100
Martin Gregorie mar...@gregorie.org wrote:

> My suggestion was meant for the OP rather than generally, and was made on
> the assumption that cvent was not going to listen to any criticism or
> police its subscribers.

Surely a mailing list provider that does not police its subscribers
absolutely deserves to be blocked?

> A low-cost solution would be for their outgoing MTA to add a header to
> tag outgoing messages with the identity of the subscriber.

Mailing list providers have no incentive to do this unless/until they
start getting blocked.  It's simple economics.

Regards,

David.


KAM's email to Cvent Re: KAM pccc URIBL questions

2013-10-09 Thread Kevin A. McGrail
Below is a copy of the email from Cvent and my response with some minor 
redaction so as to keep who I'm in discussion with private unless they 
want to take the discussion public.


regards,
KAM

Sorry for the delay on this response but I wanted to give it some 
serious attention especially as the chair of the SpamAssassin project.
As part of that project, I have an onus to the foundation to maintain 
transparency and discuss this on the mailing list (See 
http://theapacheway.com/ for more about this.)  For now, I've cc'd the 
project management committee and will forward a copy of the email 
removing your name but welcome this discussion to continue on the User's 
forum for SpamAssassin.  I think if you can show you are working in good 
faith to fix the issues, you will see the anti-spam community rally 
behind you.


First off, I have removed your current RBL entry from the list in 
discussion based solely on the fact that you have reached out in good 
faith on a dialogue about the issue.  Thank you for taking the time to 
do that.  I look very much forward to your response and will keep an 
open mind.


Second, I will give you a portion of the evidence I have. However, to 
me, this is less about fixing specific issues of spam and instead fixing 
either the culture or architecture that is allowing this systemic abuse.


For example, I can see some abuse by one of your customers:

vette:Aug 21 10:51:40 2013 (15216) TheBoard post from 
webin...@crowdcompass.com held, 
message-id=0eb40c9d-3fbf-41e9-bba0-b6affc1a9af4-x...@cventinvite.com: 
Post by non-member to a members-only list
vette:Aug 28 10:53:36 2013 (15216) TheBoard post from 
webin...@crowdcompass.com held, 
message-id=4ca68d68-c5ad-4c87-a0a3-854f5afe38c8-x...@cventinvite.com: 
Post by non-member to a members-only list
vette:Sep 03 10:51:55 2013 (15216) TheBoard post from 
webin...@crowdcompass.com held, 
message-id=79c0efae-c209-492c-ac2d-48ada0b3bebd-x...@cventinvite.com: 
Post by non-member to a members-only list


This is something where sometimes your only recourse is canceling the 
customers account or limiting their email abilities.


However, I've also seen cases where companies have 'free trials' or poor 
credit card fraud procedures which lead to signing up for accounts they 
plan to run the wheels off.  In these cases, we need to see a systemic 
change in that procedure.


In other cases, we've seen companies blame everything on partners who 
receive commissions and therefore they aren't responsible for the 
activities of the partner.  Well from our perspective they are 
responsible.  We follow one definition of spam from Chris Santerre which
is "Spam is about Consent not Content".  If the consent is there, it's
not spam.  And I am a capitalist and believe things like someone 
purchasing from your firm is a de facto consent to send necessary 
documents (receipts, terms of service, follow-up pings, etc.) UNTIL that 
customer asks to be removed or you haven't contacted them in a 
protracted period of time.



Unfortunately, in the next two examples, I have received unsolicited 
emails from *Darrell Gehrt* purporting to be the Division Head, Web
Surveys at your firm.  Checking linkedin and your firm's blog concur.
And I also have unsolicited emails from *Meg Stensrud* purporting to be a
Regional Sales Manager at your firm.  Again, linkedin appears to confirm 
this information and the latter is the one that appears to have used 
scraped whois data tied to an address where they have incorrectly tied 
me to springvalley law group.  Two example headers are available at 
http://pastebin.com/Q0knc6ei


Interestingly, http://washington.oneyellow.com/ID/1277768 shows 
springvalley law group at 5335 Wisconsin Ave NW , # 400, Washington, 
DC 20015 Local Phone: (202)895-1648 Fax: (202)966-6455.


That address USED to be Luse Lehman Gorman Pomerenk and Schick which I 
have been associated with in whois records but this shows scraping and 
cross-database use that points to a foundational issue and misuse of 
database mining in marketing campaigns at your firm.  I should also 
mention that email address hasn't been used actively in over 10 years 
which shows a very protracted length of time for legitimate business.


But perhaps you can defend this with some provenance on the email 
addresses.   But I'm sure you won't be able to show anything with 
Springvalley Law Group.  In the end, I won't be shocked at all if the 
best you can find out is you have some people in your marketing 
department doing some very shady marketing.


The real question is what you can do to fix the issue.   If we continue 
to see unwanted email, we may list them again.  We rely on your 
proactive monitoring of your customers (and 
employees/agents/contracts/etc.) to ensure that this won't happen; the 
onus should not be on us to report spam to you.


regards,
KAM




On 10/7/2013 2:45 PM, XXX wrote:


Hello Kevin McGrail,

Your posting today on the SpamAssassin users list was 

Re: KAM pccc URIBL questions

2013-10-08 Thread David F. Skoll
On Mon, 7 Oct 2013 19:38:38 -0400
Alex mysqlstud...@gmail.com wrote:

> I've asked the list a few times before about similar companies, such
> as verticalresponse.com, which are also mass e-marketers, and I doubt
> very much whether all recipients have signed up for their
> newsletters or webinars.

My preference is to list quasi-legitimate spammers as spammers or at the
very least as a mixed source.  Companies like verticalresponse.com
et al. have no economic incentive to curb spamming unless they are
threatened with a bad reputation.

I realize this may not go over well if you have customers who use the
service or want to receive mail from it, so a light hand is required.
We maintain an (IP-based) RBL and most of these quasi-legit spammers
end up on the mixed list, which is as the name implies: These IPs
are shady but not bad enough to block outright, so we add a couple of
points.

Regards,

David.


Re: KAM pccc URIBL questions

2013-10-08 Thread Alex
Hi,

>> I've asked the list a few times before about similar companies, such
>> as verticalresponse.com, which are also mass e-marketers, and I doubt
>> very much whether all recipients have signed up for their
>> newsletters or webinars.
>
> My preference is to list quasi-legitimate spammers as spammers or at the
> very least as a mixed source.  Companies like verticalresponse.com
> et al. have no economic incentive to curb spamming unless they are
> threatened with a bad reputation.

I've done that to some extent, and have been moderately successful. I
found it competes with some of the whitelists, ironically.

I'm assuming this is a service you offer, or would you be able to
share your list?

Thanks everyone for your help.

Thanks,
Alex


Re: KAM pccc URIBL questions

2013-10-07 Thread Kevin A. McGrail

On 10/6/2013 7:09 PM, Alex wrote:

> I'm using Kevin's KAM_FROM_URIBL_PCCC rules for the multi.pccc.com
> URIBL. Why is it designed to be a poison pill? It caught cvent.com,
> causing a bunch of mail to FP.
>
> I'm just curious if this URIBL is indeed this trustworthy, if these
> KAM rules are still used, and how it is working for you?

I use those rules ;-) And currently that RBL is in testing stages where 
I am personally vetting all the data.  So I believe the trustability is 
quite high.  Please email if you have questions and we do look at them.


cvent-munge.com was added on 9-24 and cventsurveys-munge.com added on 10-1.

I personally received the spam from them from what appears to be scraped 
whois data: http://pastebin.com/Q0knc6ei has the headers for the two emails.


So if cvent is legit, they are being abused by people sending spam and I 
consider them candidates for the list but I'm open to suggestions.


I then considered removing the entries but upon checking further, I 
found more spams from people who work at cvents.  And it appears they 
have scraped my association with a law firm by address in whois (5335 
wisconsin avenue) and tied me to Springvalley Law Group. Right address, 
wrong suite, wrong company, still never had permission to spam me. They 
are spammers and should be blocked.  If you are using them, consider 
taking your business elsewhere as they support spammers using their 
system AND they themselves send spam.


I am also positive but only from memory that they spam an NPO I work 
with as well all the time trying to get us to use their services.


I also might recommend you consider lowering the scores I am using. I 
often write poison pill rules that the project would never allow but 
they are based on careful analysis of my corpora.  YMMV and I'm open to 
feedback as I mentioned.  Just don't expect to always like my decisions.


Regards,
KAM



Re: KAM pccc URIBL questions

2013-10-07 Thread Alex
Hi Kevin,

>> I'm using Kevin's KAM_FROM_URIBL_PCCC rules for the multi.pccc.com
>> URIBL. Why is it designed to be a poison pill? It caught cvent.com,
>> causing a bunch of mail to FP.
>>
>> I'm just curious if this URIBL is indeed this trustworthy, if these
>> KAM rules are still used, and how it is working for you?
>
> I use those rules ;-) And currently that RBL is in testing stages where I am
> personally vetting all the data.  So I believe the trustability is quite
> high.  Please email if you have questions and we do look at them.
>
> cvent-munge.com was added on 9-24 and cventsurveys-munge.com added on 10-1.

How about just cvent.com? I've uploaded the headers from one FP here:

http://pastebin.com/UDuDcp4F

> I personally received the spam from them from what appears to be scraped
> whois data: http://pastebin.com/Q0knc6ei has the headers for the two emails.
>
> So if cvent is legit, they are being abused by people sending spam and I
> consider them candidates for the list but I'm open to suggestions.

They're a huge event planning company, but also apparently are email marketers.

Somehow I forgot this was your RBL. How many entries are on it? What's
your procedure for adding them?

> I also might recommend you consider lowering the scores I am using. I often
> write poison pill rules that the project would never allow but they are
> based on careful analysis of my corpora.  YMMV and I'm open to feedback as I
> mentioned.  Just don't expect to always like my decisions.

We had one user complain, and after investigating, realized there are
hundreds of messages in the quarantine from this sender. They mostly
appear to be just e-marketing crap, but there are a few where people
have actually planned events and missed their confirmation emails,
etc., so I can't just block them.

With a poison pill attitude towards them, wouldn't it just be better
to reject them outright?

Anyway, I'm hoping you could explain your RBL further, because I value
your expertise, and would like to take advantage of this, but will
probably have to adapt a bit for my environment.

Thanks buddy,
Alex


Re: KAM pccc URIBL questions

2013-10-07 Thread Kevin A. McGrail

On 10/7/2013 6:18 PM, Alex wrote:
> How about just cvent.com? I've uploaded the headers from one FP here:
> http://pastebin.com/UDuDcp4F

How would another RBL handle a company that I have personally received 
evidence of spamming even if it causes FPs?

>> I personally received the spam from them from what appears to be scraped
>> whois data: http://pastebin.com/Q0knc6ei has the headers for the two emails.
>>
>> So if cvent is legit, they are being abused by people sending spam and I
>> consider them candidates for the list but I'm open to suggestions.
>
> They're a huge event planning company, but also apparently are email marketers.

Agreed.  I see the duality issue.  I just don't know that I plan to give 
them any leniency.

> Somehow I forgot this was your RBL. How many entries are on it?

Approximately 1700 for the past 30 days.

> What's
> your procedure for adding them?

Right now, very manual.  We are testing procedures that bring more 
automation to the research process.

>> I also might recommend you consider lowering the scores I am using. I often
>> write poison pill rules that the project would never allow but they are
>> based on careful analysis of my corpora.  YMMV and I'm open to feedback as I
>> mentioned.  Just don't expect to always like my decisions.
>
> We had one user complain, and after investigating, realized there are
> hundreds of messages in the quarantine from this sender. They mostly
> appear to be just e-marketing crap, but there are a few where people
> have actually planned events and missed their confirmation emails,
> etc., so I can't just block them.

I agree it has collateral damage.  You can explain to them that the 
emails can be found marked as spam because the company running the 
events are spammers is my main response.  And searching more about 
cvent.com just makes me question their practices and others (such as 
http://www.pissedconsumer.com/reviews-by-company/cvent.html) have 
confirmed what I have seen which is harvesting of Whois data and 
spamming it.

> With a poison pill attitude towards them, wouldn't it just be better
> to reject them outright?

I don't use any RBLs for rejection, only for scoring.

> Anyway, I'm hoping you could explain your RBL further, because I value
> your expertise, and would like to take advantage of this, but will
> probably have to adapt a bit for my environment.

Understood completely and the scores are there for you to override.

The RBL is built out of a manually-reviewed corpora of complaints that I 
cull together from users.  The scores reflect that it's seen and 
approved as being consistent with a spammer.  And cvent.com isn't a FP 
because I've personally reviewed the corpora entry and it's not only
scraped, they also added technology to try and make the scraping appear 
more personal but that technology introduced errors.  Whether they are 
buying lists or doing this internally, the emails I sampled did not come 
from partners but from people inside the firm.  As such I can only gather
that they have a piss poor culture of spamming.


Regards,
KAM


Re: KAM pccc URIBL questions

2013-10-07 Thread Alex
Hi,

>> How about just cvent.com? I've uploaded the headers from one FP here:
>> http://pastebin.com/UDuDcp4F
>
> How would another RBL handle a company that I have personally received
> evidence of spamming even if it causes FPs?

Apparently none of the other RBLs consider it spam.

I've asked the list a few times before about similar companies, such
as verticalresponse.com, which are also mass e-marketers, and I doubt
very much whether all recipients have signed up for their
newsletters or webinars.

There wasn't really any consensus on the list for this sender either.
I've left them off my blacklist for now, despite seeing messages
pertaining to hair care and gutter cleaning from their customers.
They're also not on any public blocklists.

>> Somehow I forgot this was your RBL. How many entries are on it?
>
> Approximately 1700 for the past 30 days.

How many of those are now on the dbl or zen?

> I agree it has collateral damage.  You can explain to them that the emails
> can be found marked as spam because the company running the events are
> spammers is my main response.  And searching more about cvent.com just makes
> me question their practices and others (such as
> http://www.pissedconsumer.com/reviews-by-company/cvent.html) have confirmed
> what I have seen which is harvesting of Whois data and spamming it.

Yeah, I saw that too. Their response to me would be to figure out a
way to only let their legitimate stuff through. I could probably also
make some noise to get a contact there through my customer, but it
would probably only lead to lip service. I'd never be able to get them
to switch providers, and as we've seen with verticalresponse, the
alternatives have issues too.

>> With a poison pill attitude towards them, wouldn't it just be better
>> to reject them outright?
>
> I don't use any RBLs for rejection, only for scoring.

I just figured that since it's immediately being dropped, perhaps
sending them a bounce would help to control the number you receive
from them, if not just firewall their block outright.

> The RBL is built out of a manually-reviewed corpora of complaints that I
> cull together from users.  The scores reflect that it's seen and approved as
> being consistent with a spammer.  And cvent.com isn't a FP because I've
> personally reviewed the corpora entry and it's not only scraped, they also

That's because you don't do business with them, so anything received
is unsolicited. In my case, corporate communications are actually
being blocked.

I'm going to keep a closer eye on them, and manually inspect more of
their mail to figure out what to do next.

Thanks,
Alex


Re: KAM pccc URIBL questions

2013-10-07 Thread Raymond Dijkxhoorn

Hai!


>>> How about just cvent.com? I've uploaded the headers from one FP here:
>>> http://pastebin.com/UDuDcp4F
>>
>> How would another RBL handle a company that I have personally received
>> evidence of spamming even if it causes FPs?
>
> Apparently none of the other RBLs consider it spam.

Apparently other RBLs care more about collateral damage. I would not list
this. You would not list microsoft.com either if you accidentally get a
spam that you feel isn't appropriate. This is harming more than it does
good. But it's your list so your rules ;) I would not want to use it to
filter my mails with it but hey ;)



> That's because you don't do business with them, so anything received
> is unsolicited. In my case, corporate communications are actually
> being blocked.
>
> I'm going to keep a closer eye on them, and manually inspect more of
> their mail to figure out what to do next.

That's telling it all ...

Bye,
Raymond.


Re: KAM pccc URIBL questions

2013-10-07 Thread Martin Gregorie
On Mon, 2013-10-07 at 19:38 -0400, Alex wrote:

> There wasn't really any consensus on the list for this sender either.
> I've left them off my blacklist for now, despite seeing messages
> pertaining to hair care and gutter cleaning from their customers.
> They're also not on any public blocklists.
 
If, on inspection, there is any reliable way to distinguish spam from
ham in the stream coming from cvent, you could drop the RBL score down a
lot (0.01 ?) and write a meta that blocks just the spam.


Martin






Re: KAM pccc URIBL questions

2013-10-07 Thread Rob McEwen
On 10/7/2013 7:42 PM, Raymond Dijkxhoorn wrote:
> This is harming more than it does good. But it's your list so your
> rules ;) I would not want to use it to filter my mails with it but hey

Since this is in its early development, it is probably too early to
judge it too much. But from what I've read in this discussion, it is
light years away from the current major URI/domain blacklists out
there (SURBL, URIBL, ivmURI, DBL)... BUT... Kevin  is  brilliant so who
knows what it might eventually become?

ALSO...There is an argument that a more-aggressive-than-normal AND
low-scoring URI list may be helpful? In that sense, URIBL.com has
traditionally been considered slightly more aggressive than the other
lists mentioned above... SLIGHTLY! Maybe something much MORE aggressive,
intended for very low scoring... would be useful? (this would be
situations where bayes or checksum content filters add points to the
spam score combined with such an aggressive URI list putting the message
over the top... but then skipping blocking a legit message with this
URI because it didn't have the other content points added and thus
didn't score high enough--at least that is the idea)

But I can't help but think that SOME reading this thread haven't even
tried/implemented even all the zero-cost options for the (already
matured) lists I mentioned (where applicable)?

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032



Re: KAM pccc URIBL questions

2013-10-07 Thread Benny Pedersen

Alex wrote on 2013-10-08 00:18:

> http://pastebin.com/UDuDcp4F


in local.cf

def_whitelist_auth *@cvent.com

or in user-prefs whitelist_auth *@cvent.com

in case it's ham, just not both

https://dmarcian.com/spf-survey/cvent.com
https://dmarcian.com/dmarc-inspector/cvent.com



KAM pccc URIBL questions

2013-10-06 Thread Alex
Hi guys,

I'm using Kevin's KAM_FROM_URIBL_PCCC rules for the multi.pccc.com
URIBL. Why is it designed to be a poison pill? It caught cvent.com,
causing a bunch of mail to FP.

I'm just curious if this URIBL is indeed this trustworthy, if these
KAM rules are still used, and how it is working for you?

header     KAM_FROM_URIBL_PCCC  eval:check_rbl_from_host('pccc', 'multi.pccc.com.', '127.0.0.4')
describe   KAM_FROM_URIBL_PCCC  From address listed in PCCC URIBL
tflags     KAM_FROM_URIBL_PCCC  net
score      KAM_FROM_URIBL_PCCC  5.0
meta       __KAM_URIBL_PCCC     (KAM_BODY_URIBL_PCCC + KAM_FROM_URIBL_PCCC + KAM_RCVD_URIBL_PCCC >= 3)
Thanks,
Alex