Hi,

>>> whitelist_auth *@bounce.mail.salesforce.com
>>> whitelist_auth *@sendgrid.net
>>> whitelist_auth *@*.mcdlv.net
>>
>>
>> I've seen enough spam sent through all three - both by way of whole
>> apparently spammer-owned accounts and cracked-but-otherwise-legitimate
>> accounts - that I would never blanket-whitelist whole bulk email providers.
>>
>> Legitimate mail sent through them generally gets through anyway IME.
>
> An alternative is to use "def_whitelist_auth" instead of "whitelist_auth"
> That gives a -7.5 point bump to usually good sources which may occasionally
> get abused.
>
> That way if one of their accounts gets p0wned your anti-phish rules have a
> chance of pulling the junk into the spam-tagged range.

Phishing is a significant concern for us. Whether or not the phish came through the customer of one of these senders or through the senders themselves, whitelisting these senders only facilitates more phishes. There was a period when it was about one being reported by a particularly large customer per day. Telling my customers that we've contacted the provider and reported the spam just isn't good enough.

We also received a phish through freshdesk.com which is on the def_whitelist. It's also on the DKIMWL_WL, subtracting another -3.5 points. It was also listed in RCVD_IN_HOSTKARMA_W, but also in LASHBACK_LASTEXT and invaluement, but not enough to compensate for the negative points. I suspect it was a compromised freshdesk trial account that was managed by amazonaws and sendgrid before passing through smtp.freshdesk.com, both of which weren't whitelisted at the time.
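
A triage check for the situation discussed in this thread, as an added example that is not part of the original messages: it measures how much of a message's score is whitelist credit and flags mail that stays under the spam threshold only because of that credit. It assumes the rule hits are available as a `RULE=score` list (the layout of SpamAssassin's `_TESTSSCORES(,)_` template tag); the function names, the placeholder rule names and every sample score other than -7.5 and -3.5 are constructed.

```python
# Rule names from the thread, matched as prefixes (the prefix matching is an
# assumption of this example). Only negative scores count as whitelist credit.
WHITELIST_PREFIXES = ("USER_IN_DEF_", "DKIMWL_WL", "RCVD_IN_HOSTKARMA_W")

# Constructed sample: -7.5 and -3.5 are the figures quoted in the thread; the
# other scores, INVALUEMENT_HIT and PHISH_BODY_HIT are placeholders.
SAMPLE = ("USER_IN_DEF_DKIM_WL=-7.5,DKIMWL_WL=-3.5,RCVD_IN_HOSTKARMA_W=-2.5,"
          "LASHBACK_LASTEXT=2.9,INVALUEMENT_HIT=3.5,PHISH_BODY_HIT=3.6")


def parse_tests(tests):
    """Parse 'RULE=score,RULE=score' into a {rule: score} dict."""
    hits = {}
    for item in tests.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"no score for rule {name!r}")
        hits[name.strip()] = float(value)
    return hits


def whitelist_masking(tests, required=5.0):
    """Report the whitelist credit and whether it alone keeps the mail untagged."""
    hits = parse_tests(tests)
    credit = sum(score for name, score in hits.items()
                 if score < 0 and name.startswith(WHITELIST_PREFIXES))
    total = sum(hits.values())
    without = total - credit
    return {
        "total": round(total, 2),
        "whitelist_credit": round(credit, 2),
        "without_whitelist": round(without, 2),
        # True when the message is below the threshold only due to whitelists.
        "masked": total < required <= without,
    }


if __name__ == "__main__":
    print(whitelist_masking(SAMPLE))
```

Run over reported phish, a `masked` result identifies the messages where the blocklist and content rules did fire but were outweighed by whitelist credit.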