>From: Rob McEwen <r...@invaluement.com>

>Sent: Sunday, January 29, 2017 10:40 PM

>On 1/29/2017 7:42 PM, Dianne Skoll wrote:
>> On Sat, 28 Jan 2017 16:33:24 +0000
>> David Jones <djo...@ena.com> wrote:
>>
>>> Read back through this thread.  I never said their SPF record is
>>> invalid. All I said is their SPF record is not common and it makes it
>>> very hard for anyone to know what the official Yahoo outbound mail
>>> servers are.
>>
>> Why is that important?  Can't you just whitelist the domain yahoo.com if
>> and only if it hits SPF "pass"?

See next response below about the 2 different levels of MailScanner
checks.  Postfix postscreen is doing the majority of the DNSBL checks
and is not integrated with SPF checks.  It uses IPs or CIDRs.

>>
>>> We have to work very hard to get our MTAs to whitelist
>>> them.  It's in their own best interest to make this information
>>> easily available to the Internet since so much spam comes out of
>>> their platform.
>>
>> Then why would you whitelist them?
>>

Rob is correct below.  I do not have a complete whitelist of Yahoo
email.  Maybe the confusion is due to how MailScanner works.  As
I also said in this thread previously, MailScanner is not directly
tied to the MTA like amavisd-new and others.  I have to whitelist
at the MTA level (Postfix/postscreen) to get past the first level
of checks, primarily DNSBL related.  Then the second level is
MailScanner with SpamAssassin plus some other unique checks.

My goal in whitelisting Yahoo servers is to make sure these
messages get to MailScanner where they are not whitelisted
and are scored based more on content by SpamAssassin rather
than sender reputation (DNSBLs).


>Dianne,

>I can't speak for David, but most or all of your answers don't apply to
>my own anti-spam blacklist's attempt to try to avoid blacklisting Yahoo
>IPs that are both known for sending much spam, but which also would have
>a very high rate of collateral damage if blacklisted. (recognizing that
>some very good DNSBLs, which are more aggressive, are more willing to
>blacklist Yahoo IPs, and that isn't always a bad thing)

Exactly.  I would get too much collateral damage if I didn't whitelist
Yahoo IPs from DNSBL checks.  I have several dozen different DNSBLs
combined to do a very good job of blocking the junk before it has to
get to SA when you exclude Yahoo and other large hosting providers.

The best RBL by far is the Invaluement RBL feed that Rob runs.  Well
worth the low price.  It will save any sysadmin's time easily paying for
itself many times over.

>Also, when David said "whitelist", I can take an educated guess that he
>isn't allowing Yahoo-sent messages free unfiltered access to the inbox -
>he is probably just trying to avoid DNSBL checking of those particular
>IPs - but then he'll probably STILL do other content filtering of those
>messages. That would be my educated guess. And this would be a SMART
>strategy.

Yes.  It does work well.

Dave
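
One way to build the IP/CIDR list that postscreen needs, as an added example that is not part of the original thread: it walks a sender's SPF include/redirect chain and emits lines for a Postfix cidr: table of the kind referenced from postscreen_access_list. The example.com records and all addresses are constructed, and live DNS resolution is replaced by the embedded dictionary.

```python
import ipaddress

# Constructed TXT records standing in for live DNS (documentation address space only).
SAMPLE_TXT = {
    "example.com": "v=spf1 redirect=_spf.mail.example.com",
    "_spf.mail.example.com": "v=spf1 include:_a.example.com include:_b.example.com ptr:example.com ~all",
    "_a.example.com": "v=spf1 ip4:192.0.2.0/25 ip4:198.51.100.17 ~all",
    "_b.example.com": "v=spf1 ip4:192.0.2.128/25 ip6:2001:db8:40::/48 a:out.example.com ~all",
}
MAX_RECORDS = 10  # recursion bound, modelled on the RFC 7208 DNS lookup limit


def flatten_spf(domain, txt=SAMPLE_TXT):
    """Follow include/redirect from `domain`; return (networks, unresolved)."""
    networks, unresolved, seen = set(), [], set()

    def walk(name):
        if name in seen:
            return  # loop protection
        seen.add(name)
        if len(seen) > MAX_RECORDS:
            raise ValueError("too many nested SPF records")
        record = txt.get(name, "")
        if not record.lower().startswith("v=spf1"):
            unresolved.append("no SPF record: " + name)
            return
        for term in record.split()[1:]:
            term = term.lstrip("+")
            if term.startswith(("-", "~", "?")):
                continue  # only "pass" mechanisms identify authorised senders
            if term.lower().startswith("redirect="):
                walk(term.split("=", 1)[1])
                continue
            mech, _, arg = term.partition(":")
            mech = mech.lower().split("/")[0]
            if mech in ("ip4", "ip6"):
                networks.add(ipaddress.ip_network(arg, strict=False))
            elif mech == "include":
                walk(arg)
            elif mech in ("a", "mx", "ptr", "exists"):
                unresolved.append(term)  # needs live DNS; ptr/exists cannot be enumerated

    walk(domain)
    return networks, unresolved


def postscreen_cidr(networks):
    """Render merged networks as lines for a Postfix cidr: access table."""
    lines = []
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        lines += [f"{net}\tpermit" for net in ipaddress.collapse_addresses(same)]
    return lines
```

Anything returned in the unresolved list marks part of the sender's policy that a static CIDR table cannot cover, so those senders are still subject to the DNSBL checks.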
