Much as I love SpamAssassin, it's not without its flaws. It relies partly on the SPEWS blacklist of known spammers, a blacklist that is managed with a great deal of caprice and dogma, but not a lot of sense, it seems. Howard sums up a recent thread of messages regarding SPEWS thus:
"Hi, we used to have a spam problems from our customers but we've cleaned up"
"You profited from spam! You go to hell, you go to hell and you die!"
"Hi, we are a law firm that bought from UUnet and it seems the last owners
of this IP block were spammer. We're not, can you please remove us.""Every heard of due diligence? Thats what you get for buying from UUNet,
you'll get unlisted when they clean up all their spammers.""Hi, we bought from some people who turned out to have a problem with
hosting some spammers, but we're locked into a 3 year contract. We're a
small shop without the money for lawyers to get out of it. We're not
spammers, could you please unblock this one piece of IP which is just us.""Sorry, you have to change providers. They breached your contract by
failing to provide full internet access (since people are filtering them
based on our listing)"
Of course, having your name on the SPEWS blacklist isn't sufficient to cause your message to be tagged as spam by SpamAssassin; SPEWS only counts for two point towards a required threshold of five before a message is tagged. Still it seems like these blacklists always devolve into thrashes about abuse of power. I really like the Vipul's Razor approach (which is also integrated into SpamAssassin). No person or group of coordinated actors has the power to blacklist someone; distributed reputation continually demotes and promotes spam-reporters based on accuracy. Lots of checks and balances.
(Thanks, Howard!)
