PROJET AUTOBLOG


BohwaZ

Original site: BohwaZ


Why you shouldn't rely on DKIM, SPF, and other whitelists

Friday 19 December 2014 at 04:16

On the mail servers I manage we get thousands of spam messages every day. I guess it is the same for every email server out there, but there is something really different in France compared to other countries: in France spam is actually legal and backed by the government. Yes, a spam company can actually buy a database containing the email addresses of non-profit organizations and companies from the INSEE public institute and then sell it on to its customers. The customers can then send spam to those email addresses, as long as they provide an opt-out unsubscribe link in the mail.

You can click as many opt-out links as you wish; it doesn't change anything. At best you won't receive new spam from that specific advertiser, but the spam provider often sells its database to hundreds of other advertisers and will keep relaying spam to you. When I actually tried to click as many opt-out links as I could for a month, I got a huge increase in spam afterwards. It may seem incredible, but you cannot trust those spam providers to actually stop sending spam. Weird. (Irony.)

There is a non-profit organization called "Signal Spam" which is supposed to fight spam, but the vast majority of its partners are actually spam providers like MailChimp or eCircle. Even the president of Signal Spam is the CEO of an "emailing" company called ExactTarget. I discuss the matter in detail in this post about Signal Spam (in French). To this day Signal Spam doesn't seem committed at all to bringing spam providers to justice or to lobbying for a more protective anti-spam law.

About DKIM and SPF

A few years ago, when I heard about SPF and then about DKIM, I thought they would be a great idea to help fight spam. Now I can truly say that they are both very bad ideas, even if they actually worked with real emails, which they don't, since they break most mailing lists and forwarding setups. But the worst is that of the two thirds of emails my SMTP servers received that used DKIM or SPF, more than half were actually spam.

Yes, spammers do use SPF and DKIM, and they use them well. This means that if an email does have a valid DKIM signature or passes the SPF test, there is more than a 50% chance that it is not a real email.

So when you write your spam filtering rules, you should never assume that a message passing the DKIM or SPF test is a legitimate email, because it often is not.

The default SpamAssassin rules, for example, are not too optimistic when a mail passes the DKIM or SPF test, which is the right thing to do.

About whitelists

One thing that SpamAssassin didn't get right is that it trusts whitelists. For example, a valid DKIM domain that is in the Spamhaus Whitelist will get its spam score decreased by 3.5 points. That's a lot, as many spammers do manage to get listed in whitelists. One example is MailChimp, one of the largest spam providers out there, which is listed in the ISIPP IADB.

As a result, spam coming from MailChimp will get through your spam filter. What a shame.

I suggest using these rules in your SpamAssassin local.cf file:

score DKIMDOMAIN_IN_DWL 0
score __RCVD_IN_DNSWL 0
score __RCVD_IN_IADB 0
score RCVD_IN_RP_CERTIFIED 0
score RCVD_IN_RP_SAFE 0

This disables the whitelists completely, so that no request is made to those servers. It will save you some bandwidth and CPU, as well as rejecting more spam.
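To see what those overrides actually change on a message, here is an added Python example (not from the post) that parses the local.cf lines above and rescores a constructed X-Spam-Status header with and without them. The -3.5 for DKIMDOMAIN_IN_DWL is the post's figure; every other default score and the header itself are assumed values for illustration.

```python
import re

# The local.cf overrides from the post, embedded here as the example's input.
LOCAL_CF = """\
score DKIMDOMAIN_IN_DWL 0
score __RCVD_IN_DNSWL 0
score __RCVD_IN_IADB 0
score RCVD_IN_RP_CERTIFIED 0
score RCVD_IN_RP_SAFE 0
"""

# Default scores for the comparison. -3.5 for DKIMDOMAIN_IN_DWL is the figure
# the post gives; every other value is ASSUMED for illustration only. Take the
# real ones from the 50_scores.cf shipped with your own SpamAssassin.
DEFAULT_SCORES = {
    "DKIMDOMAIN_IN_DWL": -3.5, "RCVD_IN_RP_CERTIFIED": -3.0,
    "RCVD_IN_RP_SAFE": -2.0, "DKIM_VALID_AU": -0.1, "SPF_PASS": -0.001,
    "HTML_MESSAGE": 0.001, "MIME_HTML_ONLY": 0.7, "URIBL_BLACK": 1.7,
    "RAZOR2_CHECK": 0.9, "RAZOR2_CF_RANGE_51_100": 1.9,
}

SCORE_LINE = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$")

def parse_scores(cf_text):
    """Single-value `score RULE n` lines -> {rule: score}. The four-value
    per-mode form of the score directive is not handled."""
    return {m.group(1): float(m.group(2))
            for m in map(SCORE_LINE.match, cf_text.splitlines()) if m}

def parse_tests(spam_status):
    """Rule names from the tests= field of an X-Spam-Status header,
    tolerating folded continuation lines."""
    m = re.search(r"tests=(.*?)(?:\s+autolearn=|\s+version=|$)", spam_status, re.S)
    return [t.strip() for t in m.group(1).split(",") if t.strip()] if m else []

def rescore(spam_status, overrides=None, required=5.0):
    """Recompute a message's total from its rule hits, applying local.cf
    overrides on top of the defaults. Returns (score, is_spam)."""
    scores = {**DEFAULT_SCORES, **(overrides or {})}
    total = round(sum(scores.get(r, 0.0) for r in parse_tests(spam_status)), 3)
    return total, total >= required

# Constructed header: a bulk mailing whose DKIM domain is in the DWL while its
# body and URIs trip the usual content and URI blocklist tests.
DWL_MAIL = ("X-Spam-Status: No, score=1.6 required=5.0 tests=DKIMDOMAIN_IN_DWL,\n"
            "\tDKIM_VALID_AU,HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,\n"
            "\tRAZOR2_CHECK,SPF_PASS,URIBL_BLACK autolearn=no version=3.4.0")

if __name__ == "__main__":
    print(rescore(DWL_MAIL), rescore(DWL_MAIL, parse_scores(LOCAL_CF)))  # (1.6, False) (5.1, True)
```

With the default scores the whitelist discount keeps the message under the threshold; with the post's overrides the same rule hits push it over.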

To help block more spam, I will soon release a new DNS blacklist server that will help reject emails from MailChimp, eCircle, MailJet and other "legal" spam providers.