Ability to disable challenges in BoxTrapper on a per account and server basis
Needs Feedback
More and more hosts are not enabling Box Trapper, sad, and uninformed, but....
Anyhow, what about a feature for CPanel that is similar to Box Trapper that
has a White List, a Black List, and an expiring Queue, everything Box Trapper has; just no Challenge
Response?
Such lets approved eMails through, deletes Black Listed eMails, and
holds the others for a time limit in case the owner of the inbox wants
to check if there may be anything important.
The benefit being that the owner of the inbox doesn't have to be
bothered with overwhelming spam, and doesn't have to deal with some spam
software arbitrarily deciding that a good email was spam. It gives the
owner of the inbox full and absolute control. A good feature for us
Geeks.
What you're requesting sounds pretty much word for word what SpamAssassin with Spam Box provides.
http://documentation.cpanel.net/pages/viewpage.action?pageId=362709
The "Spam Box" then becomes this "Queue" that you've mentioned where any questionable mail gets delivered. Only whitelisted or mail scoring below your spam threshold gets delivered to your inbox. You can then whitelist or adjust accordingly to ensure mail that got into the "Spam Box" ends up in your inbox.
Since SpamAssassin w/SpamBox essentially meets your described needs and is already in the product, it is unlikely that we would invest time attempting to re-invent it. If there's an existing anti-spam product out there that you feel better meets your needs, definitely post a feature request for it and we'll look into it.
Spam Assassin is Black List Priority, and highly likely to delete good emails, while letting Spam Assassin approved Mass Mail through. What I am talking about is White List priority, and absolute control by me, instead of some generic database.
I'm with bxy on his preference for BoxTrapper and his lamenting the hosting providers who disable it unnecessarily (and no, SpamAssassin absolutely does not do what he is asking for). But the problem is a multi-faceted one and the solution is not a new tool. Let me try to summarize all the points and their interactions:
1. BoxTrapper is a great whitelist manager (which is what bxy and I want it for) but this capability is little-known since it has been marketed as a challenge/response system, which doesn't work any more since almost all spam comes from fake senders so these challenge emails only add to network traffic and go nowhere or even end up going to some innocent bystander (a.k.a. backscatter).
2. The challenge/response part of BoxTrapper can be disabled by setting the verify message template to a blank file, but this is an undocumented workaround, is not the default, and few people think of doing this.
3. The combination of (1) and (2) leads many hosting companies to disable it (and they push SpamAssassin instead, which they understand better even though it's way more resource-intensive and doesn't handle whitelists well if at all--more on that later).
4. Many people (myself and bxy included) feel that it is absolutely unacceptable for any spam system to have a false positive *where the sender is a KNOWN good sender* (i.e., someone on a whitelist or on my contact list). A false positive is bad enough but when I know it is a good sender, it's just plain brain-dead to block it. There is a (patently fake) counter-argument to this assertion, to the effect that spammers can and do fake From addresses, hence whitelists are useless. But spammers *don't have my whitelist* and the chances that they will happen to use an entry on my whitelist are close to zero. To be more precise, I get perhaps 80,000 spams/year and I have about 4000 addresses on my whitelist. I get maybe ONE spam that gets through per year (~0.001%) this way and even that's usually because some contact had his mailer hijacked by some virus (which is of course quickly removed). And I would usually have about 100 good emails a year from known contacts that programs like SpamAssassin incorrectly flag as spam (false positive), that a whitelist-priority system like BoxTrapper would handle correctly. THIS is what BoxTrapper does well and SpamAssassin doesn't.
5. SpamAssassin actually does have a whitelist mechanism of sorts but it's clearly an afterthought. The user interface to the whitelist feature is very poorly implemented in CPanel, to the point of making it virtually useless. You enter only up to 5 entries MANUALLY at a time (no import, no copy and paste of the entire file), at which point you get 5 more text boxes! And no way to export it back to move the whitelist to another system. You have to find the user_prefs file, figure out how to enter whitelists in it, do global edits to your whitelist, etc., and even then you'll likely encounter some undocumented limit on the number of whitelist entries that is way smaller than any reasonable maximum for a contact list. Compare this to all the well-thought-out whitelisting features of BoxTrapper including, for example, the ability to whitelist by association (all other email destination addresses on a whitelisted email will be whitelisted too), auto-whitelist of sent email addressees (if sent via the SMTP server on the same host), etc.
6. It would seem that BoxTrapper as the first level of filtering (for whitelist control only, no challenge/response) followed by SpamAssassin for the rest would be a good solution but this doesn't work either because SpamAssassin is run FIRST at the MTA level and by the time BoxTrapper gets to see it, the damage has been done (i.e., false positives by SpamAssassin on email from known good senders) and BoxTrapper never even gets to see the email that it would have correctly whitelisted.
The solution? My humble proposal is the following:
1. EASY SOLUTION (CPanel can do it themselves and really quite painlessly with minimal development and using existing and proven tools):
- Disable challenge/response in BoxTrapper by default and add an explicit setting in the control panel to enable it (not the current undocumented blank file vs. non-blank file method). Enabling challenge/response should be clearly flagged in the user interface and other documentation as being deprecated owing to the possibility of backscatter (and a WHM option could even exist to prevent users from being able to re-enable challenge/response).
- Encourage hosting providers to keep BoxTrapper enabled pointing out the new version eliminates the backscatter problem and BoxTrapper should be viewed as a whitelist manager and not a challenge/response system. (Right now, BoxTrapper suffers from a perception problem that needs to be reversed once the challenge/response part is turned off or at least deprecated, so that a great and well-tested tool doesn't go unused for the wrong reasons.)
- Owing to the sequence of SpamAssassin needing to be run first and BoxTrapper later, the combination of both being active simultaneously is of limited use, but people at least have the choice of being whitelist-centric (like bxy and I and no doubt innumerable others would be) or heuristic-centric (for those who don't seem to mind the occasional lost good email)
2. DIFFICULT SOLUTION: Incorporate all the BoxTrapper whitelisting features into SpamAssassin (uphill battle since the people developing it don't seem to give sufficient importance to whitelists nor false positives). And its development is not in CPanel's control. But if it is done, this would be the ideal solution. It would improve SpamAssassin's efficiency as well. Right now, a whitelisted entry in SpamAssassin merely gives a -100 score to the email (which pretty much means that nothing will make it seem a spam) *but it continues unnecessarily to do the dozens of other computationally more intensive tests as well*!! Do the whitelist test first and exit with a no-spam indication if it's on the whitelist! This would actually be a better technical solution, but it's less likely to get done. Of course, the CPanel interface would need to be improved as well, mostly to allow easy import and export of an entire whitelist file rather than the current not very useful one-at-a-time approach.
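The whitelist-priority flow requested in this thread (deliver known senders, delete blacklisted ones, hold everything else until it expires, never send a challenge), as an added example that is not part of any post above and is not BoxTrapper's or cPanel's code. The class name, the 14-day retention period and the sample messages are assumptions made for illustration.

```python
import email
from datetime import datetime, timedelta
from email.utils import getaddresses, parseaddr

HOLD_DAYS = 14  # assumed retention period for the hold queue


class WhitelistFirstFilter:
    """Whitelist-priority triage with no challenge/response step (hypothetical)."""

    def __init__(self, whitelist, blacklist):
        self.whitelist = {a.lower() for a in whitelist}
        self.blacklist = {a.lower() for a in blacklist}
        self.held = []  # (expires_at, sender, subject)

    def triage(self, raw_message, now):
        msg = email.message_from_string(raw_message)
        # Assumption: match on the header From address, which is unauthenticated.
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if sender in self.whitelist:
            # Whitelist by association: other addressees on a mail from a
            # known sender become known too.
            others = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
            self.whitelist.update(addr.lower() for _, addr in others if addr)
            return "deliver"
        if sender in self.blacklist:
            return "delete"
        # Unknown sender: hold silently. Nothing is sent back, so a forged
        # From address cannot turn this server into a backscatter source.
        expires = now + timedelta(days=HOLD_DAYS)
        self.held.append((expires, sender, msg.get("Subject", "")))
        return "hold"

    def purge_expired(self, now):
        before = len(self.held)
        self.held = [h for h in self.held if h[0] > now]
        return before - len(self.held)


# Constructed sample messages (not real mail).
SAMPLES = [
    "From: Alice <Alice@Example.com>\nTo: me@example.org\nCc: carol@example.com\nSubject: lunch\n\nhi\n",
    "From: bulk@example.net\nTo: me@example.org\nSubject: offer\n\nbuy\n",
    "From: stranger@example.org\nTo: me@example.org\nSubject: hello\n\n?\n",
    "From: carol@example.com\nTo: me@example.org\nSubject: re: lunch\n\nok\n",
]


def run_demo():
    f = WhitelistFirstFilter(["alice@example.com"], ["bulk@example.net"])
    now = datetime(2024, 1, 1)
    results = [f.triage(m, now) for m in SAMPLES]
    return results, f.purge_expired(now + timedelta(days=HOLD_DAYS + 1))
```
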