Why you probably want to disable allow lists in your SPAM filters
I recently noticed a quite massive spike in SPAM. A lot of it got through the filter, and almost all of it was obvious SPAM that came from the same handful of domains, about two dozen in total.
So my first guess was a problem with the filter configuration, because these emails didn't even make it to the point where a SPAM score header was added, which is a long way from actually being flagged as SPAM.
But there was nothing out of the ordinary. No recent changes, nothing at all. It had just stopped working. So, not understanding what was going on, I lowered the score threshold at which headers are added. Ironically, I lowered it to 0 at first and was a bit confused that these emails still didn't get a header entry. Considering that a lot of other mail now got a header, this meant that this totally obvious SPAM somehow ended up particularly highly regarded by the system. So I lowered the threshold enough to get those headers, and sure as fuck they all had a combined score under 0, which is quite low if we weren't talking about stupid bulk SPAM.
The nice part about those headers is that you can also see who the culprit is. In this case it was a marketing whitelist that offers sender certification: basically an allow list meant to separate SPAM from slightly less spammy but largely legitimate bulk email.
The deal is basically this: you get on their list, they check you, we don't block you. The last part, however, didn't quite seem to work as intended ...
The scheme looks somewhat acceptable on paper but has two major problems. The first is the party doing the checking. But since this is their entire business model, I'm going to assume that this risk is not exactly huge. The much bigger problem is that reputable senders are specifically targeted as SPAM distribution channels. None of the domains in question looked like organic spammers; they all seemed somewhat legitimate, and none of them was in the advertising business. Certainly not for the crap they were peddling. They were all very likely targets of a hostile takeover. The main issue here is that certified sender does not translate to competent sender.
Disabling the whitelist in question solved the problem immediately, because without the large bonus from the list the scores for those mails increased substantially.
If you run a relatively small server (a few dozen to maybe a few hundred users), I don't see a benefit in having these lists active. The potential negative impact on detection far outweighs the benefits, and you don't have the volume to compensate locally. I'm relatively sure these reputable senders are removed from the list fairly quickly, but these spammers are not playing the long game with a specific sender. So removing a sender only helps once they run out of hosts. Eventually that might be the case, but I'm not going to tolerate a SPAM flood for the sake of some badly crafted legitimate advertisement.
As an alternative to removing these lists entirely, you could tune their impact on the score, or substantially boost something else so that these messages still get caught. In either case you probably want to have a look at the score impact of those allow lists, because it is pretty high for obvious reasons: these mails are supposed to be kosher, so giving them a very low score is a reasonable thing to do from the list operator's point of view.
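To make the two practical points above concrete (reading the per-rule scores out of the headers to find the culprit, and trying a smaller bonus before disabling a list outright), here is an added example that is not part of the original post and not the configuration of any particular filter. It assumes a SpamAssassin-style X-Spam-Status header whose tests= field carries per-rule scores (the shape SpamAssassin produces with its _TESTSSCORES_ header template); the sample headers, the rule names and the CERTIFIED_SENDER_LIST rule standing in for the allow list are all constructed for the example. It re-scores each message with the allow-list rule removed or re-weighted and reports the messages that sit under the threshold only because of that bonus.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample headers in the SpamAssassin-style "tests=RULE=score,..." shape.
# Rule names and scores are hypothetical placeholders; CERTIFIED_SENDER_LIST stands in
# for whatever allow-list rule the local filter uses and is not a real list's name.
SAMPLE_HEADERS: List[str] = [
    # obvious bulk mail from a certified sender: the list bonus pulls it below zero
    "X-Spam-Status: No, score=-1.9 required=5.0 "
    "tests=HTML_MESSAGE=0.001,URI_HEX=1.1,BULK_PHRASES=2.5,MONEY_OFFER=2.0,"
    "CERTIFIED_SENDER_LIST=-7.5",
    # legitimate newsletter from a certified sender
    "X-Spam-Status: No, score=-7.5 required=5.0 "
    "tests=HTML_MESSAGE=0.001,CERTIFIED_SENDER_LIST=-7.5",
    # bulk mail from a sender that is not on any list: already flagged
    "X-Spam-Status: Yes, score=5.6 required=5.0 "
    "tests=URI_HEX=1.1,BULK_PHRASES=2.5,MONEY_OFFER=2.0",
    # plain ham
    "X-Spam-Status: No, score=0.0 required=5.0 tests=HTML_MESSAGE=0.001",
]

_TESTS_RE = re.compile(r"\btests=(\S+)")
_REQUIRED_RE = re.compile(r"\brequired=([-\d.]+)")


def parse_hits(header: str) -> Dict[str, float]:
    """Return {rule_name: score} from the tests= field of an X-Spam-Status header."""
    m = _TESTS_RE.search(header)
    if not m:
        return {}
    hits: Dict[str, float] = {}
    for item in m.group(1).split(","):
        if not item:
            continue
        if "=" in item:
            name, value = item.rsplit("=", 1)  # rsplit keeps negative scores intact
            hits[name] = float(value)
        else:
            hits[item] = 0.0  # bare rule name: header built without per-rule scores
    return hits


def required_score(header: str, default: float = 5.0) -> float:
    """The flagging threshold recorded in the header (required=...)."""
    m = _REQUIRED_RE.search(header)
    return float(m.group(1)) if m else default


def rescore(hits: Dict[str, float], overrides: Optional[Dict[str, float]] = None) -> float:
    """Total score with selected rules re-weighted; an override of 0.0 disables a rule."""
    overrides = overrides or {}
    total = sum(overrides.get(rule, score) for rule, score in hits.items())
    return round(total, 3)


def carried_by_rule(hits: Dict[str, float], rule: str, threshold: float) -> bool:
    """True when the message stays under the threshold only because of `rule`'s bonus."""
    if rule not in hits or hits[rule] >= 0:
        return False
    return rescore(hits) < threshold <= rescore(hits, {rule: 0.0})


def audit(headers: List[str], rule: str) -> List[Tuple[int, float, float]]:
    """(index, score with rule, score without rule) for every message the rule rescued."""
    rescued: List[Tuple[int, float, float]] = []
    for i, header in enumerate(headers):
        hits = parse_hits(header)
        if carried_by_rule(hits, rule, required_score(header)):
            rescued.append((i, rescore(hits), rescore(hits, {rule: 0.0})))
    return rescued


if __name__ == "__main__":
    for idx, with_rule, without_rule in audit(SAMPLE_HEADERS, "CERTIFIED_SENDER_LIST"):
        print(f"message {idx}: {with_rule} with list bonus, {without_rule} without")
    # Trying a smaller bonus instead of disabling the rule outright.
    hits = parse_hits(SAMPLE_HEADERS[0])
    print("bonus -1.0 ->", rescore(hits, {"CERTIFIED_SENDER_LIST": -1.0}))
    print("bonus -0.5 ->", rescore(hits, {"CERTIFIED_SENDER_LIST": -0.5}))
```

Run against a week of real headers, the audit tells you how many messages a given list rescued and what they would have scored without it, which is the number to look at before deciding between disabling the rule and merely shrinking its bonus; in the constructed sample a bonus of -1.0 still lets the bulk message through while -0.5 does not, so a half-hearted reduction can leave the problem in place.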