The dangers of rate limiting
Like many servers on the internet, my mailserver uses amavis (which by extension uses SpamAssassin).
Recently I started getting more and more false positives. First from senders I didn’t really care about, but then from support desks I had contacted and, in fact, from family. Now, I understand that some people (family included) use free services on the web, and that this may lead to their email being thrown in the spam bucket just because they use free webmail. But not in this case. The reason was some service at “validity.com” which is supposed to be free to use but limits the number of mails that can be checked to 1000 per floating 15-day window. Sometimes (and especially around Christmas) my family and I receive a lot of mail, and a lot of it is actually spam. 1000 checks in 15 days is nothing in periods like these.
The service at validity.com can supposedly be used with a “free” account (they “only” want your IP addresses and email address, and those are not as free as you might think). But apart from that information being hidden in an error message (which in turn includes a URL to their website), and in addition to them pushing their paid service, the inclusion of such essentially non-free services in the default configuration is very much a no-no. I’m running Debian, not Windows where you have to expect such behaviour.
So please, if you maintain a package, never activate rate-limited or paid services in the default configuration, even if the service also claims to have a free tier. You don’t know how users of your package are using it, and this configuration makes it basically unusable.
That said, amavis has another problem - it’s 200k (about 5000 lines) of difficult-to-configure Perl code (the configuration is essentially a Perl script, or a collection of Perl scripts), and it is very, very difficult to maintain. So after posting this, I will immediately look for a replacement.