
[Asrg] Whitelists, Blacklists, Greylists, and Challenge/Response

2003-04-26 13:43:44
  I do something that superficially resembles Challenge/Response, but I
think it's a lot better <g>.  First some definitions...

  1) Whitelist - a list of IP addresses, email addresses, rDNS,
whatever, from which I unconditionally accept email.  This is a small
portion of the internet.

  2) Blacklist - a list of IP addresses, email addresses, rDNS,
whatever, which I block at the smtp stage.  This is a small portion of
the internet.

  3) Greylist - the vast majority of the internet that doesn't fall
into either 1) or 2) above.

  What many Challenge/Response systems do wrong...

  1) They function at the MUA stage.  Both the "From:" address, and the
"MAIL FROM" greeting can be forged by spammers.  This ends up
contributing to DDOS attacks on innocent 3rd-parties whose email
addresses are forged by spammers as the originating address.

  2) They challenge everybody who is not on a small whitelist, as a
matter of principle.

  How I handle things differently...

  - I use SMTP-stage blocking (i.e. during the SMTP transaction).  ISPs
that implement end-user-configurable filters at the SMTP transaction are
few and far between, but I've got an account at one.  Email that I don't
accept gets a 550 message back to the sending MTA, not a bounce message
to a possibly forged address.

  - The 550 message (with very few exceptions) contains "If yours was a
legitimate email, see http://..."; which points to a webpage of mine that
lists a temporary unfiltered email address that I create especially for
the purpose of bypassing my filters.  Most spammers don't read their
reject messages; in fact the ones who send via compromised/hijacked
3rd-party machines don't even see the reject message.

  - My philosophical difference with most Challenge/Response systems is
that I view C/R as a safety net for handling a small amount of
collateral damage (aka "false positives") from my blocklist rules,
whereas traditional C/R systems apply C/R to everyone who is not part of
a small whitelist.  In practice, that translates into me not blocking my
Greylist, i.e. the vast majority of the internet which I do not have
reason to believe to be a high spam-to-legitimate-email ratio.  My C/R
is only applied to areas from which I get a lot of spam.  Thus, I can do
aggressive blocking; people who want to get through to me still can; and
my use of C/R is very limited.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
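The SMTP-stage decision the post describes (whitelist accepted, blacklist rejected with a 550 that points at a web page, greylist accepted, bypass address unfiltered), as an added example that is not the poster's code or his ISP's filter; the networks, sender lists, bypass address and URL are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# All lists below are constructed sample data, not the author's real configuration.
WHITELIST_NETS = [ipaddress.ip_network("192.0.2.0/24")]       # accepted unconditionally
WHITELIST_SENDERS = {"friend@example.org"}
BLACKLIST_NETS = [ipaddress.ip_network("198.51.100.0/24")]    # rejected at SMTP stage
BLACKLIST_SENDER_DOMAINS = {"spam.example"}
# Temporary unfiltered address advertised on the web page the reject text points to;
# it bypasses every rule above. Hypothetical value.
BYPASS_RECIPIENTS = {"tmp-bypass@waltdnes.example"}
# Placeholder standing in for the "http://..." in the post.
REJECT_URL = "http://www.example.net/legit"
# Text carried in the 550 reply so the sending MTA's operator can find the bypass address.
REJECT_TEXT = f"5.7.1 Rejected by recipient policy. If yours was a legitimate email, see {REJECT_URL}"


@dataclass
class Decision:
    code: int    # SMTP reply code: 250 accept, 550 permanent reject
    text: str    # reply text returned to the connected MTA during the transaction

    def reply_line(self) -> str:
        return f"{self.code} {self.text}"


def _in_any(ip, nets) -> bool:
    return any(ip in net for net in nets)


def smtp_policy(client_ip: str, mail_from: str, rcpt_to: str) -> Decision:
    """Decide at the SMTP transaction (after RCPT TO) whether to accept the message.

    Order: bypass recipient > whitelist > blacklist > greylist (everything else).
    The greylist is accepted, not challenged. A 550 goes only to the connected
    MTA, so a forged MAIL FROM address never receives a bounce from this host.
    """
    ip = ipaddress.ip_address(client_ip)
    sender = mail_from.strip("<>").lower()
    sender_domain = sender.rpartition("@")[2]
    recipient = rcpt_to.strip("<>").lower()

    if recipient in BYPASS_RECIPIENTS:
        return Decision(250, "2.1.5 OK (unfiltered bypass address)")
    if _in_any(ip, WHITELIST_NETS) or sender in WHITELIST_SENDERS:
        return Decision(250, "2.1.5 OK (whitelisted)")
    if _in_any(ip, BLACKLIST_NETS) or sender_domain in BLACKLIST_SENDER_DOMAINS:
        return Decision(550, REJECT_TEXT)
    # Greylist: the vast majority of the internet, accepted without challenge.
    return Decision(250, "2.1.5 OK")
```

A real deployment would hook this into the MTA's policy interface before DATA, which is what keeps the reject in-band and avoids backscatter.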