ietf-asrg

Re: [Asrg] Automated public whitelist

2011-04-01 08:10:57
On 4/1/2011 6:42 AM, Neil Schwartzman wrote:
> Beyond that, ongoing qualification & compliance are big deals when running a
> whitelist. I ran Return Path's for four years, and every day was some new
> issue, be it a good sender gone bad, or a compromised machine, or an argument
> with a bad sender who wanted to tell me his business plan.
>
> Not for the faint-of-heart, nor the sane. I've said the same thing repeatedly
> to others who have thought of starting a whitelist: don't.

Darxus,

I'll add three things to what Neil said:

(1) grey-hat and black-hat ESPs would love nothing more than to
distribute to you a high quality feed of indisputable ham... and then
slip in some of their own messages to ensure that they and their clients
get whitelisted.

(2) AND... even with legitimate "good faith" data feeds... I've examined
the whitelisting data of a prominent DNSBL, where their whitelist (that
they use to prevent FPs) was fully automated and involved minimal human
intervention. What I found was that SOME snowshoe spammers were
frequently whitelisted during that time period when the spammer had not
/yet/ built up enough bad reputation to get blocked by many (or any)
blacklists. The problem here is that by the time the snowshoe spammer
has finally gotten blacklisted by some DNSBLs, he is /already/ in that
whitelist and anyone using such an automated whitelist is going to then
give that snowshoe spammer a free pass. This is one of the greatest
dangers with automated whitelists. Yes... you'll find that this only
makes up something like .0001% of all whitelisted IPs... AND you'll find
that this applies to something like .0001% of a typical incoming mail
stream. HOWEVER-- because snowshoe spam is amongst the most difficult to
catch (compared to things like botnet-spams sent from infected
workstations).... it makes up a disproportionally large percentage of
the spam that makes it into people's inboxes. Therefore, it is entirely
possible for such False Negatives to /appear/ to be too few to be
consequential... but, in reality, to cause a dramatic shift in the
number of spams that make it into recipients' inboxes.

(3) Also, calling it a "whitelist" is going to be problematic if any of
my warnings materialize. Why? Because the very label "whitelist" implies
that you are putting your "stamp of approval" on such mail. Therefore,
you may want to brand this as some kind of "reputation" list rather than
a "whitelist". (regardless of my opinion... you are probably going to
find that many will consider the label "whitelist" as you personally
vouching for the sender.) Otherwise, if your automated lists start
"vouching" for snowshoe spammers, you might then be accused of
"harboring spammers" or being in business with the spammers. (again,
take this fwiw. I'm NOT accusing you of such. This is just a warning
about what others might say if your data gets polluted with the more
elusive spammers... such as snowshoe spammers, CAN-SPAM-compliant
spammers sending to high quality purchased or rented lists, etc)

(hope this helps...)

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob(_at_)invaluement(_dot_)com
+1 (478) 475-9032

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
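
An added example, not part of the original message and not code from any list operator: a sketch of how a consumer of an automated whitelist could audit it for the failure described in point (2), where an IP is whitelisted first and only later picked up by a blacklist. The sample data, the names audit and net24, and the /24 neighbor heuristic (IPv4 only) are assumptions made for illustration.

```python
"""Audit an automated whitelist against later blacklist listings (added example)."""
from datetime import datetime
from ipaddress import ip_network

# Constructed sample data: documentation address ranges, invented timestamps.
WHITELIST = {  # ip -> time the automated process whitelisted it
    "192.0.2.10": datetime(2011, 3, 1),
    "192.0.2.77": datetime(2011, 3, 2),
    "198.51.100.5": datetime(2011, 2, 1),
    "203.0.113.9": datetime(2011, 3, 20),
}
BLACKLIST_EVENTS = [  # (ip, time a blacklist first listed it)
    ("192.0.2.10", datetime(2011, 3, 9)),
    ("192.0.2.11", datetime(2011, 3, 9)),
    ("192.0.2.12", datetime(2011, 3, 10)),
    ("203.0.113.9", datetime(2011, 3, 1)),
]

def net24(ip):
    """Return the enclosing IPv4 /24 network (assumed grouping unit)."""
    return ip_network(f"{ip}/24", strict=False)

def audit(whitelist, blacklist_events, neighbor_threshold=2):
    """Return {ip: reason} for whitelist entries that should lose their free pass."""
    first_listed, per_net = {}, {}
    for ip, when in blacklist_events:
        first_listed[ip] = min(when, first_listed.get(ip, when))
        per_net.setdefault(net24(ip), set()).add(ip)
    findings = {}
    for ip, added in whitelist.items():
        listed = first_listed.get(ip)
        if listed is not None and listed > added:
            # The case from the message: whitelisted before any reputation existed.
            findings[ip] = f"blacklisted {(listed - added).days}d after whitelisting"
        elif listed is not None:
            findings[ip] = "already blacklisted when whitelisted"
        else:
            # Assumed heuristic: a clean IP surrounded by listed neighbors is suspect.
            neighbors = per_net.get(net24(ip), set()) - {ip}
            if len(neighbors) >= neighbor_threshold:
                findings[ip] = f"{len(neighbors)} blacklisted neighbors in {net24(ip)}"
    return findings

if __name__ == "__main__":
    for ip, reason in audit(WHITELIST, BLACKLIST_EVENTS).items():
        print(ip, "->", reason)
```

Run periodically, a check like this turns a one-time automated whitelisting decision into one that is revisited as blacklist data catches up.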
