
Re: What eMail is legitimate

2003-12-18 16:41:19
From: John Leslie <john(_at_)jlc(_dot_)net>

...
   This is where I must disagree. Whitelisting something as easily
forged as the From address is simply wrong -- and if it is a published
rule, we're sure to see spammers forging whitelisted From addresses
as their standard operating practice.

As is true of many theories about what spammers do or will do, practice
differs from (simplistic) theory.  In the real world, whitelisting by
sender works fine and is not abused often enough to matter.  Whether
it works today because it is rarely used is a secondary issue good for
no more than trying to predict the future.

Yes, I know that spammers often forge source addresses.  I get more
than my fair share of demands from lusers that I unsubscribe them from
this or that stream of porn or other offensive spam.  Nevertheless,
such problems are trivial in this context.

That reasoning involves a second error common to IETF talk about spam
and mailing list noise.  It is the academic pretense that all failures
are of equal gravity and completely unacceptable.  In this case, the
failure mode that supposedly makes whitelisting by sender unacceptable
is merely leaking a little spam.


   If, OTOH, Vernon would like to whitelist the combination of From
address and IP address of the sending SMTP server, that could be a
very worthwhile practice, virtually immune to spammer forging.

If you mean manual whitelisting, that sounds good in theory, but fails
in practice.  I've experience with various sorts of whitelisting,
because the DCC depends on whitelists to distinguish solicited from
unsolicited bulk mail.  Whitelisting by IP address fails in practice
because so much bulk mail comes from so many different and changing
SMTP clients.  For an example at the small end of the spectrum of
bulk mail sources, I've had to regularly change the whitelisting
for IETF mailings.  Bigger legitimate bulk mailers often have too
many SMTP clients for outsiders to count, not to mention manually
whitelist.  You must find other ways to whitelist them.

However, whitelisting bulk mail by IP address is trivial compared to
whitelisting private mail by IP address.  I use greylisting (see
http://www.dcc-servers.net/dcc/greylist.html ) which can be described
as automated whitelisting by the triple (sender,sender-IP-address,target).
It works well, but only because it is automated and it uses 4yz soft
failures.  Many ISPs start sending a single message from one IP address
and switch to another after a few minutes--lather and repeat for up
to half a dozen different IP addresses for a single message.  It would
be hopeless to try to manually whitelist the IP addresses used by
customers of such ISPs.  The ISPs that do this sort of thing are among
the largest.
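As an added illustration (not DCC's code, and not part of the original
message), the following simulator implements automated whitelisting by the
(sender, sender-IP-address, target) triple with 4yz soft failures, then plays
through the ISP behaviour described above: one message retried from half a
dozen different client IPs. The minimum delay, the whitelist lifetime and the
sample addresses are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300             # seconds a new triple must wait (assumed value)
WHITELIST_TTL = 30 * 86400  # how long an accepted triple stays whitelisted (assumed)


@dataclass
class Greylist:
    """Greylist keyed by the triple (sender, client IP, recipient)."""
    pending: dict = field(default_factory=dict)      # triple -> first-seen time
    whitelisted: dict = field(default_factory=dict)  # triple -> last-accepted time

    def decide(self, sender, ip, rcpt, now):
        """Return the SMTP reply code for one delivery attempt at time `now`:
        '250' to accept, '451' for a 4yz soft failure asking the client to retry."""
        triple = (sender.lower(), ip, rcpt.lower())
        last = self.whitelisted.get(triple)
        if last is not None and now - last < WHITELIST_TTL:
            self.whitelisted[triple] = now        # refresh the entry on use
            return "250"
        first = self.pending.setdefault(triple, now)
        if now - first >= MIN_DELAY:
            del self.pending[triple]              # a patient retry: promote it
            self.whitelisted[triple] = now
            return "250"
        return "451"


def simulate_multi_ip_isp(gl, sender, rcpt, ips, retry_interval):
    """Constructed scenario: one message retried every `retry_interval`
    seconds, each retry leaving from the next client IP in the ISP's pool.
    Returns [(time, ip, reply), ...] up to and including the first '250'."""
    replies = []
    t = 0
    for attempt in range(50):                     # bound the loop for safety
        ip = ips[attempt % len(ips)]
        reply = gl.decide(sender, ip, rcpt, t)
        replies.append((t, ip, reply))
        if reply == "250":
            break
        t += retry_interval
    return replies


if __name__ == "__main__":
    # Constructed sample: six outbound IPs (RFC 5737 test range), retry every 2 min.
    pool = ["192.0.2.%d" % (10 + i) for i in range(6)]
    for entry in simulate_multi_ip_isp(Greylist(), "alice@example.net",
                                       "bob@example.org", pool, 120):
        print(entry)
```

Run as shown, the message is refused six times (once per client IP) and
accepted on the seventh attempt, when the first IP comes round again past the
delay; the other five triples stay pending, which is exactly the bookkeeping
nobody could maintain by hand.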


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com


