How to whitelist well-managed mailing lists

Vernon Schryver vjs@calcite.rhyolite.com
Tue May 28 03:44:13 UTC 2002


> From: Gary Mills <mills@cc.UManitoba.CA>

> ...
> The mail would have to be identified in some way so that DCC could
> exempt it from being treated as spam.  The `identification' would, of
> course, have to be something that could not be forged by spammers.

Unless you run SMTP-AUTH, SMTP-TLS, PGP, SMIME, or similar, there is
nothing that the spammers cannot forge except the IP address of the SMTP
client.  White-listing by IP address has problems:

  - IP white list entries are hard to keep right.  Many legitimate
   lists seem to be surprisingly transient or have only occasionally
   used sending systems.

  - host name white list entries require painful pauses by DCC clients
   to deal with slow or unresponsive DNS servers.  Dccm has an entire
   thread dedicated to waiting for slow DNS servers, but still things
   sometimes hiccup.  Many legitimate lists have surprisingly flakey
   DNS servers.

  - white-listing by IP address does not work for mail that has been
   forwarded, such as by a bastion SMTP server or a .forward file.

For all of those reasons, I've removed the host names from the sample
white list in the DCC source distribution.

There are fundamental reasons why it is impossible to hope for unforgeable
tokens of virtue for any mail from strangers, including bulk mail, that
are related to the fact that SMTP-AUTH is not, could not, and will never
fix the spam problem.  You can't know whether a stranger is a spammer,
because if you knew that, you wouldn't be talking about a stranger.

However, those problems don't matter.  You don't need an unforgeable
mark, because forgery is so widely viewed as unacceptable and often
a crime.  Forgery would bypass almost all current or conceivable spam
defenses, but essentially no spammers are doing it.

You need only a list of legitimate mailing lists and their markers.


> It's not possible to identify all possible sources of spam, but it
> may be possible to identify all possible sources of legitimate bulk
> e-mail.  The magnitude would be much less.  Then, DCC would only need
> to reject or mark everything not identified as legitimate.

It is impossible to identify all possible sources of legitimate bulk
e-mail, because there are so many and they come and go.  Anyone with
a UNIX box can start a legitimate mailing list. 

Worse, there is no single definition of "legitimate."  For example,
not long ago an article in news.admin.net-abuse.email mentioned some
mailing lists that the author valued.  In my view, several were
exceptionally bad and hopeless spammers.

However, that problem is also not fatal.  An "80% solution" would be
very valuable.  Those users who insist on receiving mail from spammers
or controversial sources can be accommodated with individual white
list entries.  Users with very unusual tastes in bulk mail may not
have their mail tagged as bulk because it is so unusual and can have
their lists sanctified if it is.


> What do you think of this suggestion?

I think you're looking at a lot of work.  However, trying can't do
any harm other than burning yourself out.  Even something far short
of an 80% solution could be quite valuable, and not just for the DCC
but for other spam defenses that use white lists.


Vernon Schryver    vjs@rhyolite.com
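
Added example, not part of the original message and not DCC code: a small
Python sketch of the trade-off discussed above, comparing a white list keyed
on the SMTP client IP address with one keyed on a header marker.  The List-Id
header as the marker, the addresses, and the list name are all constructed
assumptions.

```python
import ipaddress
from email import message_from_string

# Constructed sample data: documentation addresses and a made-up list.
IP_WHITELIST = [ipaddress.ip_network("192.0.2.25/32")]  # the list's sending host
MARKER_WHITELIST = {"announce.lists.example.org"}        # assumed marker: List-Id

RAW = (
    "From: owner-announce@lists.example.org\n"
    "List-Id: Announcements <announce.lists.example.org>\n"
    "Subject: monthly digest\n"
    "\n"
    "body\n"
)

# (description, IP of the SMTP client that handed us the message, message)
DELIVERIES = [
    ("direct from list host", "192.0.2.25", RAW),
    ("forwarded by bastion or .forward", "198.51.100.7", RAW),
    ("stranger copying the marker", "203.0.113.99", RAW),
]

def ip_whitelisted(client_ip):
    """True if the connecting SMTP client is inside a white-listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in IP_WHITELIST)

def marker_whitelisted(raw):
    """True if the List-Id identifier (the part in angle brackets) is listed."""
    list_id = message_from_string(raw).get("List-Id", "")
    start, end = list_id.rfind("<"), list_id.rfind(">")
    if start == -1 or end < start:
        return False
    return list_id[start + 1:end].strip().lower() in MARKER_WHITELIST

def evaluate(deliveries):
    """Map each delivery to (passes IP white list, passes marker white list)."""
    return {desc: (ip_whitelisted(ip), marker_whitelisted(raw))
            for desc, ip, raw in deliveries}

if __name__ == "__main__":
    for desc, (by_ip, by_marker) in evaluate(DELIVERIES).items():
        print(f"{desc:34} ip={by_ip!s:5} marker={by_marker}")
```

The forwarded copy fails the IP check although it is the same list mail, while
the marker check passes it and also passes any message carrying the same
header, which is the forgeable-but-sufficient trade-off the message accepts.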


