[Greylist-users] Central whitelist database

[Scott Nelson]

At 04:55 PM 6/26/03 +0200, Eirik Oeverby wrote:
>Hi,
>
>On Tue, 24 Jun 2003 22:35:34 -0700
>Scott Nelson <scott at spamwolf.com> wrote:
>> It's unclear to me that there is a "burden" upon users, or that
>> if there is, that adding a fourth party to the email transaction
>> is any better.  
>
>As I stated in another reply to this thread, my biggest worry is the
>initial delay that a lot of users are going to experience. Cutting down
>on these delays (by having such a whitelist database accessible by all
>MTAs) is, atleast to me, a very important measure to make greylisting
>more user-friendly.
>

Start with an initial delay of 1 minute.  
After a few weeks, switch to 55 minutes.


>Ofcourse a combination of white- and blacklisting could be used, but I
>think the blacklisting part can be covered by existing RBLs etc.
>
>> That said, most of the same issues that apply to a blacklist
>> would apply to a whitelist.  The ones I can think of off hand;
>
>I'll give my views on some of them..
>
>> . What are the policies for being added?
>
>A submitter (becoming a subscriber/member/whatever with
>'submit' access should require submitting verifiable contact
>information) will submit the required information to identify a sending
>MTA (or whatever we choose to whitelist), it will go into a holding
>database, and after a sufficient number of other submitters submit the
>same information, it will be accepted into the 'live' database -
>together with references to the original submitter(s).
>
>> . What are the policies for being removed?
>
>A single complaint from any submitter (or perhaps from any
>subscriber) should be considered enough to have a record removed. This
>would make it possible for spammers to remove their adresses easily, but
>in my experience most hosts sending spam are dial-up hosts, and it's
>unlikely that the spammers will be able to 'predict' the IPs/hostnames
>of the machines doing their dirty-work early enough to abuse this to any
>significant degree.
>
>> . Is there an appeals process?
>
>The above should be enough of an appeals process IMHO. Ofcourse that
>might be because I haven't thought of anything else yet ;)
>
>> . Do I trust that those policies are being followed?
>
>PGP/GPG signed distribution of sourcecode for the software running on
>the servers, having only one software package capable of acting as
>master server, slave server/submitter, and simple 'dumb' subscriber
>node.
>
>> . Is the list operator in danger of being sued?
>>   (this is directly related to what the polices are.)
>
>Now that's a question that needs to be adressed. I am not a lawyer or
>anything even close, but I imagine that if the 'master' DB is in a
>country like Norway or Germany it shouldn't be a problem. In the US it
>might be a problem, and perhaps also other places. But a distributed
>network of slaves with no 'masters' among them would probably not be
>dangerous. Or maybe. Ask someone who might know.. :)
>

Many blacklists were sued into oblivion by spammers.
Note that it's not necessary for these suits to have merit.
Either the organization that runs the list need to be large enough
that a lawsuit can seriously threaten them, or they need to be
"judgement proof" in some way.


>> . How comprehensive is the list?
>
>I'm not sure I know what you mean here.
>

How many IPs does it list - what percentage of the existing 
mail servers is that?
This is relevant because making a trust decision for a list
can be a lot of work.  If the benefit of that work is that
1% of email isn't delayed the first time it appears, 
then I'm not gaining much for that work.

D. J. Bernstein estimates there are over 4 million mail servers.
For a greylist whitelist to be worth considering to me, 
it would either need to list a minimum of 100,000 IPs,
or it would need to be very special.  For example, I might
be interested in a list of "problem" mailing lists that use
some weird version of VERP, even if it was only a few dozen IPs.

For a "normal" whitelist, it would need at least 50% coverage 
for it to be interesting to me, 
but that's really a topic for a different discussion list.


>> . Would a DoS attack be possible?
>
>Not sure. I guess it's always possible. But try to find the other
>posting i made today about this, I am outlining in a bit more detail
>what I think would be a good technical solution. I don't really see the
>possibility of an effective DoS attack. Except perhaps if someone
>grabbed the complete list of servers and tried to DoS all of them
>simultaneously...
>

Now that I think about it, it's probably not an issue for a whitelist.
DoS a whitelist, and IPs that might have been trusted, aren't.
I don't see how a spammer could gain from that.


>> The major advantage I see with whitelisting vs. blacklisting
>> is that time to list, and time to report is far less critical.
>> For greylisting, updates and comprehensiveness are even less
>> important. If there was a "seed" list which I downloaded with the
>> software, I probably wouldn't need (or want to bother with) any
>> updates, ever.
>
>Good idea. Or atleast an initial download of the list upon installation
>or something.
>

The more I think about whitelisting IPs, the less I like it.
The owners of IPs change with time.  Viruses can turn a trusted
machine into an untrusted one in a eye blink.

Scott Nelson <scott at spamwolf.com>