Mailing List Archive: SPF: Discuss

domain whitelists?

Index | Next | Previous | View Threaded

mengwong at pobox

Jun 13, 2007, 12:07 PM

Post #1 of 3 (2384 views)
Permalink

domain whitelists?

Hey everyone,

Can you name some domain whitelists, please?

Back when we were first coming up with SPF, one of the big objections
was "okay, so the spammers will just go and register lots of
throwaway domains and publish SPF records for those domains and then
what?"

Our answer to that objection was "yes, that is part of the plan, when
they do that, we will use domain whitelists and blacklists, I mean,
blocklists, to distinguish between the good domains and the bad
domains."

So now I am asking: Can anybody out there point me at some good
domain whitelists?

I have been quietly collecting all the DNSBLs, DNSWLs, RHSBLs,
RHSWLs, and URIBLs that I can find.

I have started with lists such as:
- websites that TrustE has certified
- websites that have gone through VeriSign's SSL certificate due
diligence checks
- domains from my personal addressbooks
- hostnames from the Fortune 2000
- trusted-forwarder.org
- dnswl.org
- URIBL's whitelist
- LashBack's whitelist
- Return Path Sender Score Certified

I have fed the above lists into http://www.karmasphere.com.
Karmasphere's job is to aggregate all the reputation sources out
there, and provide a single point of access to them. There are
experimental plugins available for Postfix, Exim, Sendmail, etc.

Now I am actively hunting for new domain blacklists and whitelists.
I am particularly keen to collect whitelists. SPF + domain
whitelisting is a great tool for helping fight false positives.

I am hungry for more.

If folks out there would like to contribute their own domain
whitelists, there's an upload-publishing interface available at the
Karmasphere website. Or you can just tell me the rsync or http
syndication URL, if one is available, and I can download it directly.

cheers
meng

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com

william at elan

Jun 13, 2007, 12:40 PM

Post #2 of 3 (2306 views)
Permalink

Re: domain whitelists? [In reply to]

http://www.spamlinks.net/filter-bl.htm
and specifically
http://www.spamlinks.net/filter-dnsbl-lists.htm#whitelists
http://www.spamlinks.net/prevent-marketers.htm#products-trust

On Wed, 13 Jun 2007, Meng Weng Wong wrote:

> Hey everyone,
>
> Can you name some domain whitelists, please?
>
> Back when we were first coming up with SPF, one of the big objections was
> "okay, so the spammers will just go and register lots of throwaway
> domains and publish SPF records for those domains and then what?"
>
> Our answer to that objection was "yes, that is part of the plan, when
> they do that, we will use domain whitelists and blacklists, I mean,
> blocklists, to distinguish between the good domains and the bad domains."
>
> So now I am asking: Can anybody out there point me at some good domain
> whitelists?
>
> I have been quietly collecting all the DNSBLs, DNSWLs, RHSBLs, RHSWLs,
> and URIBLs that I can find.
>
> I have started with lists such as:
> - websites that TrustE has certified
> - websites that have gone through VeriSign's SSL certificate due
> diligence checks
> - domains from my personal addressbooks
> - hostnames from the Fortune 2000
> - trusted-forwarder.org
> - dnswl.org
> - URIBL's whitelist
> - LashBack's whitelist
> - Return Path Sender Score Certified
>
> I have fed the above lists into http://www.karmasphere.com.
> Karmasphere's job is to aggregate all the reputation sources out there,
> and provide a single point of access to them. There are experimental
> plugins available for Postfix, Exim, Sendmail, etc.
>
> Now I am actively hunting for new domain blacklists and whitelists. I am
> particularly keen to collect whitelists. SPF + domain whitelisting is a
> great tool for helping fight false positives.
>
> I am hungry for more.
>
> If folks out there would like to contribute their own domain whitelists,
> there's an upload-publishing interface available at the Karmasphere
> website. Or you can just tell me the rsync or http syndication URL, if
> one is available, and I can download it directly.
>
> cheers
> meng
>
>
>
>
> -------------------------------------------
> -----------------------------------------------------------------------
> Sender Policy Framework: http://www.openspf.org/
> Archives at http://archives.listbox.com/spf-discuss/current/
> To unsubscribe, change your address, or temporarily deactivate your
> subscription,
> please go to http://v2.listbox.com/member/?list_id=735
> Powered by Listbox: http://www.listbox.com

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com

stuart at bmsi

Jun 13, 2007, 1:05 PM

Post #3 of 3 (2295 views)
Permalink

Re: domain whitelists? [In reply to]

On Wed, 13 Jun 2007, Meng Weng Wong wrote:

> Can you name some domain whitelists, please?
>
> Back when we were first coming up with SPF, one of the big objections
> was "okay, so the spammers will just go and register lots of
> throwaway domains and publish SPF records for those domains and then
> what?"
>
> Our answer to that objection was "yes, that is part of the plan, when
> they do that, we will use domain whitelists and blacklists, I mean,
> blocklists, to distinguish between the good domains and the bad
> domains."
>
> So now I am asking: Can anybody out there point me at some good
> domain whitelists?

Roll your own.

I use the GOSSiP reputation system via pygossip. This tracks the
reputation of domain:qual. For example, aol.com:Pass gets a separate
reputation from aol.com:Neutral (aol.com:Neutral is bad enough
to get unconditionally rejected). I also track GUESS and HELO for best
guess and HELO SPF. A gossip server aggregates reputation data from
multiple MTAs and other gossip servers. The end result is a header
field, e.g.:

2007Jun13 15:30:03 [6275] Received-SPF: SoftFail (mail.bmsi.com: transitioning domain of verizon.com does not designate 69.211.250.118 as permitted sender) client-ip=69.211.250.118; envelope-from="ibtfojjcbb [at] verizon"; helo=adsl-69-211-250-118.dsl.chcgil.ameritech.net; receiver=mail.bmsi.com; mechanism=~all; identity=mailfrom; x-helo-spf=none;
2007Jun13 15:30:03 [6275] X-GOSSiP: GSaN2WJQQBfg.iTN6j6z1A,-76,2
2007Jun13 15:30:03 [6275] REJECT: REPUTATION

The reputation of verizon.com:SoftFail is 100% spam, with a confidence of
2 out of 100. Confidence depends on total messages and time span. The
server log tells me the raw data:

2007Jun13 15:30:03 ham: 0, spam: 32
2007Jun13 15:30:03 ID verizon.com:softfail reputation: -76.159416,2.687894

The sender (unknown since the MFROM was clearly forged) sees:

550 5.7.1 Your domain has been sending mostly spam

The X-GOSSiP token is used for feedback concerning the message.

That gives me an 80Meg+ database of spam/ham ratio and time span for
lots of domain:qual pairs.

To get the ball rolling, I use a bayesian filter, and some absolute
blacklists and whitelists.

Absolute blacklists are easy to get: just create a "honeypot" mailbox.
All messages to the honeypot blacklist the sender and train the filter
as spam.

Absolution whitelists are harder, but I auto-whitelist recipients of
my users messages (after screening for zombie mail, vacation,
auto-notifications, etc). I also whitelist senders released from quarantine.

Notice that users don't do anything except occasionally check the quarantine.

The weak points of the system are mailing lists and auto-whitelist. Mailing
lists suggest that you "add our address to your addressbook" assuming similar
auto-whitelisting for Windows. Worse, they often use an MFROM that
is unrelated to the "address" they suggest whitelisting (which is
apparently some unspecified rfc2822 header field). You don't
know until the first message arrives where they will send it from.
IMO, such mailing lists are braindead, but they are legit in the sense
of opt-in confirmed subscription.

It would be nice to have a way to authenticate the From mail header.
I am not aware of any protocol that does that yet. (Sender-ID provides a
very nice way to authenticate the Resent-Sender mail header, and DKIM
doesn't have sender policies ready yet.)

Auto-whitelisted senders can of course turn into zombies. The auto
entries are kept 90 days and then discarded.

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads