stuart at bmsi
Jun 13, 2007, 1:05 PM
Post #3 of 3
On Wed, 13 Jun 2007, Meng Weng Wong wrote:
> Can you name some domain whitelists, please?
> Back when we were first coming up with SPF, one of the big objections
> was "okay, so the spammers will just go and register lots of
> throwaway domains and publish SPF records for those domains and then
> Our answer to that objection was "yes, that is part of the plan, when
> they do that, we will use domain whitelists and blacklists, I mean,
> blocklists, to distinguish between the good domains and the bad
> So now I am asking: Can anybody out there point me at some good
> domain whitelists?
Roll your own.
I use the GOSSiP reputation system via pygossip. This tracks the
reputation of domain:qual. For example, aol.com:Pass gets a separate
reputation from aol.com:Neutral (aol.com:Neutral is bad enough
to get unconditionally rejected). I also track GUESS and HELO for best
guess and HELO SPF. A gossip server aggregates reputation data from
multiple MTAs and other gossip servers. The end result is a header
2007Jun13 15:30:03  Received-SPF: SoftFail (mail.bmsi.com: transitioning domain of verizon.com does not designate 22.214.171.124 as permitted sender) client-ip=126.96.36.199; envelope-from="ibtfojjcbb [at] verizon"; helo=adsl-69-211-250-118.dsl.chcgil.ameritech.net; receiver=mail.bmsi.com; mechanism=~all; identity=mailfrom; x-helo-spf=none;
2007Jun13 15:30:03  X-GOSSiP: GSaN2WJQQBfg.iTN6j6z1A,-76,2
2007Jun13 15:30:03  REJECT: REPUTATION
The reputation of verizon.com:SoftFail is 100% spam, with a confidence of
2 out of 100. Confidence depends on total messages and time span. The
server log tells me the raw data:
2007Jun13 15:30:03 ham: 0, spam: 32
2007Jun13 15:30:03 ID verizon.com:softfail reputation: -76.159416,2.687894
The sender (unknown since the MFROM was clearly forged) sees:
550 5.7.1 Your domain has been sending mostly spam
The X-GOSSiP token is used for feedback concerning the message.
That gives me an 80Meg+ database of spam/ham ratio and time span for
lots of domain:qual pairs.
To get the ball rolling, I use a bayesian filter, and some absolute
blacklists and whitelists.
Absolute blacklists are easy to get: just create a "honeypot" mailbox.
All messages to the honeypot blacklist the sender and train the filter.
Absolute whitelists are harder, but I auto-whitelist recipients of
my users' messages (after screening for zombie mail, vacation,
auto-notifications, etc). I also whitelist senders released from quarantine.
Notice that users don't do anything except occasionally check the quarantine.
The weak points of the system are mailing lists and auto-whitelist. Mailing
lists suggest that you "add our address to your addressbook" assuming similar
auto-whitelisting for Windows. Worse, they often use an MFROM that
is unrelated to the "address" they suggest whitelisting (which is
apparently some unspecified rfc2822 header field). You don't
know until the first message arrives where they will send it from.
IMO, such mailing lists are braindead, but they are legit in the sense
of opt-in confirmed subscription.
It would be nice to have a way to authenticate the From mail header.
I am not aware of any protocol that does that yet. (Sender-ID provides a
very nice way to authenticate the Resent-Sender mail header, and DKIM
doesn't have sender policies ready yet.)
Auto-whitelisted senders can of course turn into zombies. The auto
entries are kept 90 days and then discarded.
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
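An added illustration (not Stuart's code and not pygossip's implementation) of the domain:qual reputation idea described in the post: counts of ham and spam per `domain:qualifier` key, a reputation score with a confidence that grows with message count and observed time span, a reject decision, and an opaque per-message token for later feedback. The scoring formula, thresholds, token format and sample data are all assumptions made for the example.

```python
import secrets

# Assumed thresholds, not values from pygossip.
REJECT_SCORE = -50.0    # reject when the score is at or below this
MIN_CONFIDENCE = 2.0    # below this there is too little data to judge
DAY = 86400.0


class ReputationStore:
    def __init__(self):
        self.records = {}   # "domain:qual" -> {"ham", "spam", "first", "last"}
        self.tokens = {}    # feedback token -> "domain:qual"

    @staticmethod
    def key(domain, qual):
        # aol.com:Pass and aol.com:Neutral get separate reputations
        return f"{domain.lower()}:{qual.lower()}"

    def record(self, domain, qual, is_spam, when):
        r = self.records.setdefault(self.key(domain, qual),
                                    {"ham": 0, "spam": 0, "first": when, "last": when})
        r["spam" if is_spam else "ham"] += 1
        r["first"], r["last"] = min(r["first"], when), max(r["last"], when)

    def reputation(self, domain, qual):
        """Return (score in [-100, 100], confidence in [0, 100])."""
        r = self.records.get(self.key(domain, qual))
        if r is None:
            return 0.0, 0.0
        total = r["ham"] + r["spam"]
        score = 100.0 * (r["ham"] - r["spam"]) / total
        # Assumed: confidence grows with message count and with the time span seen
        span_days = (r["last"] - r["first"]) / DAY
        confidence = min(100.0, total * min(1.0, (1.0 + span_days) / 30.0))
        return score, confidence

    def verdict(self, domain, qual):
        score, confidence = self.reputation(domain, qual)
        if confidence < MIN_CONFIDENCE:
            return "unknown"
        return "reject" if score <= REJECT_SCORE else "accept"

    def issue_token(self, domain, qual):
        """Opaque token to put in a header so the message can be reported later."""
        token = secrets.token_urlsafe(12)
        self.tokens[token] = self.key(domain, qual)
        return token

    def feedback(self, token, is_spam, when):
        """Apply a spam/ham report for the message identified by its token."""
        domain, qual = self.tokens.pop(token).split(":", 1)
        self.record(domain, qual, is_spam, when)
```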
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/