Wandering Thoughts archives


Why I think that DNS whitelists are going to fail

There's been a recent fad for DNS whitelists, the rough inverse of DNS blacklists; instead of listing claimed bad sources of email, they list claimed good sources. I've been thinking about this for a while, and I believe that such DNS whitelists are going to fail.

Why I believe DNS whitelists are doomed can be summed up in a simple question: do you whitelist Hotmail or not? If you whitelist Hotmail, you are whitelisting a known source of a not insignificant amount of spam. If you don't whitelist Hotmail, you are not whitelisting a place that sends a lot of legitimate email that's wanted by the people it's sent to. Either answer damages your DNS whitelist.

The fundamental issue is that there is no nice binary spam/no spam dividing line for hosts; instead it is more like:

  1. sends no spam
  2. sends spam but only as part of forwarding email in general
  3. originates some spam along with legitimate email
  4. originates too much spam (in the limit, originating no legitimate email at all).

(Hotmail, Yahoo, Google Mail, and so on are #3s. Places that forward mail (whether directly for users or by running mailing lists) are sooner or later #2s.)

Among other issues, where do you draw the line between #3 and #4 and decide whether or not to list someone? I don't think there are any objective criteria, so it comes down to 'too big to not whitelist', and sooner or later you (the list operator) and I (the list user) are going to disagree about that.

(You can take the intellectually pure path and only list #1, but then what's the point? Most of the interesting places we get email from are going to fall into #2 and #3.)
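The argument above is about policy, but it has a direct consequence for how a mail filter should consume a whitelist. The following is an added example, not code from the original post: it builds the reversed-octet query name that DNS white- and blacklists are looked up under, resolves it against a constructed stand-in zone (`dnswl.example`, with a made-up trust-level encoding in the answer's last octet), and then contrasts treating a listing as a bypass with treating it as weighted evidence. The hypothetical "#3"-style host still gets its spam caught under the weighted policy while a high-trust host gets real benefit, which is the only way a list that includes #2 and #3 senders stays usable.

```python
import ipaddress
from typing import Callable, Optional

# Constructed stand-in for a DNS whitelist zone. Real lists are queried with the
# reversed-octet form of the sender IP under the list's zone (the same convention
# DNS blacklists use) and answer with a 127.0.0.x address. The trust-level
# encoding in the last octet here is an assumption for this example, not any
# real list's format. IPs are from the documentation ranges.
ZONE = "dnswl.example"
CONSTRUCTED_ZONE_DATA = {
    "10.2.0.192.dnswl.example": "127.0.0.3",   # hypothetical "#1" host: high trust
    "25.113.0.203.dnswl.example": "127.0.0.1", # hypothetical "#3"-style webmail host: low trust
}


def query_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the IPv4 octets and append the list zone.

    192.0.2.10 -> 10.2.0.192.dnswl.example
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def trust_level(
    ip: str,
    resolve: Callable[[str], Optional[str]] = CONSTRUCTED_ZONE_DATA.get,
) -> Optional[int]:
    """Return the list's trust level for ip (last octet of the answer), or None if unlisted.

    `resolve` is injected so the example runs offline; a real deployment would
    pass a function that performs an A-record lookup.
    """
    answer = resolve(query_name(ip))
    if answer is None:
        return None
    return int(answer.split(".")[-1])


def binary_verdict(ip: str, content_score: float, threshold: float = 5.0) -> str:
    """Whitelist as a bypass: any listed sender skips content filtering entirely."""
    if trust_level(ip) is not None:
        return "accept"
    return "spam" if content_score >= threshold else "accept"


def weighted_verdict(
    ip: str,
    content_score: float,
    threshold: float = 5.0,
    credit_per_level: float = 1.5,
) -> str:
    """Whitelist as evidence: a listing lowers the score in proportion to the
    list's trust level, but never turns into a free pass."""
    level = trust_level(ip)
    credit = 0.0 if level is None else credit_per_level * level
    return "spam" if content_score - credit >= threshold else "accept"


if __name__ == "__main__":
    # Spammy content (score 8.0) from the low-trust "#3"-style host:
    print(binary_verdict("203.0.113.25", 8.0))    # accept: the bypass lets it through
    print(weighted_verdict("203.0.113.25", 8.0))  # spam: 8.0 - 1.5 is still over threshold
    # Borderline content (score 6.0) from the high-trust host gets real benefit:
    print(weighted_verdict("192.0.2.10", 6.0))    # accept: 6.0 - 4.5 is well under threshold
```

The design choice is the point of the post in code form: since a list that is worth consulting will contain #2 and #3 senders, a consumer that treats "listed" as "trusted" inherits every spam run those senders originate, whereas a consumer that treats it as one weighted signal among several survives the list operator drawing the #3/#4 line somewhere the consumer would not have.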

spam/DNSWhitelistProblem written at 22:27:59


This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.