Why I think that DNS whitelists are going to fail

January 27, 2007

There's been a recent fad for DNS whitelists, the rough inverse of DNS blacklists; instead of listing claimed bad sources of email, they list claimed good sources. I've been thinking about this for a while, and I believe that such DNS whitelists are going to fail.

Why I believe DNS whitelists are doomed can be summed up in a simple question: do you whitelist Hotmail or not? If you whitelist Hotmail, you are whitelisting a known source of a not insignificant amount of spam. If you don't whitelist Hotmail, you are not whitelisting a place that sends a lot of legitimate email that's wanted by the people it's sent to. Either answer damages your DNS whitelist.

The fundamental issue is that there is no nice binary spam/no spam dividing line for hosts; instead it is more like:

  1. sends no spam
  2. sends spam but only as part of forwarding email in general
  3. originates some spam along with legitimate email
  4. originates too much spam (to the limiting point of not originating any legitimate email).

(Hotmail, Yahoo, Google Mail, and so on are #3s. Places that forward mail (whether directly for users or by running mailing lists) are sooner or later #2s.)

Among other issues, where do you draw the line between #3 and #4 and decide to (not) list someone? I don't think there are any objective criteria, so it comes down to 'too big to not whitelist', and sooner or later you (the list operator) and I (the list user) are going to disagree about that.

(You can take the intellectually pure path and only list #1, but then what's the point? Most of the interesting places we get email from are going to fall into #2 and #3.)

Comments on this page:

From 193.134.170.35 at 2007-01-29 05:55:34:

Disclosure: I am responsible for the dnswl.org project, a collaborative DNS whitelisting effort (http://www.dnswl.org/).

Not all e-mail servers are equally "good", but even Yahoo and Hotmail servers still emit a considerable number of non-spam e-mails.

In order to cope with this different "trustworthiness", the dnswl.org project uses different levels ("none", "low", "med", "hi"). With this, each admin can apply dnswl.org data according to his or her local policy.

The suggested use is: bypass outright blocking and greylisting for all levels; use "low" to "hi" for positive scoring (in SpamAssassin terms, eg -1, -2 and -4 points); possibly bypass spamfiltering completely for "med" and/or "hi".

Regards, -- Matthias (matthias/at/leisi.net)

By cks at 2007-01-30 17:30:43:

I don't think that using a DNS whitelist to even bypass outright blocking is necessarily the right decision. For example, Spamhaus recently listed several wanadoo.co.uk mail machines for 'emitting far too much advanced fee fraud spam', while dnswl.org also listed those machines (at the 'none' level), since they send some actual non-spam email. Does one really want to bypass Spamhaus's opinion in this case? I suspect that for many people the answer is 'hell no'.

One way to put it is that I'm not sure that DNS whitelists are answering a useful question, especially at the low end. 'Emits some non-spam email' is not necessarily a reason to not block someone.

Written on 27 January 2007.
« First impressions of pyOpenSSL
Weekly spam summary on January 27th, 2007 »

These are my WanderingThoughts
(About the blog)

Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.
Mastodon: @cks
Twitter @thatcks

* * *

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web
Also: (Sub)topics

This is a DWiki.
GettingAround
(Help)

Search:
Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.
Last modified: Sat Jan 27 22:27:59 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.