The mathematics of whitelisting
Pax Maria Helm.

Some definitions:
  • Blacklist * - a list of hosts from which a site will never accept connections
  • Whitelist ** - a list of hosts from which a site will always accept connections
  • Greylist *** - a virtual (by virtue only of appearing in neither of the previous two lists) list of sites from which a site may or may not accept connections, depending on external factors (DNSBL listings, integrity of handshake)

Some stats (October 2003):

  • During the month, this site accepted 18,224 emails from 2,761 unique hosts
  • The IPv4 Internet contains a total of 4,294,967,296 hosts
  • Unique hosts delivering email to this site during October 2003 comprised 0.0006% of the IPv4 Internet
  • Total hosts delivering email to this site during October 2003 comprised 0.00042% of the IPv4 Internet
  • A single class B (/16 CIDR block) contains 65,536 hosts or 0.00153% of the IPv4 Internet
  • Our local blacklist * comprises approximately 20,000,000 hosts or 0.46566% of the IPv4 Internet

Let's make some assumptions:

  • At our site, the total population of friendly hosts is no greater than a single class B network (if for the purposes of this exercise we reallocate IP addresses to them consecutively).
  • Of these, I need to whitelist ** no more than a single class C network
  • The existing blacklist * is 20% complete - the remaining 80% represents the annual churn rate in the blacklist, or 80,000,000 hosts
  • The balance, 4,194,901,504 hosts are the greylist ***

There's an awful lot of grey and black, and not a whole lot of white. To be truly effective against abuse, considerably more of the grey needs to be black, but mixed up in it, there is some white.

Rhetorical question. Which is better? Should we spend time as we now do managing the blacklist (20-100 million hosts), with everything else being treated as grey and no whitelist? Or should we blacklist very aggressively and spend less time managing that, but instead spend time managing a whitelist (perhaps 256 hosts) in addition to it?

Which of these is less time consuming and more likely to deliver a reliable email service for bona fide users?

No. Don't answer that. I already know the answer.
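The three lists defined at the top of this post can be expressed as a lookup in which the whitelist is consulted first, which is what lets the blacklist be aggressive without cutting off known-good hosts. This is an added example, not code from the original post or from Domino; the networks are constructed samples from private and documentation ranges, and `classify` and `coverage_percent` are hypothetical names.

```python
import ipaddress

# Constructed sample lists (private/documentation ranges, not real policy).
WHITELIST = [ipaddress.ip_network("10.20.30.0/24")]    # one "class C" of known-good hosts
BLACKLIST = [
    ipaddress.ip_network("10.20.0.0/16"),     # aggressive block that contains the whitelist
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("192.0.2.128/25"),   # overlaps the entry above
]

IPV4_SPACE = 2 ** 32  # 4,294,967,296 addresses


def classify(host, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Return 'white', 'black' or 'grey' for a connecting host.

    The whitelist is checked first, so a listed host is always accepted
    even when an aggressive blacklist entry also covers it.
    """
    addr = ipaddress.ip_address(host)
    if any(addr in net for net in whitelist):
        return "white"
    if any(addr in net for net in blacklist):
        return "black"
    # In neither list: the decision is left to external factors
    # (DNSBL listings, integrity of the handshake).
    return "grey"


def coverage_percent(networks):
    """Percentage of the IPv4 space covered, counting overlapping entries once."""
    merged = ipaddress.collapse_addresses(networks)
    return 100 * sum(net.num_addresses for net in merged) / IPV4_SPACE


if __name__ == "__main__":
    for host in ("10.20.30.7", "10.20.99.1", "192.0.2.200", "203.0.113.5"):
        print(host, classify(host))
    print("blacklist covers %.5f%% of IPv4" % coverage_percent(BLACKLIST))
```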

Category: Whitelisting

Comments :

1. Richard Schwartz 07/11/2003 20:52:42
Homepage: http://smokey.rhs.com/web/blog/rhs.nsf


Chris, How are you implementing a white list?

-rich




2. Chris Linfoot 08/11/2003 19:40:43


Currently I'm not. This is just another attempt by me to make the case that the Domino MTA should include a whitelist.

Raymond Neeves has made a Domino add-in which comes very close to providing the missing functionality and I may yet implement that, but would rather it was part of the core functionality shipped by Lotus.




3. Stoomaroo 10/11/2003 17:07:57


...a shot across the pond.

"Rhetorical question. Which is better? Should we spend time as we now do managing the blacklist (20-100 million hosts), with everything else being treated as grey and no whitelist? Or should we blacklist very aggressively and spend less time managing that, but instead spend time managing a whitelist (perhaps 256 hosts) in addition to it?"

I am not sure if it is a question of better or worse. No doubt a whitelisting feature would help enormously in eliminating false positives, and enable Admins to be much, much more aggressive with the blacklisting. However, many of the communications to companies (such as the one I am currently employed by) are often from 1-time, "relatively anonymous" sources, looking for public info, who we will never hear from again. Those users would probably not find themselves on my white-list (call them grey users).

So say IBM throws the white-listing feature into Domino tomorrow. Our jobs would be easier, yes I agree. However, I am unsure as to whether it will actually reduce our time managing the blacklists -- unless we blacklist everyone -- and the only allowed communication is from white-listed folks (which would potentially destroy the public information policy my company has to the public). I am arguing that we cannot expect to dramatically cut time on managing blacklists with the introduction of a whitelist. I see the ultimate purpose of the whitelist as protecting users from our blacklists...by which we will still need to manage the blacklists.

Have I missed the point on this one? (in which case my cannonball will fall harmlessly into the pond)
Stoo-ma-roo!




4. Stephen W 04/03/2005 01:37:33


I've been watching for SPF checking to be made available on Domino, too! As for greylists, I've just read an article by Kirk Strauser in the Free Software Magazine, which includes how he's implemented dynamic greylists in the Postfix mail server. The short version is that his server responds with a "mailbox temporarily unavailable, please retry later" code to unknown mail hosts - and adds a timestamped record to the greylist. The server continues to reject for five minutes before accepting the SMTP connection. His theory is that most well-behaved servers will call back (I've seen Domino happily keep re-calling mail hosts), but that almost no special-purpose spam sending software will. Yet another wish-list item for Domino, I guess - like teergrubing.
Of course, an alternative to waiting for the feature in the MTA would be to implement something upstream from Domino that *does*. There are some promising projects listed at SourceForge, however I need to move my Domino server to a Linux server before I can try many of them out.
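The dynamic greylisting described in the comment above can be sketched as a small state table keyed by host. This is an added example, not part of the comment and not Kirk Strauser's or Postfix's code; the class name, the use of SMTP reply code 450 for the temporary rejection, and the `expire` housekeeping step are assumptions.

```python
import time

RETRY_DELAY = 5 * 60  # seconds an unknown host is rejected (the five minutes described)


class Greylist:
    """Temporarily reject unknown hosts; accept once they retry after the delay."""

    def __init__(self, delay=RETRY_DELAY, clock=time.time):
        self.delay = delay
        self.clock = clock        # injectable so the logic can be exercised offline
        self.first_seen = {}      # host -> timestamp of its first attempt
        self.passed = set()       # hosts that have retried successfully

    def check(self, host):
        """Return an SMTP-style (code, text) reply for a connection from host."""
        if host in self.passed:
            return 250, "OK"
        now = self.clock()
        # An unknown host gets a timestamped record on its first attempt.
        seen = self.first_seen.setdefault(host, now)
        if now - seen < self.delay:
            # 450 is assumed here as the temporary-failure reply.
            return 450, "mailbox temporarily unavailable, please retry later"
        self.passed.add(host)
        return 250, "OK"

    def expire(self, max_age):
        """Forget hosts that never came back within max_age seconds.

        Assumed housekeeping, not mentioned in the comment: without it the
        table grows with every one-shot sender that never retries.
        """
        now = self.clock()
        stale = [h for h, seen in self.first_seen.items()
                 if h not in self.passed and now - seen > max_age]
        for h in stale:
            del self.first_seen[h]
        return len(stale)


if __name__ == "__main__":
    fake_now = [0.0]                          # constructed clock for a dry run
    g = Greylist(clock=lambda: fake_now[0])
    for t in (0, 60, 300):                    # first attempt, early retry, retry after delay
        fake_now[0] = t
        print(t, g.check("192.0.2.10"))       # constructed sample host
```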




5. hernan ruggiano 26/01/2007 19:43:30


I need to download this add-in for Domino but I cannot find a download link, could you provide me one please???

Thanx



