The Spamhaus Whitelist

Home / Blogs

The Spamhaus Whitelist

	By John Levine Author, Consultant & Speaker
	September 29, 2010 Views: 11,435 Comments: 2

BLACK FRIDAY DISCOUNT - CircleID x NordVPN
Get NordVPN [74% +3 extra months, from $2.99/month]

For several months I have been working with the Spamhaus project on a whitelist, which we announced to the public this week. While this is hardly the first mail whitelist, our goals are somewhat different from other whitelists. Think of e-mail as ranging from inky black to pearly white, like this:

Spamhaus’ SBL and its other current lists identify mail from the inky black end, sources of mail so consistently unwanted that recipients can reject or discard it without even looking at it. The goal of the Spamhaus whitelist is to identify mail at the other end of the spectrum, sources of mail so consistently wanted that recipients can deliver it without looking at it. This leaves a large grey area in between of mail sources which are neither consistently wanted nor unwanted; this isn’t a magic bullet, and recipients will still have have to use other techniques to filter that.

Two categories of mail qualify for the Whitelist:

What we call mail from staff, mail sent by individuals who have are employees of or otherwise have a relationship with the operator of the mail system beyond being customers.
Transactions, mail directly related to a specific action by the recipient, or reporting the status of an account set up by the recipient. Typical examples would be order acknowledgements, and bank account statements.

There’s a lot of other wanted mail that doesn’t qualify. Mail sent for third parties, such as mail from ISPs’ customers doesn’t qualify, nor does any sort of mailing list or bulk mail, no matter how wonderfully opt-in.

The reason for these limits is quite practical—the risk of unwanted mail of these other kinds is significantly greater than for staff mail or transactions, and as anyone familiar with the e-mail business can confirm, it is impossible to tell by looking at mailing list mail whether the recipient asked for the mail, and frequently difficult to tell even with access to logs and business records. So we’re sticking to the kinds of mail that are highly wanted and easy to recognize.

For now, as we ramp up, anyone can use the whitelist (details here), but listings are by invitation only.

By John Levine, Author, Consultant & Speaker

Filed Under

Comments

No matter how wonderfully opt-in Alessandro Vesely – Oct 16, 2010 4:59 PM

Unfortunately, it seems not so straightforward to automatically determine whether a message is a transaction or from the staff. Does a local part of postmaster or info in the “From” header indicate that?

On the other hand, opt-in procedures could be strengthened quite easily by engaging some third party, such as the subscriber’s mailbox provider or a reputation tracker. Given that DKIM can provide a workable definition of message stream, complaints about unsolicited mail could be solved in a breeze. Whitelisting those who play correctly would reward and dignify their activity, consolidate the tools, and improve delivery. Would such white shine less?

# 1 Reply | Link | Report Problems

Does a local part of postmaster or John Levine – Oct 16, 2010 7:08 PM

Does a local part of postmaster or info in the “From” header indicate that?

No, of course not. If you could tell staff mail or transactions from spam with a mechanical test, you wouldn’t need a whitelist, you could just do perfect filtering.

We’re building a network of spamtraps and feedback loops to check compliance.

# 2 Reply | Link | Report Problems

The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.