Are Whitelists The Answer To Spam?

By Larry Seltzer  |  Posted 2003-03-27

Maybe they're the only foolproof anti-spam technique, writes Security Supersite Editor Larry Seltzer. But maybe they're also an overreaction.

I had trouble recently sending e-mail to a relative of mine. At first I just assumed he was blowing me off, but eventually I found out he was using a whitelist: He defined a list of e-mail addresses from which he is willing to receive e-mail, and e-mail from all other senders is dropped.

People are trying everything to combat spam, and whitelists are one of the simplest and most effective. There's an obvious problem with them, of course. As with my own example, you can't send mail to someone unless the recipient has put you on his or her list. How do you get them to put you on the list? Send an e-mail asking? Whoops, that won't work. Call them up? Well maybe, but the real point is that it's an awkward situation.

On the other hand, whitelists are more reliable than many of the other techniques used by spam-blocking software. I know from testing these products myself that the heuristic analysis they perform is primitive; all of the products I've ever looked at have allowed through perfectly obvious spam of the "ARE YOU BALD? GROW YOUR HAIR BACK!!" ilk. And I also know from personal, slightly embarrassing experience, that public blacklists make mistakes. One site I manage for a local community organization got on one of the blacklists because it shared a mail server with another site that had engaged in spamming. I contacted the blacklist organization and was told, although not in so many words, that they didn't care.

You can use whitelists halfway, too. In other words, you can use whitelists as part of a multiple-technique approach to spam blocking. Typically, whitelists are evaluated first, and all mail from users on them is let through. In this context, you know at least that there will be no false positives against users on the whitelist. Only mail from presumably less-familiar people is then subjected to other scrutiny.

There are also programs and services that act as whitelist managers, such as Choice-mail by DigiPortal. It doesn't just block unapproved senders; it sends them a form to fill out which, subject to your approval, adds them to the approved list. Matador from MailFrontier has similar capabilities, in addition to using other spam-blocking techniques. There are some technical problems with this approach. Some commercial e-mails that you might want to receive, such as purchase confirmations from an e-commerce vendor, might come from an unpredictable address (my EZPass statements come from, and the computer that sent it isn't going to fill out your form.
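The filtering order described above (whitelist first, other scrutiny second, a challenge form for the rest) and the automated-sender problem it runs into, as an added Python sketch. It is not code from the article, Choice-mail or Matador; the scoring rule, the addresses and the function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def spam_score(msg):
    # Toy stand-in for the later filtering stage; not any real product's heuristic.
    subject = msg.get("Subject", "")
    letters = [c for c in subject if c.isalpha()]
    shouting = bool(letters) and sum(c.isupper() for c in letters) / len(letters) > 0.7
    return int(shouting) + int("!!" in subject)

def classify(raw, whitelist, pending):
    """Return 'deliver', 'drop' or 'challenge' for one raw message."""
    msg = message_from_string(raw)
    # The sender is taken from the From header exactly as the message states it.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in whitelist:        # stage 1: whitelisted senders skip every other check
        return "deliver"
    if spam_score(msg) >= 2:       # stage 2: other scrutiny for everyone else
        return "drop"
    pending.setdefault(sender, []).append(msg)  # stage 3: hold mail, send a challenge form
    return "challenge"

def approve(sender, whitelist, pending):
    """Recipient approves a sender who answered the form; returns count of released mail."""
    whitelist.add(sender)
    return len(pending.pop(sender, []))

# Constructed sample mail (addresses and subjects are made up).
SAMPLES = [
    "From: Aunt May <aunt@example.org>\nSubject: HAPPY BIRTHDAY!!\n\nhi",
    "From: promo@bulk.example.net\nSubject: ARE YOU BALD? GROW YOUR HAIR BACK!!\n\n",
    "From: old.friend@example.com\nSubject: Lunch on Friday?\n\n",
    "From: statements-0427@billing.example.com\nSubject: Your monthly statement\n\n",
]

def run_demo():
    whitelist, pending = {"aunt@example.org"}, {}
    verdicts = [classify(raw, whitelist, pending) for raw in SAMPLES]
    released = approve("old.friend@example.com", whitelist, pending)  # the human answers
    # The billing system never fills out the form, so its mail is still held.
    return verdicts, released, sorted(pending)

if __name__ == "__main__":
    print(run_demo())
```

The whitelisted sender's all-caps subject is delivered without being scored, while the statement from the automated billing address stays in the held queue indefinitely.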

And beyond that, let's stop for a minute and think about this: Do you really want someone who sends you an e-mail to be presented with what is basically a guard at your door saying, "Show me your papers"? I think it could be very off-putting and will discourage a lot of people from bothering to contact you.

Maybe that's just me. I think it's like never picking up your phone and using voicemail to filter your calls: Works for some people, I guess, but like everything else about spam fighting these days, it leaves me unimpressed.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
