Are Whitelists The Answer To Spam?

Maybe they're the only foolproof anti-spam technique, writes Security Supersite Editor Larry Seltzer. But maybe they're also an overreaction.

I had trouble recently sending e-mail to a relative of mine. At first I just assumed he was blowing me off, but eventually I found out he was using a whitelist: He defined a list of e-mail addresses from which he is willing to receive e-mail, and e-mail from all other senders is dropped.

People are trying everything to combat spam, and whitelists are one of the simplest and most effective. There's an obvious problem with them, of course. As with my own example, you can't send mail to someone unless the recipient has put you on his or her list. How do you get them to put you on the list? Send an e-mail asking? Whoops, that won't work. Call them up? Well maybe, but the real point is that it's an awkward situation.

On the other hand, whitelists are more reliable than many of the other techniques used by spam-blocking software. I know from testing these products myself that the heuristic analysis they perform is primitive; all of the products I've ever looked at have allowed through perfectly obvious spam of the "ARE YOU BALD? GROW YOUR HAIR BACK!!" ilk. And I also know from personal, slightly embarrassing experience, that public blacklists make mistakes. One site I manage for a local community organization got on one of the blacklists because it shared a mail server with another site that had engaged in spamming. I contacted the blacklist organization and was told, although not in so many words, that they didn't care.

You can use whitelists halfway, too. In other words, you can use whitelists as part of a multiple-technique approach to spam blocking. Typically, whitelists are evaluated first, and all mail from users on them is let through. In this context, you know at least that there will be no false positives against users on the whitelist. Only mail from presumably less-familiar people is then subjected to other scrutiny.

There are also programs and services that act as whitelist managers, such as Choice-mail by DigiPortal. It doesn't just block unapproved senders; it sends them a form to fill out which, subject to your approval, adds them to the approved list. Matador from MailFrontier has similar capabilities, in addition to using other spam-blocking techniques. There are some technical problems with this approach. Some commercial e-mails that you might want to receive, such as purchase confirmations from an e-commerce vendor, might come from an unpredictable address (my EZPass statements come from, and the computer that sent it isn't going to fill out your form.
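The whitelist-first evaluation and the challenge form described in the two paragraphs above, as an added Python example (not code from the article or from any product it names). The addresses, phrase list, messages and function names are constructed for illustration, and matching is assumed to be on the From header only.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values for illustration; not taken from any real product.
WHITELIST = {"cousin@example.org"}
SPAM_PHRASES = ("are you bald", "grow your hair back")

# Constructed sample messages.
FRIEND = "From: Cousin <Cousin@Example.org>\nSubject: ARE YOU BALD? lol\n\nSaw this ad.\n"
SPAM = "From: x@bulk.example\nSubject: ARE YOU BALD?\n\nGROW YOUR HAIR BACK!!\n"
RECEIPT = "From: noreply-8841@billing.example\nSubject: Your statement\n\nSee attached.\n"

def sender_of(raw):
    """Return the lower-cased address from the From header ('' if absent)."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower()

def heuristic_score(raw):
    """Crude content check: count known spam phrases in subject and body."""
    msg = message_from_string(raw)
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    return sum(phrase in text for phrase in SPAM_PHRASES)

def classify(raw, whitelist=WHITELIST, challenge=True):
    """Evaluate the whitelist first; only unlisted senders get other scrutiny."""
    if sender_of(raw) in whitelist:
        return "deliver"      # listed senders can never be a false positive
    if heuristic_score(raw) > 0:
        return "reject"
    # Unknown sender, clean content: hold the message and send the form,
    # or deliver directly when challenge-response is switched off.
    return "hold-and-challenge" if challenge else "deliver"

def approve(raw, whitelist):
    """The recipient approved the sender: add the address to the list."""
    whitelist.add(sender_of(raw))

if __name__ == "__main__":
    for name, raw in (("friend", FRIEND), ("spam", SPAM), ("receipt", RECEIPT)):
        print(name, "->", classify(raw))
```

The receipt case is the problem raised above: an automated sender never fills out the form, so its mail stays held until the recipient approves the address by hand.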

And beyond that, let's stop for a minute and think about this: Do you really want someone who sends you an e-mail to be presented with what is basically a guard at your door saying, "Show me your papers"? I think it could be very off-putting and will discourage a lot of people from bothering to contact you.

Maybe that's just me. I think it's like never picking up your phone and using voicemail to filter your calls: Works for some people, I guess, but like everything else about spam fighting these days, it leaves me unimpressed.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.