Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2006/06/05 17:02:47 UTC

DNS Blacklist Policy Design

I'm experimenting with my own DNS Blacklist and it's working and in 
testing right now. It's a list that is honeypot driven and only includes 
traps that only spammers fall for. However, I'm trying to make sure it 
never has a false positive. So - I'm looking for suggestions for best 
practices.

At the moment records expire 4 hours from the last spam. So it cleans 
itself up. It contains only IP addresses not listed on several other 
very popular lists like Spamhaus and SpamCop. I have about 21,000 hosts 
that it is currently blocking. And I'm returning a different code if 
they were listed just once or multiple times.

I have an idea that I'm going to try. I'm thinking about creating a DNS 
whitelist where hosts that send me ham are whitelisted for 4 hours. 
Whitelisting doesn't mean that they aren't going to get spam checked, 
but that the host can't be blacklisted while it's whitelisted.

The idea here is to keep the blacklist free of false positives. My 
theory is that true spammers never send ham from their spambots and 
would be unaffected. But if someone emailed a honeypot by accident and 
managed to get one of Earthlink's email servers blacklisted, that would 
be a problem.

I'm also wondering whether anyone else has done any DNS whitelists of 
known good servers, or at least knows of servers that are good enough 
that they should never be blacklisted. Any thoughts on this?