Posted to users@spamassassin.apache.org by "Ryan L. Sun" <li...@gmail.com> on 2005/05/14 00:32:03 UTC

IP whitelist?

Do you guys have any idea how to build up an effective and accurate IP
whitelist?
Since IPs always cause false positives, I believe an IP whitelist may be
a good idea.

Thanks.
-Ryan

Re: IP whitelist?

Posted by Duncan Hill <sa...@nacnud.force9.co.uk>.
On Friday 13 May 2005 23:51, Ryan L. Sun wrote:
> If an incoming email is from an IP listed in the IP whitelist, we don't
> need to check it at all.
> The whitelist I mentioned here is a large-scale one. Say Microsoft and
> Yahoo's IPs should be added to the IP whitelist since we suppose they
> won't send spam.

Uhh.. no.  Yahoo IPs do send spam, when a lovely 419 scammer actually uses a 
real Yahoo account to send the scam.  It does get shut down fairly fast 
though.. sometimes.

The only way you'll get an accurate whitelist is to determine which sending 
servers you trust.  A greylisting engine -might- help you with this if you 
bent it enough.  Once you know you trust a sending server, somehow you need 
to tell your MTA to not feed that message to SA.  Alternately, feed it to SA 
anyway, but make an RBL out of the whitelist and do an rbl check that scores 
-ve points.

Then wait for that IP you trust to be misconfigured and turned into an open 
relay.... :>  Hopefully, even though you trust an IP to not send you spam, 
you don't trust it to not send you viruses.

Re: IP whitelist?

Posted by "Ryan L. Sun" <li...@gmail.com>.
If an incoming email is from an IP listed in the IP whitelist, we don't
need to check it at all.
The whitelist I mentioned here is a large-scale one. Say Microsoft and
Yahoo's IPs should be added to the IP whitelist since we suppose they
won't send spam.
Currently I am maintaining an RBL list, and hopefully the IP whitelist
will help to reduce false positives.

On 5/13/05, Matt Kettler <mk...@evi-inc.com> wrote:
> Ryan L. Sun wrote:
> > Do you guys have any idea how to build up an effective and accurate IP
> > whitelist?
> > Since IPs always cause false positives, I believe an IP whitelist may be
> > a good idea.
> >
> > Thanks.
> > -Ryan
> >
> 
> What do you use to call SA?
> 
> While the idea is good, any whitelisting at all done inside SA is nothing but a
> cheap hack. If at all possible with the tool you use, it's better to skip the
> call to SA in the first place than to try to do whitelist_from, or whitelist_ip.
> 
> You save CPU, no worries about bayes autolearning the wrong way, etc.
> 
> 
> At present the only "easy" way of doing an IP whitelist would be to write a
> header rule that's specific to the Received: headers generated by your MTA.
> 
> Another way would be to create your own RBL zone on your DNS server, and use
> SA's DNSBL features to query that zone and apply negative scores to the "good"
> IPs (much like RCVD_IN_BSP_TRUSTED does). This gets to be pretty advanced if
> you're not very well versed in DNS administration.
> 
> 
>

Re: IP whitelist?

Posted by Matt Kettler <mk...@evi-inc.com>.
Ryan L. Sun wrote:
> Do you guys have any idea how to build up an effective and accurate IP
> whitelist?
> Since IPs always cause false positives, I believe an IP whitelist may be
> a good idea.
> 
> Thanks.
> -Ryan
> 

What do you use to call SA?

While the idea is good, any whitelisting at all done inside SA is nothing but a
cheap hack. If at all possible with the tool you use, it's better to skip the
call to SA in the first place than to try to do whitelist_from, or whitelist_ip.

You save CPU, no worries about bayes autolearning the wrong way, etc.


At present the only "easy" way of doing an IP whitelist would be to write a
header rule that's specific to the Received: headers generated by your MTA.

Another way would be to create your own RBL zone on your DNS server, and use
SA's DNSBL features to query that zone and apply negative scores to the "good"
IPs (much like RCVD_IN_BSP_TRUSTED does). This gets to be pretty advanced if
you're not very well versed in DNS administration.
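
The private DNS zone approach suggested in the replies above (a whitelist published as an RBL-style zone and scored negatively by SA), as an added example that is not part of the original thread. The zone name `wl.example.test`, the rule name `RCVD_IN_LOCAL_WL`, the set name, the score and the sample IPs are assumptions; the rule uses a `-firsttrusted` set so that only the relay that handed the mail to your own servers is looked up, not forgeable earlier Received: hops.

```python
import ipaddress

ZONE = "wl.example.test"   # hypothetical zone served by your own DNS server
ANSWER = "127.0.0.2"       # conventional DNSBL "listed" answer
MAX_ADDRS = 256            # refuse to trust anything broader than a /24

def query_name(ip, zone=ZONE):
    """DNSBL-style lookup name: reversed octets prepended to the zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone + "."

def zone_records(trusted, zone=ZONE):
    """Expand trusted hosts/CIDRs into one A record per address.

    Fails closed: malformed entries, CIDRs with host bits set, IPv6 and
    overly broad ranges raise ValueError instead of being listed.
    """
    addrs = set()
    for entry in trusted:
        net = ipaddress.ip_network(entry, strict=True)
        if net.version != 4:
            raise ValueError(f"IPv4 only: {entry}")
        if net.num_addresses > MAX_ADDRS:
            raise ValueError(f"too broad to trust wholesale: {entry}")
        addrs.update(net)          # de-duplicates overlapping entries
    return [f"{query_name(a, zone)} IN A {ANSWER}" for a in sorted(addrs)]

def sa_rule(name="RCVD_IN_LOCAL_WL", zone=ZONE, score=-4.0):
    """SpamAssassin rule text that scores hits in the zone negatively.

    The score is kept modest (assumed value) so a listed relay that gets
    compromised or misconfigured can still be outvoted by other rules.
    """
    if score >= 0:
        raise ValueError("a whitelist rule must carry a negative score")
    return "\n".join([
        f"header   {name} eval:check_rbl('localwl-firsttrusted', '{zone}.')",
        f"describe {name} Relay is listed in the local trusted-sender zone",
        f"tflags   {name} net nice",
        f"score    {name} {score}",
    ])

if __name__ == "__main__":
    # Constructed sample input (documentation address ranges).
    for line in zone_records(["192.0.2.25", "198.51.100.8/31"]):
        print(line)
    print(sa_rule())
```

Because the message still passes through SA and any virus scanner, a listed IP only lowers the spam score; it does not bypass the other checks.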