Posted to users@spamassassin.apache.org by "J.D. Falk" <jd...@cybernothing.org> on 2009/12/15 00:58:35 UTC

hacking whitelists (was Re: [sa] RE: emailreg.org - tainted white list)

On Dec 14, 2009, at 1:35 PM, Charles Gregory wrote:

> I ask again, on the issue of whitelists, is there a serious issue with spammers targeting white-listed IPs as favored candidates for hacking?
> I'm okay with the answer being 'no'. I'm sure people with large servers and good statistics could answer this question. But I get no answer at all. I don't think it is because of any conspiracy. But perhaps the people who know are just too busy?

We're fairly certain the bad guys haven't been targeting whitelists (ours, or others) -- yet.  Occasionally some spam will come from a whitelisted IP after a server gets infected, but then that IP doesn't stay whitelisted for very long -- and there's no proof that the botnet operator had any idea the IP was whitelisted.

Besides, there's not all that much value for them.  When the big ISPs use whitelists like ours, they'll give IPs on the list a lot of leeway -- but not a free pass forever.  There are still volume limits (though higher than for non-whitelisted IPs), and they're still watching complaint rates.  If there's a problem, they'll let us know.

It's very similar to how SpamAssassin uses whitelists: enough points are subtracted to override /some/ spam rules, but not all.  When a message is extremely spammy, the whitelist won't be enough to rescue it.  And that's how it should be.

All that said, I think it's only a matter of time until the bad guys DO intentionally go after whitelisted IPs, or (worse) whitelisting services.  We'll detect if spam suddenly starts coming from any IP we're monitoring, and it won't stay whitelisted for long -- that's the core of our program.  We've also put a lot of effort into the security of our own systems.  I've been involved with computer security issues for too long to say it could never ever happen, but I can say we're always watching.

--
J.D. Falk <jd...@returnpath.net>
Return Path Inc
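The scoring behaviour described in the message above (a whitelist subtracts a fixed number of points, so it rescues mildly spammy mail but not extremely spammy mail) and the "it won't stay whitelisted for long" monitoring from the last paragraph, as an added example in Python. This is not SpamAssassin's code and not Return Path's monitoring system; the rule names, scores, threshold, whitelist credit, complaint-rate limit and traffic figures are all constructed for illustration.

```python
"""Model of additive spam scoring with a bounded whitelist credit, plus a
monitor that delists a sending IP once its complaint rate spikes.

Everything here is constructed for illustration: the rule names and scores
are not SpamAssassin's real values, and the complaint-rate limit is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

THRESHOLD = 5.0          # at or above this total the message is classed as spam
WHITELIST_CREDIT = -5.0  # fixed negative score for a whitelisted sending IP (assumed)

# Constructed rule scores (not SpamAssassin's actual scores).
RULE_SCORES = {
    "HTML_MESSAGE": 0.1,
    "MISSING_DATE": 1.4,
    "FREEMAIL_REPLYTO": 1.0,
    "DEAR_SOMETHING": 2.0,
    "SUBJ_ALL_CAPS": 1.5,
    "URI_PHISH": 3.0,
    "DRUGS_ERECTILE": 2.2,
    "BAYES_99": 3.5,
    "ADVANCE_FEE_3_NEW": 2.9,
}

# Two constructed messages, expressed as the rules they hit.
MILD_HITS = ["HTML_MESSAGE", "MISSING_DATE", "FREEMAIL_REPLYTO",
             "DEAR_SOMETHING", "SUBJ_ALL_CAPS"]                      # 6.0 points
EXTREME_HITS = ["URI_PHISH", "DRUGS_ERECTILE", "BAYES_99", "ADVANCE_FEE_3_NEW",
                "DEAR_SOMETHING", "SUBJ_ALL_CAPS", "MISSING_DATE"]   # 16.5 points


def score_message(rule_hits, whitelisted):
    """Return (total_score, is_spam).

    The whitelist is just one more additive rule with a negative score, not a
    bypass: it can absorb at most |WHITELIST_CREDIT| points of spamminess, so
    a message that trips many rules is still classed as spam.
    """
    total = sum(RULE_SCORES[rule] for rule in rule_hits)
    if whitelisted:
        total += WHITELIST_CREDIT
    total = round(total, 2)
    return total, total >= THRESHOLD


@dataclass
class Batch:
    delivered: int
    complaints: int


class WhitelistMonitor:
    """Keep an IP whitelisted only while each observed batch of its traffic
    stays under a complaint-rate limit. Rates are checked per batch rather
    than cumulatively, so a long clean history cannot mask a sudden spike."""

    def __init__(self, ips, max_complaint_rate=0.001, min_sample=1000):
        self.whitelisted = set(ips)
        self.max_complaint_rate = max_complaint_rate   # 0.1% (assumed limit)
        self.min_sample = min_sample                   # ignore tiny, noisy batches
        self.history = defaultdict(list)

    def observe(self, ip, delivered, complaints):
        """Record one batch of traffic; delist the IP if the batch is abusive.
        Returns whether the IP is still whitelisted afterwards."""
        self.history[ip].append(Batch(delivered, complaints))
        if ip in self.whitelisted and delivered >= self.min_sample:
            if complaints / delivered > self.max_complaint_rate:
                self.whitelisted.discard(ip)
        return ip in self.whitelisted

    def is_whitelisted(self, ip):
        return ip in self.whitelisted


def demo(ip="192.0.2.10"):
    """Walk a whitelisted IP (RFC 5737 documentation address) through a clean
    day, then a day on which the box has been compromised and is spamming."""
    monitor = WhitelistMonitor({ip})
    day1 = monitor.observe(ip, delivered=50_000, complaints=5)     # 0.01%: fine
    day2 = monitor.observe(ip, delivered=50_000, complaints=900)   # 1.8%: delisted
    # Once delisted, even the mild message gets no credit and is scored as spam.
    mild_after = score_message(MILD_HITS, monitor.is_whitelisted(ip))
    return {"day1_whitelisted": day1, "day2_whitelisted": day2,
            "mild_after": mild_after}


if __name__ == "__main__":
    print("mild, not whitelisted:", score_message(MILD_HITS, False))
    print("mild, whitelisted:    ", score_message(MILD_HITS, True))
    print("extreme, whitelisted: ", score_message(EXTREME_HITS, True))
    print(demo())
```

The two pieces are deliberately independent: the scorer treats the whitelist as a capped credit, and the monitor revokes that credit on evidence of abuse, which together give the "leeway but not a free pass" behaviour the message describes.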