> From: John Leslie <john@xxxxxxx>

> ...
> This is where I must disagree. Whitelisting something as easily
> forged as the From address is simply wrong -- and if it is published
> rule, we're sure to see spammers forging whitelisted From addresses
> as their standard operating practice.

As is true of many theories about what spammers do or will do, practice differs from (simplistic) theory. In the real world, whitelisting by sender works fine and is not abused often enough to matter. Whether it works today because it is rarely used is a secondary issue good for no more than trying to predict the future.

Yes, I know that spammers often forge source addresses. I get more than my fair share of demands from lusers that I unsubscribe them from this or that stream of porn or other offensive spam. Nevertheless, such problems are trivial in this context.

That reasoning involves a second error common to IETF talk about spam and mailing list noise. It is the academic pretense that all failures are of equal gravity and completely unacceptable. In this case, the failure mode that supposedly makes whitelisting by sender unacceptable is merely leaking a little spam.

> If, OTOH, Vernon would like to whitelist the combination of From
> address and IP address of the sending SMTP server, that could be a
> very worthwhile practice, virtually immune to spammer forging.

If you mean manual whitelisting, that sounds good in theory, but fails in practice. I've experience with various sorts of whitelisting, because the DCC depends on whitelists to distinguish solicited from unsolicited bulk mail. Whitelisting by IP address fails in practice because so much bulk mail comes from so many different and changing SMTP clients. For an example at the small end of the spectrum of bulk mail sources, I've had to regularly change the whitelisting for IETF mailings. Bigger legitimate bulk mailers often have too many SMTP clients for outsiders to count, not to mention manually whitelist. You must find other ways to whitelist them.

However, whitelisting bulk mail by IP address is trivial compared to whitelisting private mail by IP address. I use greylisting (see http://www.dcc-servers.net/dcc/greylist.html ) which can be described as automated whitelisting by the triple (sender,sender-IP-address,target). It works well, but only because it is automated and it uses 4yz soft failures. Many ISPs start sending a single message from one IP address and switch to another after a few minutes--lather and repeat for up to half a dozen different IP addresses for a single message. It would be hopeless to try to manually whitelist the IP addresses used by customers of such ISPs. The ISPs that do this sort of thing are among the largest.

Vernon Schryver    vjs@xxxxxxxxxxxx
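
The automated whitelisting by the triple (sender, sender-IP-address, target) described in the message above, as an added example that is not part of the original message and is not the DCC's own code: a minimal in-memory greylist that answers with a 4yz soft failure until a triple has been retried. The class name, the timing values and the sample addresses are assumptions constructed for illustration; the last attempt shows that a retry from a different IP address is a new triple and is embargoed again.

```python
import time

class Greylist:
    """Minimal in-memory greylist keyed on (sender, client IP, recipient)."""

    def __init__(self, embargo=270, wait=7 * 86400, white=63 * 86400):
        # Assumed timings in seconds: minimum delay before a retry counts,
        # how long an unconfirmed triple is remembered, and how long a
        # confirmed triple stays whitelisted after its last use.
        self.embargo, self.wait, self.white = embargo, wait, white
        self.seen = {}  # triple -> (first_seen, last_seen, passed)

    def check(self, sender, client_ip, rcpt, now=None):
        """Return the SMTP reply code for this delivery attempt: 451 or 250."""
        now = time.time() if now is None else now
        key = (sender.lower(), client_ip, rcpt.lower())
        entry = self.seen.get(key)
        if entry:
            first, last, passed = entry
            # Confirmed triples age from last use, pending ones from first sight.
            expired = (now - last > self.white) if passed else (now - first > self.wait)
            if expired:
                entry = None  # record expired; treat as a new triple
        if entry is None:
            self.seen[key] = (now, now, False)
            return 451  # 4yz soft failure: a real MTA queues and retries
        first, last, passed = entry
        if passed or now - first >= self.embargo:
            self.seen[key] = (first, now, True)
            return 250  # retried after the embargo: triple is whitelisted
        self.seen[key] = (first, now, False)
        return 451  # retried too soon; still embargoed

def demo():
    """Replay constructed delivery attempts (documentation addresses only)."""
    g = Greylist()
    s, r = "alice@example.org", "bob@example.net"
    return [
        g.check(s, "192.0.2.10", r, now=0),     # first attempt
        g.check(s, "192.0.2.10", r, now=60),    # retry inside the embargo
        g.check(s, "192.0.2.10", r, now=600),   # retry after the embargo
        g.check(s, "192.0.2.10", r, now=5000),  # later mail, same triple
        g.check(s, "192.0.2.11", r, now=5100),  # same sender, different IP
    ]

if __name__ == "__main__":
    print(demo())
```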