Four characteristics of a good whitelist
Written by John P Mello Jr on May 27, 2010
Since spam has reared its ugly head on the Internet, its antagonists have waged an uphill struggle to block its arrival in inboxes. That battle, though, has remained largely reactive. White Hats expend enormous amounts of energy to extinguish the latest fire set by spammers so that good mail can make it to its destination unsinged. Much of that energy could be saved, however, if spam fighters focused their efforts on what’s good in the email stream instead of what’s bad. They can do that with whitelists.
In its simplest form, a whitelist is a set of email addresses that have been verified as belonging to entities from whom you want to receive email. It’s by no means a panacea. Spammers have been known to spoof email addresses that may well be on a whitelist. Nevertheless, with estimates of the amount of spam on the Internet in the 80 to 95 percent range, concentrating on the five to 20 percent of “good” mail seems, on the face of it, an easier task than taking up arms against a horde of bad mail.
What are some of the things you should look for when adding whitelists to your anti-spam arsenal?
- You’ll want the whitelist to augment itself automatically. You already have enough things to do without adding vetting email addresses for a whitelist to your to-do list.
When evaluating a solution that automatically creates whitelists, you’ll want to carefully review how it verifies its content. To do that, it will need to vet both the source and sender of email messages.
Some common source tests are sender system and familiarity tests. Sender system tests examine servers sending email to see if they behave as email servers. That is, they can both send and receive email. Familiarity tests review messages to see if their senders have sent “good” messages to your organization in the past.
Some common address tests include checking outbound mail to the source of a message, comparing addresses from sources to existing contact lists on your system and requiring a source to authenticate their address through a confirmation request.
Of course, no matter how efficient an automated solution may be, you’ll still want the power to manually alter the whitelist to correct any glitches in the system.
- You’ll want your whitelist solution to be dynamic. Source and address tests need to be constantly and quickly applied to your email stream. It’s the only way to minimize “false positives” created by the list and to ensure the best experience for your users.
- You’ll want a system that makes it easy for good guys to join. Any system that makes senders jump through hoops to authenticate their identity won’t buy you any good will from them, from your users or from your organization. If your system has a challenge-response component, you’ll want to keep the challenge message simple and the response simpler.
- You’ll want to make it hard for the bad guys to join the club. Actually, that’s easier than you might think. That’s due to the nature of the spam beast. For example, simple challenge-response measures can be very effective in weeding out bad guys. Why? It requires spammers to give up their anonymity. When you’re doing something illegal, anonymity isn’t something you want to part with very readily. It also adds to their workload. They don’t want to be dealing with individual messages. They’re interested in mass mailings–even though the cumulative effect of those individual messages may be harmful to their mass mail strategy. What’s more, spamming is mostly a one-way street. Spam servers know how to dish out the dirt, but they’re a dead end for incoming email.
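As an added illustration (not code from the article or from any product), the sketch below combines three of the address tests described above (existing contacts, outbound mail, and a confirmation request) with the manual override. The class, its method names, and the sample addresses are all hypothetical, and the familiarity and sender-system tests are left out.

```python
import hashlib
import hmac
import secrets


class AutoWhitelist:
    """Self-augmenting whitelist; every name here is hypothetical."""

    def __init__(self, contacts=(), key=None):
        self._key = key or secrets.token_bytes(32)
        self.allowed = {self._norm(a) for a in contacts}  # contact-list test
        self.denied = set()  # manual corrections always win
        self.held = {}       # sender -> messages awaiting confirmation

    @staticmethod
    def _norm(addr):
        return addr.strip().lower()

    def _token(self, sender):
        # Keyed MAC bound to the address: only someone who actually
        # received the challenge at that address can answer it.
        return hmac.new(self._key, sender.encode(), hashlib.sha256).hexdigest()

    def record_outbound(self, recipient):
        """Outbound-mail test: people our users write to are wanted senders."""
        self.allowed.add(self._norm(recipient))

    def receive(self, sender, message):
        """Return (action, token): 'deliver', 'reject' or 'challenge'."""
        s = self._norm(sender)
        if s in self.denied:
            return "reject", None
        if s in self.allowed:
            return "deliver", None
        self.held.setdefault(s, []).append(message)  # hold, do not drop
        return "challenge", self._token(s)

    def confirm(self, sender, token):
        """Confirmation answered: whitelist the sender, release held mail."""
        s = self._norm(sender)
        if s in self.denied or s not in self.held:
            return []
        if not hmac.compare_digest(token.encode(), self._token(s).encode()):
            return []
        self.allowed.add(s)
        return self.held.pop(s)

    def manual(self, sender, allow):
        """Administrator override to correct glitches in the automated list."""
        s = self._norm(sender)
        (self.allowed if allow else self.denied).add(s)
        (self.denied if allow else self.allowed).discard(s)
```

The lookup trusts the sender address it is given, so a spoofed address that matches a whitelisted entry still passes, which is the limitation the article notes earlier.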
Whitelists can be an effective tool for fighting spam in an organization and freeing up resources that get sucked up by more reactive weapons used to combat Internet scat. Just how effective? A study by three Stanford University professors revealed that whitelists can be very effective. They reported that “we find that almost no spam makes it to users’ inboxes, and less than one percent of legitimate email is mis-classified.”
“It is interesting to note that this is achievable on a simple prototype system with significantly less engineering effort than is devoted to creation of spam filters,” they added. “But this shouldn’t be surprising: like a buddy-list in IM, a whitelist tries to precisely identify the people we communicate with, or who we allow to send us email. Unless we make a mistake, we will not allow a spammer to send us email.”
“We should expect a well-engineered whitelisting email service to behave almost perfectly,” they asserted.



August 17th, 2010 at 11:57 pm
Great article, Jon.
Do you know of a consumer provider that provides automatic whitelist augmentation.
I haven’t been able to find one. This would be a great complement to Gmail, which does currently provide a way to create a whitelist off of contacts.
August 17th, 2010 at 11:59 pm
Correction. My post meant to say:
“Great article, John.
Do you know of a consumer provider that provides automatic whitelist augmentation?
This would be a great complement to Gmail, which doesn’t currently provide a way to manage a large whitelist easily.”