Spamhaus launches antispam whitelist to end spam false positives

With the coming of IPv6 and the prospect of billions more IPs that could drown any hopes of spam blacklisting, the Spamhaus Project has launched a whitelist campaign for the most trusted organisations.

The Spamhaus Project, an antispam organisation and non-profit, has launched a new service that aims to create a global whitelist of trustworthy email sources. The move is intended to help reduce spam false positives in email filters and cut down the amount of work the filters have to do.

Up to now, Spamhaus has focused on building blacklists of known email spammers, and, according to the organisation, its lists are used by 75% of Internet networks worldwide, including ISPs, corporate mail servers, and almost all the major free email providers.

With the new antispam whitelist service, Spamhaus aims to build a list of trusted email sources that can be allowed through email filters without analysis, thereby delivering email faster. It is designed to enable special and priority handling by mail servers of important mail from senders who are extremely unlikely to send spam.

Spamhaus said it intends the whitelist to be used for mail from qualified organisations such as banks, accounting firms, law firms, airlines, medical centres, government agencies, as well as transactional mail from automated billing systems, ecommerce servers, online banking and booking systems. The system, Spamhaus said, excludes mail servers used by third parties or bulk senders.

According to Spamhaus, one driver for the new service is the arrival of IPv6, or Internet Protocol version 6, the next-generation protocol that will allow more addresses on the Internet.

"Once IPv6 mail starts flowing in earnest, the volume of IPv6 spam -- in particular the potential volume of sources that can send spam in IPv6 -- risks overwhelming current filter technologies," Spamhaus said in a statement on its website. "Blocklists designed to store millions of bad IP addresses suddenly need to cope with potentially billions of bad IP addresses. Yet legitimate mail servers in the world number only a few hundred thousand. It thus becomes sensible to identify and single out the few hundred thousand to let past unimpeded."

The domain element of the Spamhaus whitelist enables receivers to automatically certify -- using DomainKeys Identified Mail digital signatures -- that messages are really from the sender and that the sender is not a spammer.

This could allow messages to pass through the spam filter with no further processing, or at least, make it easier to score messages' trustworthiness.

During the launch period, Spamhaus is inviting trusted companies to apply to join the whitelist for free; those companies will be able to invite other organisations they trust to apply for the service as well. Those invited organisations will receive a free account for a year. After December 2010, other organisations will be able to apply for the whitelist service, for around $250 a year. Fee details will be published soon.

The whitelist will specifically exclude any IP address that is a source of bulk email, such as email service providers, ISP customer mail relays and mail servers used by third parties, and all bulk mailing list servers and services. The whitelist service is only available for companies with their own mail servers.

If companies on the whitelist want to send out marketing emails, they will need to separate those from their transactional traffic. This means that an IP address on the whitelist must only send transactional (not unsolicited) email. Any companies that break the rules by sending out unsolicited email from a whitelisted IP address will immediately be taken off the whitelist. It is not yet clear whether a company taken off the list would be able to reapply for an account.

Ed Rowley, a senior technical consultant at Orange, Calif.-based M86 Security Inc., a specialist in email and Web security, welcomed the development: "It's a very good idea, and anything that will help manage spam is a bonus."
