Whitelisting mechanism in SORBS.

Matthew Sullivan matthew at sorbs.net
Thu Dec 11 04:19:09 UTC 2003

Hi All,

My appologies for the public post, I'd have rather replied to the 
individuals who mailed me in response of a previous post, however time 
has passed and I have a huge inbox, and of course I would like to 
solicit more entries from those interested and just waiting to see what 
it is.

The whitelisting system previously discussed is now nearly 
complete.....  The database and administration interface are indeed 
complete.  I am therefore inviting those who wanted to whitelist to 
submit the following information to me off list:

- ISP Name.
- Email address of primary ISP/company contact incase of issues (bounced 
alerts for your company will go here along with any communication from 
- Out facing IP addresses of your outgoing mailservers (last hop in the 
- Netblocks you wish to receive reports/alerts for. (Plain text CIDR 
format list Minimum /32 maximum /8)
- A list of email addresses where you wish the alerts to go to.

The system works as follows:

For the mailservers:

When spam is received at a spamtrap (automated and/or manual) you will 
have your server listed with a 1 hour TTL, you will be sent a coded URL 
to the nominated alert email addresses.  Using that coded URL you can 
delist your server immediately from the SORBS spam DB (no fine etc).  
The coded URL will timeout after 48 hours, if you have not used the URL 
by this time you will not be able to automatically remove yourself and 
the listing TTL will revert to the default (6 hours for an automated 
listings and 48 hours for a manual listings).  You will receive no more 
than 1 URL per hour per IP address.  The full headers (minus 
desitination email addresses of all spams received relating to a 
particular URL) will be available using the coded URL.  Using the URLs 
to view the headers will not acknowledge the termination of the spammer 
- there is an extra step similar to that in spamcop.

Each whitehat entry has a 'whiteness' value - each expired URL will make 
your whiteness decrease by 1, each time you use a valid URL it will go 
up 1.  If further spam is received from an address to an automated 
spamtrap within 1 hour *after* you have used the URL, and acknowledged 
termination, for that IP your whiteness will decrease by 5.  Using the 
URL and acknowledgement indicates you have identified and stopped the 
flow of spam, if you choose to delist yourself before you stop the flow 
that is considered not whitehat - hence the peanlty when you get caught  
(mail queuing in our system has been thought of and taken care of).  You 
can get a maximum whiteness of 9 and a minimum of -9, for anything below 
1 (ie -8 through 0 inclusive) you will be treated as not whitehat and 
will still get keys and be subject to normal TTLs (6 & 48).  If you get 
to -9 you will be considered blackhat and removed from the system.

For the network lists:

Same principles as the mailserver IP however URLs will expire after 7 
days, and TTLs are 6 hours by default.

Anyone caught listwashing will be removed.

Minimum entry is owning your own /24 (as found in public whois ;-))

Initial 'whiteness' will be 3.

Note: The whitelist/whitehat system is completely independant of the ISP 
reporting system which will provide weekly reports to ISPs/companies 
requesting them.



More information about the NANOG mailing list