Whitelisting mechanism in SORBS.
Matthew Sullivan
matthew at sorbs.net
Thu Dec 11 04:19:09 UTC 2003
Hi All,
My apologies for the public post, I'd have rather replied to the
individuals who mailed me in response to a previous post, however time
has passed and I have a huge inbox, and of course I would like to
solicit more entries from those interested and just waiting to see what
it is.
The whitelisting system previously discussed is now nearly
complete..... The database and administration interface are indeed
complete. I am therefore inviting those who wanted to whitelist to
submit the following information to me off list:
- ISP Name.
- Email address of primary ISP/company contact in case of issues (bounced
alerts for your company will go here along with any communication from
SORBS).
- Out facing IP addresses of your outgoing mailservers (last hop in the
headers).
- Netblocks you wish to receive reports/alerts for (plain-text CIDR
format list, minimum /32, maximum /8).
- A list of email addresses where you wish the alerts to go.
The system works as follows:
For the mailservers:
When spam is received at a spamtrap (automated and/or manual) you will
have your server listed with a 1 hour TTL, and you will be sent a coded URL
at the nominated alert email addresses. Using that coded URL you can
delist your server immediately from the SORBS spam DB (no fine etc).
The coded URL will time out after 48 hours; if you have not used the URL
by this time you will not be able to automatically remove yourself and
the listing TTL will revert to the default (6 hours for automated
listings and 48 hours for manual listings). You will receive no more
than 1 URL per hour per IP address. The full headers (minus
destination email addresses) of all spams received relating to a
particular URL will be available using the coded URL. Using the URLs
to view the headers will not acknowledge the termination of the spammer
- there is an extra step similar to that in spamcop.
Each whitehat entry has a 'whiteness' value - each expired URL will make
your whiteness decrease by 1, each time you use a valid URL it will go
up 1. If further spam is received from an address to an automated
spamtrap within 1 hour *after* you have used the URL, and acknowledged
termination, for that IP your whiteness will decrease by 5. Using the
URL and acknowledgement indicates you have identified and stopped the
flow of spam; if you choose to delist yourself before you stop the flow
that is considered not whitehat - hence the penalty when you get caught
(mail queuing in our system has been thought of and taken care of). You
can get a maximum whiteness of 9 and a minimum of -9; for anything below
1 (i.e. -8 through 0 inclusive) you will be treated as not whitehat and
will still get keys and be subject to normal TTLs (6 & 48). If you get
to -9 you will be considered blackhat and removed from the system.
For the network lists:
Same principles as the mailserver IP however URLs will expire after 7
days, and TTLs are 6 hours by default.
Anyone caught listwashing will be removed.
Minimum entry is owning your own /24 (as found in public whois ;-))
Initial 'whiteness' will be 3.
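The whiteness bookkeeping described above for mailservers, and the netblock variant with its 7-day URL lifetime and 6-hour default TTL, can be read as one small state machine. The following is an added illustration written for this archive page; it is not SORBS code and was not posted by the author. The timing and scoring values (1 hour whitehat TTL, 6/48 hour defaults, 48 hour or 7 day URL lifetime, one URL per hour per IP, +1/-1/-5 adjustments, the [-9, 9] range, initial whiteness 3) come from the post; the event model around them (when the relapse penalty is charged, how an unused URL is swept, the `WhitehatEntry` class and its method names, the opaque token standing in for the coded URL) is this example's own reading of the text.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Values from the post. The event model built around them is an assumption
# made for this example, not a description of the real SORBS implementation.
WHITENESS_MAX, WHITENESS_MIN = 9, -9
INITIAL_WHITENESS = 3
WHITEHAT_THRESHOLD = 1                 # -8..0 inclusive is "not whitehat"
WHITEHAT_TTL = timedelta(hours=1)      # listing TTL while the entry is whitehat
DEFAULT_TTL = {"automated": timedelta(hours=6), "manual": timedelta(hours=48)}
NETBLOCK_TTL = timedelta(hours=6)      # network lists: 6 hours by default
URL_LIFETIME = {"mailserver": timedelta(hours=48), "netblock": timedelta(days=7)}
URL_RATE_LIMIT = timedelta(hours=1)    # at most one coded URL per hour per IP
RELAPSE_WINDOW = timedelta(hours=1)    # automated-trap spam this soon after ack: -5


@dataclass
class Listing:
    ip: str
    kind: str                          # "automated" or "manual" spamtrap
    listed_at: datetime
    expires_at: datetime               # when the listing drops out on its own
    url_expires_at: Optional[datetime] = None   # None once used or expired


class WhitehatEntry:
    """One whitelisted entry: its whiteness score, listings and coded URLs."""

    def __init__(self, entry_type: str = "mailserver") -> None:
        self.entry_type = entry_type   # "mailserver" or "netblock"
        self.whiteness = INITIAL_WHITENESS
        self.removed = False
        self.listings: dict[str, Listing] = {}
        self.tokens: dict[str, str] = {}            # coded URL token -> ip
        self.last_url_at: dict[str, datetime] = {}
        self.acknowledged_at: dict[str, datetime] = {}

    def _adjust(self, delta: int) -> None:
        # Clamp to [-9, 9]; reaching -9 means blackhat and removal.
        self.whiteness = max(WHITENESS_MIN, min(WHITENESS_MAX, self.whiteness + delta))
        if self.whiteness == WHITENESS_MIN:
            self.removed = True

    def status(self) -> str:
        if self.removed:
            return "blackhat"
        return "whitehat" if self.whiteness >= WHITEHAT_THRESHOLD else "not whitehat"

    def _default_ttl(self, kind: str) -> timedelta:
        return NETBLOCK_TTL if self.entry_type == "netblock" else DEFAULT_TTL[kind]

    def is_listed(self, ip: str, now: datetime) -> bool:
        listing = self.listings.get(ip)
        return listing is not None and now < listing.expires_at

    def spam_received(self, ip: str, kind: str, now: datetime) -> Optional[str]:
        """Spamtrap hit for ip: (re)list it and return the coded URL token mailed to
        the alert addresses, or None when the per-IP rate limit suppresses it."""
        ack = self.acknowledged_at.pop(ip, None)
        if kind == "automated" and ack is not None and now - ack <= RELAPSE_WINDOW:
            self._adjust(-5)           # delisted before the flow had really stopped
        ttl = WHITEHAT_TTL if self.status() == "whitehat" else self._default_ttl(kind)
        listing = self.listings.get(ip)
        if listing is None:
            listing = Listing(ip, kind, now, now + ttl)
            self.listings[ip] = listing
        elif now >= listing.expires_at:  # relisted after dropping out; keep a live URL
            listing.kind, listing.listed_at, listing.expires_at = kind, now, now + ttl
        last = self.last_url_at.get(ip)
        if last is not None and now - last < URL_RATE_LIMIT:
            return None
        token = secrets.token_urlsafe(16)          # stands in for the coded URL
        self.tokens[token] = ip
        self.last_url_at[ip] = now
        listing.url_expires_at = now + URL_LIFETIME[self.entry_type]
        return token

    def use_url(self, token: str, now: datetime) -> bool:
        """The ISP follows the coded URL and acknowledges termination: immediate
        delisting and +1 whiteness. Returns False for unknown or expired tokens."""
        ip = self.tokens.pop(token, None)
        listing = self.listings.get(ip) if ip else None
        if listing is None or listing.url_expires_at is None or now > listing.url_expires_at:
            return False
        del self.listings[ip]
        self.acknowledged_at[ip] = now
        self._adjust(+1)
        return True

    def sweep(self, now: datetime) -> list:
        """Expire unused coded URLs: -1 whiteness each, and the listing reverts to
        the default TTL for its kind instead of the whitehat TTL."""
        expired = []
        for ip, listing in self.listings.items():
            if listing.url_expires_at is not None and now > listing.url_expires_at:
                listing.url_expires_at = None
                listing.expires_at = max(listing.expires_at,
                                         listing.listed_at + self._default_ttl(listing.kind))
                self._adjust(-1)
                expired.append(ip)
        self.tokens = {t: i for t, i in self.tokens.items() if i not in expired}
        return expired
```

Driving it with a short timeline (spam received, URL used two hours later, a second trap hit thirty minutes after acknowledgement, then an unused URL left past 48 hours) shows the entry moving from whiteness 3 to 4, dropping to -1 and "not whitehat", and then to -2, which is the sequence of adjustments the post spells out.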
Note: The whitelist/whitehat system is completely independent of the ISP
reporting system which will provide weekly reports to ISPs/companies
requesting them.
Yours
Matthew
More information about the NANOG mailing list