Some White Listing Essentials

If you have been white listed with a particular operator, it means that the email you send always gets through. No more getting caught in spam filters! But how do you accomplish this goal? Keep reading.

"Reputation is everything; guard it with your life."
Robert Greene

In a previous article I wrote about aligning yourself with block lists, specifically how to avoid being tagged a spammer. Since then I have discovered that most white lists have certain things they look for, and if you discover that most of your clients are with a small number of operators, then it is always better to be on their list of acceptable email senders. In the earlier article I talked about things to avoid so that you will not be considered a spammer; here I will talk about things to do so that if you apply to be on a white list (list of acceptable senders to a particular ESP/ISP) you will be accepted in an expedited fashion.

Email Techniques in Brief

Ideally, if you don’t out source your email creation and sending, you should have a single person responsible for your email campaign. Other individuals in your organization should act as members of your email team. But if you send a large number of emails you will have problems ranging from the technical (unsubscribe requests are not being obeyed) to the human (somebody blacklisting your IP address).

Not having a single person responsible for your email activities will cause conflict when difficult situations arise, and if a major mistake was made, there will be nobody accountable for correcting it and making sure it does not happen again. There are as many white lists as there are web mail providers, and in some cases some DNSBL also offer DNSWL services (WL for White list), for example MAPS (mail abuse prevention systems).

You want to be an accepted member of these various white lists. To do this you must be perceived in a certain way and pass certain requirements (some of them quite stringent). Let’s take a look at some models I came across while researching this topic.

Note the above phrase carefully; it is extremely important to white lists. It simply means the level of trust the white list can confer to you, given your past behavior and records. In certain cases, they even share your trust level with individuals who ask. According to www.dnswl.org there are four basic trust levels.

  • High Trust Level: Never sends spam.
  • Medium Trust Level: Extremely rare spam occurrences, corrected promptly.
  • Low Trust Level: Occasional spam occurrences, actively corrected but less promptly.
  • No Rating Whatsoever: Legitimate mail server, may also send spam.

The above model is based on input by a team of volunteers. There is no fixed protocol. It is basically based on past performance and the web site which sends email has little or no input in changing its trust level.

Sending an email    Diagram Source: www.wikipedia.org

Email Verification chart   Diagram Source: www.wikipedia.org

The above is simply another name for white listing; it is rapidly going to become more important though as the big web mail providers are putting their weight behind it. It simply means the email service providers and also the big ISPs will not accept an email from senders which are not on a white list. Web sites like Yahoo and Microsoft (Hotmail) are throwing their support behind these email acceptance protocols. As time goes on, if it catches on, other web sites will definitely join the band wagon.

Who Decides What Gets Seen and What Doesn’t?

Right now, every site polices itself. Some use white lists, some use block lists. For small operators it is better to band together in groups and use block lists to screen emails sent to their web sites. Some individuals believe that this arbitrary banding up is unfair (who polices the police?). But if the ESPs have their way, it will definitely get worse, and it may be compulsory to be a member of one white list or another to get your emails delivered.

According to the book New Rules for the New Economy, there is also a numbers based system based on whether the email sender shares the subscriber’s email address with other parties. This was in the late nineties and not many models seem to use this method, though it has to be said here that buying a list is a bad idea and may result in a lot of spam and/or unsubscribe requests.

Filters

Most ESPs filter viruses strictly (they screen ALL emails for viruses), but are more lax on the above trust level filters. Still, most ESPs check all not-rated IP addresses for spam and skip medium and high rated IP addresses; unless it is a major ISP/ESP they also skip checking black lists for all rated IP addresses. Obviously it is a good idea to run over to dnswl.org and get rated. Medium and Low trust level sites will get through an ISP, but if spam is reported by the clients, the sender is expected to purge his/her list of address that did not specifically request emails.

Note this difference between a white listed sender and a sender that is simply tagged as a “spammer” by a DNSBL. A white listed sender can send spam and will just get a note from the ESP asking for the error to be corrected; an unknown sender who does not respond to authentication requests and who sends spam is flagged as a spammer. Basically the listing is all about relationships.

If it is not known whether a sender is a spammer or not, the sender is grey listed by the ESP or ISP. A request may be sent to the sender asking for some form of authentication. This may be combined with some reverse DNS look up of the sender’s connecting  IP address.

Administrators who have experience with spam in emails use certain rules when processing a white listing request. They follow these rules to make sure that a spammer does not get a white list rating. If you are registered with a basic web hosting package (since all the IP does is check the IP address) you should have no problems with passing a white list query from a client to a DNSWL. Note that if your site is not black listed, then it is white listed if it has been checked before. If it has not been checked before, it appears on the list after it has been checked. A site that has not been checked before is grey listed and may receive confirmation requests from the receiving ISP administrator.

Armed with an IP address and a client request, the admin first checks the sender domain to see whether or not it is forged, since spammers like varying their return address domain names. This is done using SPF or Sender Policy Framework, and is an extension of SMTP which by default gives power to spammers who are sending from a forged address; note that Simple Mail Transfer Protocols allow anybody to forge a return address (the design is basically outdated and should be changed). With SPF the sender specifies which servers are authorized to send mail, so a web admin checks the sender policy of the domain from which the information is sent and if the sent email does not comply with the sender’s policies the email is treated as being from a spammer and the “white list” request is rejected.

So if Messrs Spam sends an email claiming to be genius@Whois.com and asks to be white listed for all Jungle.com users, Jungle’s admin checks Whois sender’s policy (after verifying that whois is a real site), and if he notices that only so and so public domain is allowed to send emails but this comes from Spam and not public domain, s/he rejects the whitelist request, since it isn’t really from whois. The above method does not work if Whois.com has compromised machines or if the spammer is actually an account holder on whois.com (but this leaves a trail for the spammer to be tracked).

Other Procedures

Other means of authenticating include SenderID and DomainKeys. DomainKeys checks emails by verifying the digital signature on the email as opposed to SPF’s method of simply querying the sender’s server to check whether the sender ID is one of the servers tagged as mail servers.

Protect Your Turf

If you want to be sure that some spammer does not start using your server to start sending mail (and you have never bothered to separate your mail sending servers from the rest), it is best to block your non-mail-sending servers, if none of your servers send mail. Then simply say so in your DNS records. Note that this blocking is voluntary but once it is done, the only thing you should be watching out for is that there are no open ports in your mail server that a hacker can use to gain access to your mail server.

Third Party Senders

Some agencies forward emails from various IPs. This third party throws a cog into authentication procedures. Since only their IP addresses are contained in the message, this gives procedures such as SPF and Sender ID problems when dealing with them. Most third party senders are trusted by the ESPs to verify that the senders are not spammers before sending their mails. Forwarders will however have their mail bounced back to them (not the sender) if it is discovered that their mails are spam, and are in turn obligated to bounce it back to the sender. Email authentication is a big deal. It is a good idea not to take white listing for granted, and it will definitely get more important as time goes on.

Sending an email through a third party     Diagram Source: www.wikipedia.org

Google+ Comments

Google+ Comments