spam filtering software

 

Spam Blacklist / Whitelist filter

Blacklist

Blacklisting is a simplistic method of blocking spam. Not to be confused with Realtime Blacklists (RBLs), a blacklist is simply a list of From addresses that you consider to be sources of spam. Each incoming email has a From header, which is tested against the blacklist. If there is a match, the email is considered spam and, depending on the anti-spam software you use, can be blocked immediately or somewhere downstream.

Blacklisting is an ineffective tool for filtering spam because spammers can so easily spoof the From header. It does have its place in an overall anti-spam strategy, though. Many administrators are forced into using a blacklist because spam is getting through the filters and because the boss isn't technical enough to understand why blacklisting is a major waste of time. Instead, the poor admin wastes many hours building enormous blacklists that tax the system's resources and do little, if any, good.

A better response to spam getting through the filter is to analyze the spam score headers of a handful of sample spams and identify what steps should be taken to tweak and tune the filter into being more effective, without the futile effort of building a blacklist.

As mentioned, a blacklist does have its role in an overall spam blocking strategy. Often, the source of a spam is a list or newsletter that you might have once subscribed to, or perhaps you accidentally agreed to accept a newsletter when purchasing something online, or any number of other things. The "one man's ham is another man's spam" rule applies here. And often these mailing lists do not honor their own unsubscribe policy.

In this case, the From header is usually static because it comes from a real, even legitimate entity (despite not enforcing its own unsubscribe policy). Blacklisting in this scenario is a perfectly good and valid use of a blacklist. But take note of your anti-spam software. Some systems don't blacklist based on the From header but on the Reply-To or the envelope header. Check your documentation.

Whitelist

Whitelisting is another matter altogether. Whitelisting means that any email from a particular address is trusted and should never be considered spam. Critical customers or other critical sources of email should be whitelisted to avoid being blocked.

Spampits can become very full very quickly on a busy spam filter. An email from a critical source that gets caught in the spampit also has a good chance of being passed over during the administrator's daily audit of the spampit, when it is checked for false positives. So be sure to whitelist any critical source email addresses or domains.
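
The Python sketch below is an added example, not code from any particular anti-spam product. It tests a blacklist and a whitelist against the From header, the Reply-To header, or the envelope sender, to show why the Blacklist section says to check which one your filter consults and how a whitelisted domain overrides everything else. All function names, addresses, and messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def _listed(addr, entries):
    """True if the address or its domain appears in entries."""
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    return bool(addr) and (addr in entries or domain in entries)

def sender_identities(raw, envelope_from):
    """Return the three sender identities a filter might test."""
    msg = message_from_string(raw)
    return {
        "from": parseaddr(msg.get("From", ""))[1],
        "reply-to": parseaddr(msg.get("Reply-To", ""))[1],
        "envelope": parseaddr(envelope_from)[1],
    }

def classify(raw, envelope_from, blacklist, whitelist, check=("from",)):
    """Whitelist wins over blacklist; only identities in `check` are tested."""
    ids = sender_identities(raw, envelope_from)
    tested = [ids[k] for k in check]
    if any(_listed(a, whitelist) for a in tested):
        return "whitelisted"
    if any(_listed(a, blacklist) for a in tested):
        return "blacklisted"
    return "unlisted"

# Constructed sample data; the example.* names are placeholders.
BLACKLIST = {"news@lists.example.com"}   # newsletter that ignores unsubscribes
WHITELIST = {"customer.example.org"}     # critical customer, whole domain

NEWSLETTER = "From: Deals <news@lists.example.com>\nSubject: Offers\n\nhi\n"
NEWSLETTER_ENV = "bounce-77@bounces.lists.example.com"
SPOOFED = "From: Deals <x91@random.example.net>\nSubject: Offers\n\nhi\n"
CUSTOMER = "From: Ann <ann@customer.example.org>\nSubject: PO 1\n\nhi\n"

if __name__ == "__main__":
    # Static From address: the blacklist entry matches.
    print(classify(NEWSLETTER, NEWSLETTER_ENV, BLACKLIST, WHITELIST))
    # Same message, but the filter only looks at the envelope sender: no match.
    print(classify(NEWSLETTER, NEWSLETTER_ENV, BLACKLIST, WHITELIST,
                   check=("envelope",)))
    # Changing From address: a From blacklist never catches up.
    print(classify(SPOOFED, "x91@random.example.net", BLACKLIST, WHITELIST))
    # Whitelisted domain is trusted regardless of anything else.
    print(classify(CUSTOMER, "ann@customer.example.org", BLACKLIST, WHITELIST))
```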