North American Network Operators Group


Whitelisting mechanism in SORBS.

  • From: Matthew Sullivan
  • Date: Wed Dec 10 23:21:38 2003


Hi All,

My apologies for the public post, I'd have rather replied to the individuals who mailed me in response to a previous post, however time has passed and I have a huge inbox, and of course I would like to solicit more entries from those interested and just waiting to see what it is.

The whitelisting system previously discussed is now nearly complete..... The database and administration interface are indeed complete. I am therefore inviting those who wanted to whitelist to submit the following information to me off list:

- ISP Name.
- Email address of primary ISP/company contact in case of issues (bounced alerts for your company will go here along with any communication from SORBS).
- Outward-facing IP addresses of your outgoing mailservers (last hop in the headers).
- Netblocks you wish to receive reports/alerts for (plain-text CIDR-format list; minimum /32, maximum /8).
- A list of email addresses where you wish the alerts to go to.

The system works as follows:

For the mailservers:

When spam is received at a spamtrap (automated and/or manual) your server will be listed with a 1 hour TTL, and a coded URL will be sent to the nominated alert email addresses. Using that coded URL you can delist your server immediately from the SORBS spam DB (no fine etc). The coded URL will time out after 48 hours; if you have not used the URL by this time you will not be able to automatically remove yourself and the listing TTL will revert to the default (6 hours for automated listings and 48 hours for manual listings). You will receive no more than 1 URL per hour per IP address. The full headers (minus destination email addresses) of all spams received relating to a particular URL will be available using the coded URL. Using the URLs to view the headers will not acknowledge the termination of the spammer - there is an extra step similar to that in SpamCop.

Each whitehat entry has a 'whiteness' value - each expired URL will make your whiteness decrease by 1, and each time you use a valid URL it will go up by 1. If further spam is received from an address at an automated spamtrap within 1 hour *after* you have used the URL and acknowledged termination for that IP, your whiteness will decrease by 5. Using the URL and acknowledgement indicates you have identified and stopped the flow of spam; if you choose to delist yourself before you stop the flow that is considered not whitehat - hence the penalty when you get caught (mail queuing in our system has been thought of and taken care of). You can get a maximum whiteness of 9 and a minimum of -9; for anything below 1 (i.e. -8 through 0 inclusive) you will be treated as not whitehat and will still get keys but be subject to normal TTLs (6 & 48). If you get to -9 you will be considered blackhat and removed from the system.

For the network lists:

Same principles as for the mailserver IPs; however, URLs will expire after 7 days, and TTLs are 6 hours by default.

Anyone caught listwashing will be removed.

Minimum entry is owning your own /24 (as found in public whois ;-))

Initial 'whiteness' will be 3.

Note: The whitelist/whitehat system is completely independent of the ISP reporting system, which will provide weekly reports to ISPs/companies requesting them.

Yours

Matthew
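The whiteness scoring, coded-URL and TTL rules described in the post above, written out as a small executable model. This is an added example, not SORBS's own code: the class and function names, the HMAC-based token format for the coded URL, and the behaviour when an IP is relisted inside the one-URL-per-hour window (it is relisted at the default TTL without a fresh key) are assumptions made here; the numeric thresholds (initial 3, range -9..9, -1 per lapsed URL, +1 per acknowledged URL, -5 for a relapse within an hour, 48-hour keys for mailservers and 7-day keys for netblocks, 6/48-hour default TTLs) come from the post.

```python
"""Model of the SORBS whitehat scoring and listing-TTL rules from the post.
Added example, not SORBS code: names, the HMAC token format and the
'relist without a fresh key' behaviour are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

HOUR = 3600
WHITENESS_INITIAL, WHITENESS_MAX, WHITENESS_MIN = 3, 9, -9
WHITEHAT_THRESHOLD = 1                        # whiteness below 1: not treated as whitehat
KEY_LIFETIME = {"mailserver": 48 * HOUR, "network": 7 * 24 * HOUR}
DEFAULT_TTL = {"automated": 6 * HOUR, "manual": 48 * HOUR}
WHITEHAT_TTL = 1 * HOUR                       # listing TTL while a whitehat holds a live key
KEY_RATE_LIMIT = 1 * HOUR                     # at most one coded URL per hour per IP
RELAPSE_WINDOW = 1 * HOUR                     # more spam to an automated trap within 1h of ack: -5


def make_key(secret: bytes, ip: str, listed_at: int) -> str:
    """Coded-URL token: HMAC-SHA256 over ip|timestamp (assumed format, not SORBS's)."""
    return hmac.new(secret, f"{ip}|{listed_at}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Listing:
    ip: str
    kind: str                                 # "automated" or "manual" spamtrap
    listed_at: int
    key: Optional[str]                        # None when relisted inside the rate-limit window
    key_expires: int
    headers: list = field(default_factory=list)
    delisted: bool = False
    key_used: bool = False
    key_expired: bool = False
    acked_at: Optional[int] = None


@dataclass
class WhitehatEntry:
    isp: str
    entry_kind: str = "mailserver"            # "mailserver" or "network" list entry
    whiteness: int = WHITENESS_INITIAL
    listings: dict = field(default_factory=dict)     # ip -> Listing
    last_key_at: dict = field(default_factory=dict)  # ip -> when the last URL was sent
    removed: bool = False

    def is_whitehat(self) -> bool:
        return not self.removed and self.whiteness >= WHITEHAT_THRESHOLD

    def adjust(self, delta: int) -> None:
        self.whiteness = max(WHITENESS_MIN, min(WHITENESS_MAX, self.whiteness + delta))
        if self.whiteness <= WHITENESS_MIN:   # reaching -9: blackhat, removed from the system
            self.removed = True

    def spam_received(self, ip: str, kind: str, headers: str, now: int, secret: bytes) -> Listing:
        """A spamtrap hit from ip: list it and, rate limit permitting, issue a coded URL."""
        prev = self.listings.get(ip)
        if prev and prev.acked_at is not None and kind == "automated" \
                and now - prev.acked_at <= RELAPSE_WINDOW:
            self.adjust(-5)                   # termination was acknowledged, yet spam continued
        last = self.last_key_at.get(ip)
        if prev and not prev.delisted and last is not None and now - last < KEY_RATE_LIMIT:
            prev.headers.append(headers)      # still listed: the outstanding URL covers this too
            return prev
        fresh = last is None or now - last >= KEY_RATE_LIMIT
        key = make_key(secret, ip, now) if fresh else None
        listing = Listing(ip, kind, now, key, now + KEY_LIFETIME[self.entry_kind], [headers])
        if fresh:
            self.last_key_at[ip] = now
        self.listings[ip] = listing
        return listing

    def use_key(self, ip: str, key: str, now: int, acknowledge: bool) -> bool:
        """Owner opens the coded URL. Viewing headers alone changes nothing; delisting with
        an acknowledgement of termination removes the listing at once and adds 1 whiteness."""
        listing = self.listings.get(ip)
        if not listing or listing.key is None or listing.key_used or now > listing.key_expires:
            return False
        if not hmac.compare_digest(listing.key, key):   # constant-time compare of the token
            return False
        if acknowledge:
            listing.key_used = listing.delisted = True
            listing.acked_at = now
            self.adjust(+1)
        return True

    def expire_keys(self, now: int) -> int:
        """Housekeeping: each coded URL that lapses unused costs 1 whiteness. Returns count."""
        lapsed = 0
        for listing in self.listings.values():
            if listing.key and not listing.key_used and not listing.key_expired \
                    and now > listing.key_expires:
                listing.key_expired = True
                self.adjust(-1)
                lapsed += 1
        return lapsed

    def listing_ttl(self, ip: str, now: int) -> Optional[int]:
        """TTL in force: 1h while a whitehat holds a live key, else the default for the trap kind."""
        listing = self.listings.get(ip)
        if not listing or listing.delisted:
            return None
        live_key = listing.key is not None and not listing.key_used \
            and not listing.key_expired and now <= listing.key_expires
        return WHITEHAT_TTL if self.is_whitehat() and live_key else DEFAULT_TTL[listing.kind]


def demo() -> dict:
    """Walk one ISP entry through the lifecycle; returns whiteness/TTL after each step."""
    secret = b"server-side-secret"            # constructed
    hdr = "Received: from mx.example.net (203.0.113.5) ...; Subject: buy now"  # constructed
    t0 = 1_071_100_000
    isp = WhitehatEntry("Example ISP")
    out = {"initial": isp.whiteness}
    l1 = isp.spam_received("203.0.113.5", "automated", hdr, t0, secret)
    out["ttl_whitehat"] = isp.listing_ttl("203.0.113.5", t0)
    out["forged_key_accepted"] = isp.use_key("203.0.113.5", "0" * 64, t0 + 60, True)
    isp.use_key("203.0.113.5", l1.key, t0 + 600, acknowledge=True)
    out["after_ack"] = isp.whiteness
    isp.spam_received("203.0.113.5", "automated", hdr, t0 + 1800, secret)  # relapse
    out["after_relapse"] = isp.whiteness
    out["ttl_not_whitehat"] = isp.listing_ttl("203.0.113.5", t0 + 1800)
    isp.spam_received("198.51.100.9", "manual", hdr, t0 + 7200, secret)
    isp.expire_keys(t0 + 7200 + 49 * HOUR)    # that URL was never used
    out["after_lapse"] = isp.whiteness
    return out


if __name__ == "__main__":
    print(demo())
```

In `demo()` the entry starts at whiteness 3, gains a point for an acknowledged delisting, loses 5 when an automated trap is hit again inside the hour (dropping it below 1, so its next listing runs at the 6-hour automated default rather than 1 hour), and loses 1 more when a later coded URL lapses unused.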