I'm experimenting with my own DNS Blacklist and it's working and in
testing right now. It's a list that is honeypot-driven and only includes
traps that only spammers fall for. However, I'm trying to make sure it
never has a false positive. So I'm looking for suggestions for best
practices.
At the moment records expire 4 hours from the last spam. So it cleans
itself up. It contains only IP addresses not listed on several other
very popular lists like Spamhaus and SpamCop. I have about 21,000 hosts
that it is currently blocking. And I'm returning a different code if
they were listed just once or multiple times.
I have an idea that I'm going to try. I'm thinking about creating a DNS
whitelist where hosts that send me ham are whitelisted for 4 hours.
Whitelisting doesn't mean that they aren't going to get spam checked,
but that the host can't be blacklisted while it's whitelisted.
The idea here is to prevent the blacklist from false positives. My
theory is that true spammers never send ham from their spambots and
would be unaffected. But if someone emailed a honeypot by accident and
managed to get one of EarthLink's email servers blacklisted, that would
be a problem.
I'm also wondering whether anyone else has done any DNS whitelists of
known good servers, or at least servers that are good enough that
they should never be blacklisted? Any thoughts on this?
- DNS Blacklist Policy Design Marc Perkel