I think the attempt is admirable, as it is with the RBL's and anyone else that contributes to the "greater good," however I strongly believe that the approach is flawed. I've had similar discussions regarding shared blacklists and the same issue comes up over and over again...there needs to be some form of unautomated management and an enforceable standard for something like this to work.
I checked out the limited number of submissions to that list and found the following file for instance:
http://home.teleport.com/~amurph/web-o-trust.txt
This file lists blocks containing Comcast and Earthlink mail servers. It also includes the following list:
http://users.adelphia.net/~equalizer/web-o-trust.txt
This one contains addresses on Road Runner, Adelphia and three educational institutions, and this out of only the first 100 or so members. What's to stop me or someone else from having an epiphany and using this as my pseudo-whitelist all of a sudden and including places like Cheetah Mail and Dart Mail? Some here consider that to be spam.
It seems like this would present more trouble than problems fixed. Sure, I don't need to trust this person, or who they trust, but I also don't want to have to spend the time figuring out if someone currently has a very poor understanding of whitelisting, or may at any time in the future have a brain fart and start including the IP addresses of ISP's where the users themselves, trustworthy or not, can be infected with viruses and haplessly become open relays. This in itself is the #1 problem in spam fighting currently. It's the folks that don't own their IP space that are the hardest to block, and these are the same guys that won't be discouraged by the Can Spam laws because they are already criminals. Such a network and registry if successful, also presents a large potential issue when compromised and targeted...the map to the network is there for spoiling.
I think that if a select group of very trusted administrators with a common set of rules wanted to use the functionality to share whitelist for selected bulk-mailers
and blacklists for verified static spammers (with some form of re-review process for stale records), then this could be a useful tool, but I don't see anyone talking about such a thing.
Sorry to be so negative about the idea, but if it was all just this simple, we wouldn't have a spam problem in the first place. In the current suggested implementation, I just don't see the value as a whitelist of places that I'm pretty sure wouldn't have any problems to begin with. Maybe it might be useful to have a conversation about alternative uses for such a program? I'm definitely interested in sharing some whitelists and blacklists based on the above stated criteria, but only if we could all agree on definitions, processes, and can be responsible. The only individual IP's that I whitelist are yours and a couple of other users because of filtering discussions, and my own customers because it's real bad when you block internal E-mail, even though it is quite rare. My false positives are 95% or more legit bulk mail and legit personal mail that is sent from known compromised IP space, and the other 5% (at most) might be related to errors in custom filters being primarily responsible...but I try to fix those issues. I don't have any notable issues with small mail servers that are properly adminsitrated and protected.
Matt
R. Scott Perry wrote:
As with all such networks, as this grows larger, the potential for problems also grows. Spamcop for instance has suffered greatly from a large number of anti-commercialism administrators or people that are just plain irresponsible reporting their spam, and a system like this represents a potential for problems of a similar type, where you are expected to trust an administrator without regard to the content of the messages, the protections that they have in place to prevent misuse, or even their honesty in joining in the first place.
And it is possible that it will be a problem (for example, people whitelisting IPs that send both legitimate mail and spam). But, you have the power to omit anyone you want. And if you trust us, and we omit someone, it will be omitted for you as well.
There are many of us that have had issues with our customers spamming on occasion, and if you can't trust your own customers, why should you trust the customers of others over whom you have no control over. If these don't currently represent a measurable problem, then why apply a fix which might prevent a future spamming incident from being blocked?
If that is your philosophy, you can still use WOT. You'll still be able to get your IPs whitelisted by many people, and you can still list people that you trust directly. For example, you might decide that you want to whitelist our IP(s) ("include: http://www.declude.com/web-o-trust.txt 1"), or perhaps our IP(s) and customers ("include: http://www.declude.com/web-o-trust.txt 2"), but not those people that our customers trust. Perhaps you want to whitelist us and our customers, but there is one of our customers that you've had run-ins with in the past? In that case, you can use "include: http://www.declude.com/web-o-trust.txt 2" and then "omit: http://www.bad_guy.com/web-o-trust.txt";.
So you have almost full control over it.
And, by using a negative weight rather than actual whitelisting, WOT will just help out, without ensuring that spam gets through if a spammer gets his IP(s) somewhere in WOT.
I'm not against the idea of having some form of a registry, however the root of the problem is in differentiating among the gray stuff and not among the non-automated stuff.
We are definitely not going to add any of the gray stuff. Why? We don't want people omitting us! For the same reason, most of our customers won't, either.
But what will probably happen is someone will come up with http://www.some_isp.com/~username/grayips.txt that people can optionally trust. If we want to trust them, we won't add them to our WOT file -- but instead, we can have a private WOT file that we don't tell anyone about that includes our main WOT file and the "gray" one. That way, we can whitelist the gray IPs, and people can still trust us without also trusting the gray IPs.
Heck, Kami and I can't even agree on what spam is when it comes to this gray area stuff, and although I trust Kami's opinion on what he considers to be trusted senders, I wouldn't automatically trust his customers, or some list over which he is only in part involved in maintaining.
That's where WOT works well. If you trust his IPs, but not those of his customers, you can include his WOT file with a "1" at the end, which won't trust any of his customers. If his customers use his IP, then just don't include his WOT file (it will probably be included if you choose to include ours, but in that case, you can omit his).
If someone can show me the value of crediting points to hosts which account for almost none of my mail volume, over which I have no familiarity with their rules and procedures, and for which I am not aware of any substantial problems, I will definitely reconsider my stance.
It all depends on your specific needs. Have you found that there are IPs that send you good mail, and never send spam? Instead of whitelisting them, adding a filter to help reduce their weight, etc., someone will likely add them somewhere in WOT. That by itself may be very useful.
And, even if you don't want to trust anyone, you can just add your own IPs to your WOT file, and not include anybody. We'll include you, so others will whitelist your mail, and you won't have to trust anybody. :)
-Scott
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
