Can you name some domain whitelists, please?
Back when we were first coming up with SPF, one of the big objections was "okay, so the spammers will just go and register lots of throwaway domains and publish SPF records for those domains and then what?"
Our answer to that objection was "yes, that is part of the plan, when they do that, we will use domain whitelists and blacklists, I mean, blocklists, to distinguish between the good domains and the bad domains."
So now I am asking: Can anybody out there point me at some good domain whitelists?
I have been quietly collecting all the DNSBLs, DNSWLs, RHSBLs, RHSWLs, and URIBLs that I can find.
I have started with lists such as:
- websites that TrustE has certified
- websites that have gone through VeriSign's SSL certificate due diligence checks
- domains from my personal addressbooks
- hostnames from the Fortune 2000
- URIBL's whitelist
- LashBack's whitelist
- Return Path Sender Score Certified
I have fed the above lists into http://www.karmasphere.com
. Karmasphere's job is to aggregate all the reputation sources out there, and provide a single point of access to them. There are experimental plugins available for Postfix, Exim, Sendmail, etc.
Now I am actively hunting for new domain blacklists and whitelists. I am particularly keen to collect whitelists. SPF + domain whitelisting is a great tool for helping fight false positives.
I am hungry for more.
If folks out there would like to contribute their own domain whitelists, there's an upload-publishing interface available at the Karmasphere website. Or you can just tell me the rsync or http syndication URL, if one is available, and I can download it directly.