Email whitelisting started out innocently enough—as a reasonable solution to the high false-positive rates associated with early anti-spam filters. Today even low-performance filters block at least 90 percent of spam. But false-positive rates remain high. As a result, whitelisting is still considered a viable way to ensure mail from trusted senders arrives in user inboxes.
There’s only one problem: Whitelists have become a giant loophole for scammers to exploit. Welcome to the dark side of whitelists.
The loophole resides in the trust implicit in whitelist usage. By spoofing Yahoo, Hotmail and other commonly whitelisted senders in their campaigns, scammers slip phishing, malware, and other threats past the filter and improve their nefarious, profitable results.
Many anti-spam companies encourage whitelisting (whitelist providers touting the power of their solutions to block email threats aren’t helping matters). But the dirty little secret behind whitelists is that, though they’re often labeled as a feature, in reality they’re a vulnerability, and they mask core problems in many anti-spam technologies.
Many statistically based filters suffer from increased false-positive rates when they try to push block rates beyond 96%. Deterministic methods like Red Condor’s act as superior detectors of today’s variable and highly sophisticated campaigns, with block rates that exceed 99% and essentially no false positives.
The solution to the dark side of whitelists is simple: Quit relying on them. For users who can’t kick the whitelisting habit, here’s my advice:
- Don’t whitelist your own domain. It’s the easiest whitelist entry for spammers to exploit, allowing sophisticated attacks such as the recent Adobe spoof to just waltz right into your inbox.
- Don’t whitelist banks and other financial institutions. A perennial favorite of phishers, these institutions are among the most commonly forged entities.
- Don’t whitelist an entire domain when a specific address will suffice. If you have to poke a hole in your filter, make it a small one.
- Don’t use automatic whitelists (generated by adding addresses of people you send to). It’s a nightmare when scammers hijack the address books of people you know. The “stranded traveler” scam is a nasty example of this.
- If you’re having a problem with legitimate messages being quarantined, don’t automatically resort to your whitelist. Contact your anti-spam provider. A well-architected filter will correct these misclassifications promptly, without adverse effects.
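As an added example (not code from the original post or from Red Condor), the check below contrasts the naive address match most whitelists perform with a hardened variant that only honors exact addresses and only when the sender actually authenticated. The reliance on an Authentication-Results header written by the inbound MX (SPF/DKIM verdicts, RFC 8601) is an assumption beyond the post, and all addresses and messages are constructed.

```python
import email
from email.utils import parseaddr

# Constructed whitelist: one exact address, plus the two kinds of entry the
# post warns against (the recipient's own domain and a bank's domain).
WHITELIST_ADDRESSES = {"alice@example.com"}
WHITELIST_DOMAINS = {"example.com", "bank.example"}

def sender_address(msg):
    """Address part of the From header, lower-cased (display names tolerated)."""
    return parseaddr(msg.get("From", ""))[1].lower()

def naive_whitelisted(msg):
    """Trusts whatever From says; this is the loophole the post describes."""
    addr = sender_address(msg)
    return addr in WHITELIST_ADDRESSES or addr.rpartition("@")[2] in WHITELIST_DOMAINS

def authenticated(msg):
    """Assumption: the inbound MX records SPF/DKIM verdicts in Authentication-Results
    and strips any such header arriving from outside. Simplified substring match."""
    results = msg.get("Authentication-Results", "").lower()
    return "spf=pass" in results or "dkim=pass" in results

def hardened_whitelisted(msg):
    """Exact addresses only, and only when the sender authenticated."""
    return sender_address(msg) in WHITELIST_ADDRESSES and authenticated(msg)

def evaluate(raw):
    """Return (naive, hardened) whitelist verdicts for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    return naive_whitelisted(msg), hardened_whitelisted(msg)

# Constructed messages: one genuine, then forgeries aimed at typical whitelist entries.
GENUINE = ("From: Alice <alice@example.com>\n"
           "Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=example.com\n"
           "Subject: lunch\n\nSee you at noon.\n")
SPOOF_OWN_DOMAIN = ("From: IT Helpdesk <helpdesk@example.com>\n"  # forged own domain
                    "Authentication-Results: mx.example.com; spf=fail; dkim=none\n"
                    "Subject: Password reset\n\nClick here.\n")
SPOOF_BANK = ("From: Alerts <alerts@bank.example>\n"  # forged bank domain
              "Authentication-Results: mx.example.com; spf=fail; dkim=none\n"
              "Subject: Account locked\n\nVerify now.\n")
SPOOF_CONTACT = ("From: Alice <alice@example.com>\n"  # exact whitelisted address, forged
                 "Authentication-Results: mx.example.com; spf=softfail; dkim=none\n"
                 "Subject: Stranded abroad\n\nPlease wire money.\n")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("spoof_own_domain", SPOOF_OWN_DOMAIN),
                      ("spoof_bank", SPOOF_BANK), ("spoof_contact", SPOOF_CONTACT)]:
        naive, hardened = evaluate(raw)
        print(f"{name:17} naive={naive!s:5} hardened={hardened}")
```

Every forgery passes the naive check, including the "stranded traveler" message from a hijacked contact; the hardened check lets only the authenticated message from the exact whitelisted address through.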
Last fall, Red Condor noticed a dramatic increase in spammers forging domains commonly found in whitelists, including the recipient’s own domain. During this spike of activity, our support staff was bombarded with customer complaints of inboxes flooded with spam. In every case, the problem was rooted in overzealous use of whitelists, many of them imported during migration from other anti-spam vendors.
Understandably, many users are emotionally attached to their whitelists. High false-positive rates created this dependency. To these users, it’s almost incomprehensible a filter could perform effectively without a whitelist. It’s also a sad commentary on the anti-spam industry.