Martijn Grooten
2013-03-18 16:13:06 UTC
Paying to be on a whitelist creates detrimental incentives for the list operator by creating conflicts of interest (list quality vs commercial incentives).
I agree.

I see many other issues with the whitelist approach in general and a paid list in particular.

And since we're supposed to be thinking outside of the box: I don't think that if we were to build spam-filters from scratch and we didn't have a long and successful history of using IPv4-based lists, we would be looking at such lists for IPv6.

To me, it seems that all solutions (from whitelists to listing /64's) have serious limitations.

Why not require all email that is sent over IPv6 to be DKIM signed? You can then use/run blacklists, or whitelists, or reputation lists, or combinations of those.

You can even extend SMTP so that the signing domain(s) is/are announced in the envelope, so if you want to block there, you can do so.

There's one issue with this approach (except for the ones that I don't see): it allows for mail servers to be DDoS'ed. A crook can send a lot of emails, e.g. via a botnet, with invalid signatures, that will still have to be verified. This could take the mail server(s) down. That's very bad.


PS It's also very well possible that we don't need to bother either way: the trend seems to be that the total volume of spam is going down and the relative (and possibly absolute) volume of spam sent via more or less legitimate sources (those *ix boxes) is going up. Perhaps we both have to and are able to rely solely on IP-agnostic filtering (DKIM, SPF, content filtering).
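An added example, not part of the post above: one way a receiving server could order its checks so that the cheap ones (signature header present, signing-domain reputation, a per-/64 verification budget) run before any expensive signature verification, which limits the cost of the invalid-signature flood the post describes. The function names, decision strings, domain list and budget value are assumptions made for illustration, and the actual cryptographic verification is left to a real DKIM verifier.

```python
import ipaddress
from collections import Counter
from email import message_from_string

# Constructed sample data: a signing-domain blocklist and a per-source cap on
# expensive signature verifications within one accounting window (assumptions).
BLOCKED_DOMAINS = {"bulk.example"}
MAX_VERIFICATIONS_PER_SOURCE = 2


def signing_domains(raw_message):
    """Return the d= domain of every DKIM-Signature header (no crypto done)."""
    msg = message_from_string(raw_message)
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        # Tags are ';'-separated name=value pairs; folding whitespace is dropped.
        tags = dict(
            (k.strip().lower(), "".join(v.split()))
            for k, _, v in (part.partition("=") for part in value.split(";"))
            if k.strip()
        )
        if tags.get("d"):
            domains.append(tags["d"].lower())
    return domains


def triage(raw_message, client_ip, spent):
    """Decide what to do with a message before any signature is verified."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 6:
        return "ipv4-policy"  # the proposal only covers mail sent over IPv6
    domains = signing_domains(raw_message)
    if not domains:
        return "reject-unsigned"
    candidates = [d for d in domains if d not in BLOCKED_DOMAINS]
    if not candidates:
        return "reject-listed-domain"
    # Charge the verification to the sender's /64 rather than the single address.
    source = str(ipaddress.ip_network(f"{client_ip}/64", strict=False))
    if spent[source] >= MAX_VERIFICATIONS_PER_SOURCE:
        return "defer-budget-exhausted"
    spent[source] += 1
    return "verify:" + candidates[0]  # hand this domain to the DKIM verifier


# Constructed sample message with a folded DKIM-Signature header.
SAMPLE = ("DKIM-Signature: v=1; a=rsa-sha256; d=news.example; s=k1;\n"
          "\tb=AAAA=\nFrom: a@news.example\n\nhi\n")
if __name__ == "__main__":
    print(triage(SAMPLE, "2001:db8::1", Counter()))
```

The budget bounds the verification cost that any one /64 can impose; a flood spread across many prefixes still needs a global limit on top of it.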


