[SURBL-Discuss] Proposing a greylist

Ryan Thompson ryan at sasknow.com
Thu Sep 2 12:09:52 CEST 2004 

Jeff Chan wrote to SURBL Discuss:

> On Thursday, September 2, 2004, 7:09:27 AM, Chris Santerre wrote:
>> I am officially proposing a greylist surbl.
>
>> We are going to see more and more of this stuff. We might as well deal with
>> it now. I'm suggesting a greylist for all spammers that ride that line. Like
>> the euniverse junk we have been talking about.
>
>> 1)We DO NOT include it in multi.
>> 2)We SCREAM to the world that it WILL hit some legit, and that only hard
>> liners should use.
>> 3)We DON'T remove domains unless they go completely black, or have no NANAS
>> hits for 3-4 months.
>> 4)See number 2 again.
>> 5)We tell people it is completely optional and to see number 2.
>
>> I predict it would be used more for personal emails. IT also gives us an in
>> between mechanism. Rather then list or no list. We get a grey list we
>> desperately need.
>
> I'd rather focus on black lists for the upstream mail servers.

Go ahead! :-)

> Greylists are messier, more time-consuming, difficult to categorize,
> error-prone, controversial, and subjective than black or white lists.
> We can already see how much effort a few borderline cases consume.
> Creating and maintaining these as a third category would multiply
> that.

I disagree to all of your adjectives. :-)

Messier, error-prone, controversial, and subjective: If used as a
*blacklist*, your description wouldfit. By *definition*, however, a
greylist is the grey area that can't (yet) be classified as black or
white. By *definition* it's where the controversial stuff lives. We need
an in-between.

Further, I think *not* having a greylist leads to errors and
controversy, because even the most careful submitters will (thanks to
human nature) have a tendency to want to put domains *somewhere*. It's
damned hard to admit that somedomain.com appears in a dozen local spams,
has a bunch of NANAS hits, but, jeez, it's so *close*, but maybe, just
maybe, they have some legit uses. A greylist ought to keep the size of
our blacklist smaller, so that it really *is* as close to a pure
blacklist as we can make it.

Borderline: The borderline cases will now have a proper home, and rely
less on submitters' judgement.

Time consuming: *Definitely* not. We submitters beat our heads against
the keyboard on a per-domain basis for the difficult to classify cases,
in an attempt to list them *somewhere* (either as white or black). A
greylist would allow us to spend *less* time on some of the really
icky domains, and allow the numbers to work for us.

> If we make greylists, they will be misapplied, legitimate mails will
> be blocked, people will (somewhat rightly) complain, and our
> reputation will be damaged.

This is exactly the objection I expected you'd make. I admire
consistency. :-)

However, I take issue with "somewhat rightly complain". What you're
talking about, in usability terms, is "affordance". Give somebody a
screwdriver, and, with alarming frequency, they'll turn it around and
use the handle to beat on something. When someone complains because the
handle of their screwdriver is mangled, does that damage the
manufacturer's reputation? A coffee mug is *exactly* the right size and
shape for throwing. If I throw mine at that wall over there, and it
shatters, is it a crappy coffee cup? "Affordance". Tool and mug
manufacturers aren't going to restrict and devalue their products just
so they don't afford striking and throwing.

If someone takes our greylist and says, "Hey! I could use this to block
email", despite the big "May identify legitimate email" warning we're
going to scream from the rooftops? We're a cut above: When did you see a
coffee cup that said, "May break if thrown"? Actually, that would be
less silly than some of the *other* product warnings I've seen...

> I know it would perhaps be more fun to play the "find every
> spammer" game, but I think we should instead focus on
> improving the quality of the data we already have.

A list of grey domains could help accomplish that. See my next mail.

> When we can get the FP rate of WS below 0.01%, then maybe
> we can think about greylists....  ;-)

Again, greylists might be one of the means to that end.

- Ryan

-- 
   Ryan Thompson <ryan at sasknow.com>

   SaskNow Technologies - http://www.sasknow.com
   901-1st Avenue North - Saskatoon, SK - S7K 1Y4

         Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
   Toll-Free: 877-727-5669     (877-SASKNOW)     North America

More information about the Discuss mailing list