In the never-ending fight against spam, we all (hopefully) have some sort of filtering on our inboxes. In the attempt to let less and less spam through, there are the inevitable casualties called “false positives”: legitimate e-mail that our filters treat as spam. One way to help minimize those false positives is called “whitelisting”. Any e-mail that comes from a whitelisted address will be let through without any further checks. This helps ensure that important e-mails make it through. Many newsletters that you can subscribe to will tell you the address that the mailings will come from, and suggest that you whitelist that address.

Now, many people send themselves a copy of important e-mails that they send to others, so they have their own copy in their inbox. And, to prevent such e-mails from possibly hitting their spam traps, they whitelist their own address. While this sounds like a good idea on the surface, it’s actually a bad idea in today’s spam-filled era.

The problem is that many spammers use this fact to actually help deliver their spam. Because the protocols used to transfer e-mail from one system to another don’t require any validation on the headers of the message (those parts of the message with things like “from”, “date”, and “subject”), nothing stops anyone from forging those header lines. And spammers will often forge your e-mail address as the “from” address, making it appear as if it came from yourself. If you whitelist your own address, any spam with your address forged in the “from” will be sent directly to your inbox.
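The effect described above can be shown with a small filter. This is an added example, not code from any particular mail product: the addresses, the whitelist and the keyword check are constructed for illustration, and the "safer" variant simply refuses to let the owner's own address skip the normal checks.

```python
from email import message_from_string
from email.utils import parseaddr

MY_ADDRESS = "alice@example.com"                 # assumed mailbox owner
WHITELIST = {"news@lists.example.org", MY_ADDRESS}
SPAM_WORDS = ("lottery", "wire transfer")        # toy stand-in for a real content check

# Constructed sample: an outside host wrote the recipient's own address into "From".
FORGED = """\
Received: from unknown-host.invalid (203.0.113.7) by mx.example.com
From: Alice <alice@example.com>
To: alice@example.com
Subject: You won the lottery

Claim your lottery prize by wire transfer today.
"""

# Constructed sample: a genuine copy the owner sent to herself.
SELF_COPY = """\
From: Alice <alice@example.com>
To: alice@example.com
Subject: Meeting notes

Notes from today's meeting attached.
"""

def header_from(msg):
    """Address in the From header; this is sender-supplied text, nothing more."""
    return parseaddr(msg.get("From", ""))[1].lower()

def looks_like_spam(msg):
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    return any(word in text for word in SPAM_WORDS)

def naive_filter(raw, whitelist=WHITELIST):
    """Whitelisted From skips every other check, including for the owner's address."""
    msg = message_from_string(raw)
    if header_from(msg) in whitelist:
        return "inbox"
    return "spam" if looks_like_spam(msg) else "inbox"

def safer_filter(raw, whitelist=WHITELIST, own=MY_ADDRESS):
    """Same whitelist, but mail claiming to be from the owner is still checked."""
    msg = message_from_string(raw)
    sender = header_from(msg)
    if sender in whitelist and sender != own:
        return "inbox"
    return "spam" if looks_like_spam(msg) else "inbox"
```

Both filters deliver the genuine self-copy, but only the second one sends the forged message through the content check.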

For this same reason, “blacklisting” addresses (automatically blocking any e-mails based on that address) won’t help eliminate spam, because the spammers that don’t forge your address will simply forge different addresses. Yes, “legitimate” mainstream businesses (sometimes called “mainsleaze”) occasionally decide that spamming is a legitimate way of advertising, or use a client e-mail list to sign those clients up to newsletters they didn’t ask for, and blacklisting will block such spam. But that’s the exception rather than the rule.

