A renewed plea for a Domino whitelist

At the risk of boring those here for whom this issue may not be so important, I have decided to post again on the desirability (no, necessity) of a whitelisting feature to balance the DNSBL support in ND6.

My own recent experience, along with some recent posts in this forum (e.g. ) suggest a real need in the ND6 user community for this enhancement to the DNSBL feature of ND6.

Executive Summary

To save you reading to the end unless so inclined the main points are:

A means is required to eliminate “false positives” on DNSBL look-ups.

In most organisations, 80% of wanted email comes from less than 20% of the hosts from which mail is accepted. Therefore a small white list saves a great deal of DNS look-up activity. This is a significant performance enhancement opportunity.

No acceptable workaround to the Domino whitelist issue exists.

This author contends that a simple white list implemented in the native Domino SMTP listener would provide an effective means of:

reducing collateral damage

improving mail delivery performance

protecting the security of the ND6 user organisation

If you agree with me, please post a response to this thread. Post a response anyway - we need this debate.

Chris Linfoot

The Detail

What would this feature look like?

Doesn’t look so difficult to me…

Why do we need it?

  1. Spam is increasing.

Half of all e-mails are spam

Block listing is the only way to defeat spam at the protocol level, hence avoid bandwidth, storage and related resource theft. The use of block listing is increasingly widespread as is the use of increasingly aggressive lists. E.g:

Spamcop - recommends that mail is tagged but not blocked. Many people who post here do block based on Spamcop with very good results, but inevitably some non-spam email is rejected. The alternative of tagging instead of blocking applies in the current releases of ND6 to all black lists used and defeats one of the main benefits of DNSBL - keeping out the bad guys.

SPEWS - deliberately sets out to cause collateral damage. The philosophy (with which I happen to agree) is that ISPs are either part of the problem or part of the solution. Those that are part of the problem find increasingly large chunks of their network listed so that eventually non-spamming customers feel the pain. These customers then either complain sufficiently to persuade the ISP of the error of his ways, or they move to a less spam friendly ISP. This does mean that innocent bystanders are hurt (so far, only two at the author’s site), and we need to be able to help them during the time their IPs are listed (until they change ISP or their ISP cleans up his act).

Whitelisting provides a means of mitigating collateral damage without dropping the use of Spamcop, SPEWS (or any other particularly strong list) and without having to accept and tag all spam, then clean up the mess later.

  2. The use of DNSBL look-ups on every connection by any IP to deliver mail is redundant.

Having run a detailed analysis of email received here over the past five months, I have a strong evidence base to support this.

We are a medium sized enterprise in the manufacturing (automotive) sector in the UK. We have c. 350 Notes users and accept c. 600 Internet emails per day (currently blocking another c. 400 per day).

Since Jan 23rd 2003, a total of 541 different hosts have successfully delivered mail here (a far greater number have been refused, mainly by DNSBLs).

80% of accepted messages came from 16% of these hosts and virtually all of these 16% are hosts we would wish to white list. I contend that most companies similarly receive the majority of their email from a small number of sources.

Once trusted, do we really need to check these against block lists every time? I believe that this is unnecessary and that a whitelist would save perhaps 40-50% of all DNSBL look-up activity on an ND6 host, greatly enhancing the speed and reliability of email delivery from “trusted” sources.

  3. The only workarounds devised so far fail in the areas of

scalability (whitelisting more than a couple of IPs becomes onerous)

reliability (not all “blacklisted” hosts may be blocked)

security (“whitelisted” hosts can create a multi-stage open relay condition - anyone here who thinks this vulnerability would not be discovered and abused can read this or spend a few minutes on Google finding anecdotes like this one)

I have had to resort to techniques like these a few times recently and it doesn’t help me to sleep at night, knowing what problems I have potentially given myself.

A while ago, I posted a request for the whitelist feature in the ND6.5 beta forum. This met with a smattering of agreement. Indeed my earlier posts in this forum have generally done the same, but no-one at IBM/Lotus seems interested in making any comment.

Time for that to change.

Chris Linfoot
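The control flow the post above asks for (consult a local trust list first, query the block lists only for hosts not on it, and act per list rather than tagging everything) is easy to show in code. What follows is an added example written for this page; it is not Lotus Domino code and not the poster's own. The zone names, the whitelist entries, the per-zone actions and the DNS answers are all constructed stand-ins so the script runs offline; a real deployment would replace `fake_resolve` with an actual A-record lookup.

```python
"""Whitelist-before-DNSBL check for an inbound SMTP connection (added example)."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed policy, consulted in order. "reject" refuses the connection
# at SMTP time; "tag" accepts the message but marks it for later filtering.
DNSBL_POLICY: Dict[str, str] = {
    "strict.dnsbl.example": "reject",
    "loose.dnsbl.example": "tag",
}

# Constructed whitelist: exact addresses and CIDR ranges of trusted senders.
# Note: this only exempts a host from DNSBL lookups. It must not grant relay
# permission, or a whitelisted relay becomes the multi-stage open relay the
# post warns about.
TRUSTED_SENDERS: List[str] = ["192.0.2.10", "198.51.100.0/24"]

# Constructed DNS answers standing in for a live resolver.
# DNSBLs answer with an address in 127.0.0.0/8 for a listed host and
# NXDOMAIN (None here) for a clean one.
FAKE_DNS: Dict[str, str] = {
    "10.2.0.192.strict.dnsbl.example": "127.0.0.2",     # trusted host, listed anyway
    "7.113.0.203.strict.dnsbl.example": "127.0.0.2",    # listed by the strict zone
    "8.113.0.203.loose.dnsbl.example": "127.0.0.3",     # listed only by the tag-only zone
    "10.113.0.203.strict.dnsbl.example": "127.255.255.254",  # error-style answer
}


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for an A lookup: the answer, or None for NXDOMAIN."""
    return FAKE_DNS.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the conventional DNSBL query name: reversed octets under the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises on malformed or IPv6 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_trusted(ip: str, whitelist: Iterable[str]) -> bool:
    """True if ip is an exact entry or falls inside a CIDR entry of the whitelist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in whitelist)


def dnsbl_verdict(answer: Optional[str]) -> str:
    """Map an A answer to 'listed', 'clean' or 'error'.

    Some lists signal query problems with 127.255.255.x answers rather than
    a listing; treat those (and anything outside 127/8) as an error, not a hit.
    """
    if answer is None:
        return "clean"
    a = ipaddress.IPv4Address(answer)
    if a in ipaddress.ip_network("127.255.255.0/24"):
        return "error"
    if a in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "error"


def check_connection(ip: str, whitelist: Iterable[str] = TRUSTED_SENDERS,
                     policy: Dict[str, str] = DNSBL_POLICY,
                     resolve: Resolver = fake_resolve) -> dict:
    """Decide accept/tag/reject for a connecting IP, whitelist first."""
    result = {"ip": ip, "action": "accept", "lookups": 0,
              "listed_by": [], "errors": [], "reason": ""}
    if is_trusted(ip, whitelist):
        result["reason"] = "whitelisted; DNSBL lookups skipped"
        return result
    for zone, action in policy.items():
        result["lookups"] += 1
        verdict = dnsbl_verdict(resolve(dnsbl_query_name(ip, zone)))
        if verdict == "error":
            result["errors"].append(zone)  # unknown, so fail open on this zone
            continue
        if verdict == "listed":
            result["listed_by"].append(zone)
            if action == "reject":
                result["action"] = "reject"
                result["reason"] = "listed by " + zone
                return result  # no point querying the remaining lists
            result["action"] = "tag"
    result["reason"] = ("tagged: listed by " + ", ".join(result["listed_by"])
                        if result["listed_by"] else "not listed")
    return result


def lookup_savings(ips: Iterable[str], whitelist: Iterable[str] = TRUSTED_SENDERS,
                   policy: Dict[str, str] = DNSBL_POLICY,
                   resolve: Resolver = fake_resolve) -> dict:
    """Count DNSBL queries issued versus avoided over a batch of connections.

    'skipped' is an upper bound: a clean trusted host would otherwise have
    been queried against every configured list.
    """
    issued = skipped = 0
    for ip in ips:
        r = check_connection(ip, whitelist, policy, resolve)
        issued += r["lookups"]
        if r["lookups"] == 0:
            skipped += len(policy)
    return {"issued": issued, "skipped": skipped}


if __name__ == "__main__":
    # Constructed traffic mix: most connections from one trusted host.
    sample = ["192.0.2.10"] * 8 + ["203.0.113.9", "203.0.113.7"]
    for ip in ["192.0.2.10", "203.0.113.7", "203.0.113.8", "203.0.113.10"]:
        print(check_connection(ip))
    print(lookup_savings(sample))
```

The whitelist check runs before any network activity, which is the performance point of the post: a trusted host costs zero DNS queries. Error-style answers are recorded but do not block, so a misbehaving or rate-limiting list cannot silently reject a site's mail.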

Subject: A renewed plea for a Domino whitelist

Chris is right on the money. However I believe that black-lists and white-lists may not be enough. Spam is evolving very quickly and needs a solution that can evolve as quickly. White lists are part of the solution but there are several ideas that make the management of Spam more bearable.

Companies like IBM/LOTUS can always implement ideas to stop Spam but it is very hard to stay active in the day to day war on Spam. This is where the smaller company with a specific Anti-Spam solution comes into play.

Ideas like this (below) will stop a majority of Spam:

· Allowing the users to help with some level of Spam

· Mixture of Corp/personal white lists and black lists

· Internet blacklists

· Detection of specific spamming techniques (obfuscated URL’s, etc.)

· Content analysis and categorization.

· Auto safe list generation of “sent” mail

· Ability to quarantine SPAM before it gets to the user

· Minimal impact to mail infrastructure/templates

· greater than 95% effectiveness (a target to make Spam a non-effective marketing solution)

· Spam countermeasures

· Use of a statistical analysis learning engine (limited because of the overhead requirements.)

· Shared community Spam information (shared fingerprint database lists, etc.)

And this is only the tip of the iceberg. It is the new Anti-Spam ideas plus the legislation that will make the Spam go away.

Now here is the plug. :-) A lot of the ideas above have been the reason for developing MIMEShield. MIMEShield has been in development for over a year now and works extremely well in the Enterprise Domino environment. If you are looking for a better solution than what is currently built into R6 then I believe MIMEShield is the answer.

Greg Gessel

http://www.mimeshield.com

Subject: A renewed plea for a Domino whitelist

Wow, an impressive business case – are you auditioning for a product manager job? :-)

You are not likely to get a comment from us at Lotus, because we don’t generally make on-record statements about future features and capabilities. As has been indicated in the 6.5 forum, the features for that release are locked down (and were some time ago). Other than the optional DB2 back-end, we’ve not made any public statement on features or capabilities for the next major release beyond 6.5.

So, don’t take silence as an indication that we’re uninterested or not reading. However, don’t take my posting of a response as indicative that we are interested, either … just trying to set expectations around your last sentence (“Time for that to change”).

–Ed/IBM Lotus

Subject: RE: A renewed plea for a Domino whitelist

“Are you auditioning for a product manager job?”

Depends who’s asking ;-)

“As has been indicated in the 6.5 forum, the features for that release are locked down (and were some time ago).”

As a matter of interest, is “some time ago” before 11 June 2002 (the earliest sighting I have so far found of a post requesting this feature, though there may even be earlier ones…)?

Subject: based on 6.5 goals, it shouldn’t matter

What you are asking for is an architectural change to the Domino Server. We really didn’t want to touch the core server capabilities in 6.x, it’s mainly an end-user features release.

Subject: RE: based on 6.5 goals, it shouldn’t matter

OK then - can we have it planned for ND7?

Subject: quoting from my first posting

“Other than the optional DB2 back-end, we’ve not made any public statement on features or capabilities for the next major release beyond 6.5.”

Subject: Thanks Ed - I know that…

But as an SME (do Americans call us SMBs) user of Lotus/IBM software I am occasionally confused and/or annoyed by IBM’s apparent lack of interest in the concerns of their SME users (IBM is not alone - another large software company springs to mind in this context).

As most people here (in this forum) would probably agree, IBM has in ND6 a product which is technically so superior to anything available from any competitor that it is difficult to conceive how we would deploy the solutions we have deployed on ND6 any other way.

I have been with Notes for over a decade now, it was the first thing I implemented when I took on my current job nearly six years ago and remains the only part of our complex IT infrastructure that users regularly praise.

Notes/Domino has become central to our business success and some applications we have developed are the envy of our competitors.

But despite the criticality of ND6 to my organisation, and our generally high level of satisfaction with it, we have almost no voice when it comes to influencing the future direction of the product.

I get calls from IBM regularly from people wanting to sell me “portal solutions”. Almost all of these are from Websphere people. Few believe me when I say I have a portal solution deployed on Domino and that I am more than happy with it - is it only a matter of time before I rip it all out and put in a Websphere solution?

By contrast, I have only once had any IBM/Lotus person in my office for a chat and that only very recently.

What I need you to do, Ed, is not to sell to me (I bought Notes a decade ago and it will be a cold day in hell when I trade it in), nor to tell me how it is, but to listen to me.

We (your SME users) are potentially one of your greatest strengths if you care to use us. We have a wealth of experience and a passion for your product which may even match your own. We are your ambassadors in a world dominated by well marketed but inferior products.

Collaboration lies at the heart of Lotus’ product strategy. So listen to us. Use us. We will all be strengthened by it.

cwl

Subject: Take a look at Lotus Workplace …

… you might be reassured. See my posting here:

I’ve been with Notes for only 8 years (eek! 9 in fact – time flies) and have been feeling very unhappy of late, this cheered me up quite a bit.

=B-)

Subject: I’m not sure how you get from a to b here

Whether you are an SME/SMB or among my top ten customers in size, it doesn’t matter. We aren’t talking about feature or capabilities for the feature releases beyond Notes/Domino 6.5.

The Notes/Domino product line has a huge customer base in SMB, and I think we are listening a lot to the needs of this segment. For example, just last week Lotus Workflow was repriced, back to a per-user basis instead of per-CPU, because it was too costly to be considered by smaller organisations at the per-CPU price. There are forthcoming Domino “Express” offerings specifically designed for the SMB market. The Move2Lotus and tradeup programs have special bundles with one server and 100 user licenses. Passport Advantage Express gives smaller organizations an easier way to buy IBM software.

OK, so those are all marketing things, not features or capabilities in the product. But they should be indicative to you of the focus on SMB all around the organization here.

So, I’m not sure why you think you have no voice or that you aren’t being listened to. I can’t see how anyone would draw that conclusion from my responses. In fact quite the opposite – go tell your boss “IBM responded to my post in their forum”. We don’t respond to everything here, so that in and of itself means you hit someone’s radar screen on this end, doesn’t it?

Subject: To get from A to B

Don’t take this personally Ed. I am greatly encouraged by your interjection on this matter. You have obviously listened. You have been very clear, concise and honest and I do appreciate that.

I have seen you post here often, even though it is a user forum and I have read your blog from time to time and these qualities of honesty and openness are clear elsewhere too.

But, putting CIO of SME hat back on and referring to earlier posts, I said “almost no voice”, not “no voice at all”. We have a saying here - “one swallow doesn’t make a summer”. This is the only time in my whole ten+ years as a Notes user that I have had such a dialogue. I don’t expect another any time soon. So that is how I got from A to B.

In the case in hand, I would have adopted a less demanding stance if I didn’t believe the issue I was raising was critical to many users and useful to almost all.

The spam epidemic is growing so rapidly that I am now convinced that the future model for corporate email on the Internet, at least so long as SMTP prevails, will be aggressive blocking mitigated by whitelisting (or possibly eventually global blocking except from whitelisted sources).

I would prefer to have a native Domino solution for this. Sadly, I may be forced to consider alternatives. But one way or another, I will implement this.

Thanks for listening.

Subject: RE: To get from A to B

…sorry - I removed my post…

Subject: RE: based on 6.5 goals, it shouldn’t matter

[What you are asking for is an architectural change to the Domino Server.]

Explain the logic underlying that statement. Adding a list of IPs/DNSs to exclude from blacklist checking is no more “architectural” than moving your end-table closer to the couch.

The SMTP configuration is already littered with options on exception-making.
Clearly the approach is already there in the code.

Subject: RE: based on 6.5 goals, it shouldn’t matter

Nathan,

Thank you for your response to Ed. The notion that a whitelist would require any architectural change to the code is highly implausible, for the reasons you give.

Christopher is also to be congratulated for his well written original post. Unfortunately, instead of being ahead of the curve on this issue (by having the feature already in the code, or at least announced), Ed et al. appear to be way behind.

Messaging is at the core of Domino and Notes. SPAM directly threatens that core. The lack of some new end user features in 6.5 do not threaten that core. (Note: I have been pleased with what I have seen in previews of 6.5. But the improvements are mostly nice to have, not essential to every day core functions.)

A whitelist in conjunction with the (wonderful) blacklist capability in ND6 is a very effective countermeasure to SPAM. We have been very happy since turning on the blacklist reject function. The only thing preventing us from using it with a couple more aggressive blacklists (e.g., fiveten) is that they have a higher false positive rate. But a whitelist would solve this.

IMO, Lotus needs to recalibrate its thinking on the importance of this issue. They were able to introduce a major new feature in 6.0.1 (roaming - also great). It is hard to believe they could not slip a basic whitelisting capability into one of the upcoming point releases in the 6.0 code stream. A public commitment from Lotus to do so would signal that they are waking up to this issue. Telling us to wait for a new post 6.5 version of domino is not an acceptable answer.

-Andy

Subject: RE: A renewed plea for a Domino whitelist

“Are you auditioning for a product manager job?”

Don’t ask or you may get what you are asking for which means giving your life and time to an organization only to be resource actioned:-)

Subject: RE: A renewed plea for a Domino whitelist

“Resource actioned”…

New euphemism for ??? Help me out here; blood caffeine level critically low just now.

Subject: RE: A renewed plea for a Domino whitelist

IBM Speak: They do not lay people off, they select people for resource actions. I see that Gary Devendorf, former product manager for Notes/Domino, is now on his own…

Subject: Renewed hope for your renewed plea

Hi Chris, I was told today by a Notes/Domino contractor that my company uses from time to time that IBM is finally going to include Whitelisting capabilities in a soon to be released update of ND6.5. I have yet to substantiate the rumor. It’s not that I don’t trust the contractor; it’s just that I have to see it with my own eyes to believe it. I am frantically searching the cavernous web sites of IBM.com and lotus.com to find any hint of truth to the statement. Sorry to get your hopes up if it turns out to be nothing more than a rumor, but I was so excited by the “news” that I had to share it with someone that I knew would appreciate the possibility that it might be true.

Incidentally, I have begun using dynablock.easynet.nl today. My decision to use it is based in large part on the positive results you have reported. I’ve been using the list for a little less than 3 hours and it’s already resulted in over 170 blocked messages.

Thanks so much for doing what you do and taking the time to share it with the community. Your forum postings and blog are always an excellent resource.

…Dave.

Subject: RE: Renewed hope for your renewed plea

Woo hoo.

Subject: RE: Renewed hope for your renewed plea

Well, I haven’t found any information to corroborate the claim. :( As others have already mentioned in the forum, there isn’t even any mention of 6.5.1 yet. And, according to other forum contributors, it might be January before 6.5.1 is released. And even when it is released, I can find no proof to indicate that whitelist capability will be included. Just in case, I’ll double up on the Champagne purchase: one bottle for New Year’s and one for “New Features”. ;)