What Is A Whitelist And How Does It Reduce Spam?

Whitelists are something I touched upon in the last post about keeping spam out of your kids’ inboxes.

They are, possibly, the most effective tool available in terms of preventing spam completely.


Whitelists Are Almost 100% Effective

A whitelist is a user-created database which lists email addresses, IP addresses and domains that they have determined are safe.

Anyone added to the whitelist can successfully send email to the recipient whilst the opposite is true – if you ain’t on the list you ain’t gettin’ in.

For the database to be compiled the user needs to manually add each of their trusted sources.

Such a method is extremely thorough and whitelists offer close to 100% protection from spam.

Despite such success, whitelists are not universally adopted for reasons I am about to explain…

False Positives

As whitelists are exceptionally good at blocking email from non-authorised sources it means a great deal of false positives are generated.

In other words, there is the potential for large amounts of legitimate mail to be blocked.

To overcome this problem whitelists often utilise a technique known as challenge-response.

What this means is that when an email from an unknown source is detected the system will reply with an automatic response which issues a ‘challenge’ to the sender.

Such challenges can take many forms but the most common ones include captchas and simple questions.

By doing this, the system can be sure that any response has come from a human rather than any sort of automated process such as an email harvesting bot.

If the challenge is correctly answered then the email will then be allowed to proceed to the users inbox and the sender will automatically be added to the whitelist so that the procedure doesn’t need to be repeated next time they send an email.

There are both advantages and disadvantages to the challenge-response method of assessing emails.

If the sender is a spammer then they are unlikely to waste their time answering questions or working out captchas.

They are far more likely to simply move along and try other addresses.

On the other hand, legitimate email senders may become irritated at the prospect of having to jump through hoops in order to get their message through to you.

In fact the first time I received a challenge response I didn’t know what it was and deleted it, thinking the message looked rather suspect.
Hard Work
There is another potential problem with whitelists, namely that new email addresses will need to be constantly added as time goes by.

It may not even be practical for the user to add them when he is dealing with online merchants or newsletters who may reply with different addresses to the one they first communicated with.

If the addresses are known then they can easily be added to the whitelist, in a manner similar to the one shown for hotmail in the following video clip –

You need to a flashplayer enabled browser to view this YouTube video

If, however, the user forgets to add a certain email address, or misspells it, then future correspondence will either be blocked or subjected to the challenge-response system I mentioned earlier.

Therefore whitelists are far more effective than anti-spam filters but also much harder work to configure correctly.

Whitelists would be especially useful for business users who receive huge amounts of email but by nature of their manual configuration they either become incredibly hard to update or, alternatively, block far too much legitimate correspondence.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.


  1. […] employees all day.That is not practical.But if you are on a small network with a few people then white listing might be the solution for you. AKPC_IDS += "23024,";google_ad_client = "pub-5266989973063252"; /* […]

Speak Your Mind