[spambayes-dev] Regarding Whitelisting

Aleem B aleem.bawany at utoronto.ca
Tue Sep 2 16:37:38 EDT 2003

T. Alexander Popiel wrote:
> In message:  <001b01c37171$795e9270$0a00a8c0 at Aleem>
>              "Aleem B" <aleem.bawany at utoronto.ca> writes:
>>>> With whitelists mail would not get "mis-classified" in the
>>>> first place.
>>> Not true.  Thanks to spoofing, you'd end up with lots of
>>> false-negatives.  Or if you personally don't, many other spambayes
>>> users would.
>> This is the part that I don't understand. How often do
>> you receive spam forged from people in your address book?
> I get about six a day, presumably because one of the spammers
> that raped a mailing list got a clue and uses other members
> of that mailing list as from addresses when sending to
> addresses culled from that source.

Whitelisting is merely a way of providing more control/power
to the user. It is an option and users can choose to have
comfort of knowing that mails from a certain address won't be
marked as spam. In your specific scenario, you would probably
opt against whitelisting those specific addresses from which
your recieve spam. So you simply let the user decide what he
thinks best.

>>>> Besides, the decision to whitelist an email address (and risk
>>>> getting mail from a spammer forging that very address),
>>>> should be left to the user.
>>> We're not stopping you whitelisting; we're simply not adding it to
>>> spambayes. 
>> I'm trying to make a case for it, because the case against it is
>> weak.
> What I don't understand is why people want one tool to do everything.
> I have multiple MTAs which are separate from my MDA which is separate
> from my MUA, with several filters in between... why should
> whitelisting be added to spambayes, when spambayes does what it does
> very well, and other tools (like procmail) can trivially do
> whitelisting very well, and they can be easily used in conjunction?
> Is this another case of unix mentality (use multiple tools which each
> do their own thing well) is getting in the way of general acceptance
> by the masses? 

Whitelisting is a concept well ingrained with spam detection. I
don't see why they should be two different tools. Whitelisting 
lends itself to the spamming vocabulary for a reason. Besides
whitelist here is being used in context to spam, so effectively
I am only requesting you consider having a "whitelist for

>>> False positives are much worse than false negatives, yes. But you're
>>> still basing this on no evidence that there will be these false
>>> positives.
>> The classifier can generate false positives - what evidence do I
>> need? 
> The same evidence that you're demanding for false negatives from
> whitelists (which I provide anecdotally above).

I think evidence and argument are being used interchangeably here. I
still don't see what kind of evidence you are demanding. Whitelists
circumvent spam detectors and don't generate false positives.
Whitelists can generate false negatives (as you argue) but the user
has control over his whitelist (as I mentioned above). It is a concept
analogous VIP lists. If there are VIP impersonators you can take them
off the VIP list and let the filter handle them.


[ http://aleembawany.com/ ]

More information about the spambayes-dev mailing list