Web-o-Trust

a whitelisting network

Web-o-trust is a system for whitelisting SMTP clients in a scalable fashion. You create a web-o-trust, and so does your buddy. You and she list each other's web-o-trust. You can create your own whitelist, or you can use an existing DNS-based whitelist. Each whitelist has its own starting point into the web-o-trust. Since you can specify the depth beyond which you refuse to traverse, every starting point can produce a whitelist based on your trust level.
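The depth-limited traversal described above, sketched in Python as an added example (this is not the collate program and not the author's code). The dictionary layout, the example URLs and the addresses are constructed for illustration and do not reproduce the web-o-trust file syntax.

```python
from collections import deque

# Constructed sample data: each key stands for one web-o-trust file (by URL),
# with the hosts it lists and the other files it includes. This dict layout is
# an assumption for illustration, not the on-disk web-o-trust file syntax.
WEB = {
    "http://a.example/web-o-trust.txt": {
        "hosts": ["192.0.2.1"],
        "includes": ["http://b.example/web-o-trust.txt"],
    },
    "http://b.example/web-o-trust.txt": {
        "hosts": ["192.0.2.2"],
        # b lists a back: mutual listing creates a cycle in the graph
        "includes": ["http://a.example/web-o-trust.txt",
                     "http://c.example/web-o-trust.txt"],
    },
    "http://c.example/web-o-trust.txt": {
        "hosts": ["192.0.2.3"],
        "includes": ["http://d.example/web-o-trust.txt"],
    },
    "http://d.example/web-o-trust.txt": {"hosts": ["192.0.2.4"], "includes": []},
}


def build_whitelist(web, start, max_depth):
    """Return {host: depth} for files reachable from start within max_depth hops."""
    seen = {start}
    queue = deque([(start, 0)])
    whitelist = {}
    while queue:
        url, depth = queue.popleft()
        entry = web.get(url)
        if entry is None:            # missing or unreadable file: skip it
            continue
        for host in entry["hosts"]:
            whitelist.setdefault(host, depth)   # BFS: first sighting is the shortest path
        if depth == max_depth:       # refuse to traverse beyond the chosen depth
            continue
        for nxt in entry["includes"]:
            if nxt not in seen:      # visit each file once so cycles terminate
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return whitelist


if __name__ == "__main__":
    for depth in (0, 1, 3):
        print(depth, sorted(build_whitelist(WEB, "http://a.example/web-o-trust.txt", depth)))
```

The same graph yields a different whitelist for each starting point and each depth limit, which is how one set of published files can serve operators with different trust levels.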

status

The first whitelist based on the web-o-trust is cabal.web-o-trust.org. It trusts everyone listed in http://www.sf-bay.org/web-o-trust.txt, and anyone they trust. If you want to get into this whitelist, look through that file to see if you know anybody represented there. Ask them to add you to their web-o-trust file. The zone is up and may be queried. It's updated four times a day from the http://www.sf-bay.org/web-o-trust.txt file.

purpose

The initial purpose of the web-o-trust is to make sure that SMTP clients are not wrongly listed in a DNSBL (DNS-based Blocking List). You create an entry for your SMTP clients, and enable whitelisting on your SMTP servers. In time, if we get enough clients listed, it may be possible to apply a sanction to clients outside of the web-o-trust. For example, one might want to reject such email if it doesn't comply with all appropriate RFCs. Or one might reject every tenth message, saying "you are outside my web-o-trust."
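How a whitelist lookup keeps a client from being wrongly rejected by a DNSBL, as an added example rather than code from this site. It assumes the usual reversed-octet DNS list query convention; the blocklist zone `dnsbl.example`, the sample DNS answers and the defer-on-failure choice are assumptions made for the example.

```python
import ipaddress

DNSWL_ZONE = "cabal.web-o-trust.org"   # whitelist zone named on this page
DNSBL_ZONE = "dnsbl.example"           # placeholder blocklist zone (assumption)


def query_name(ip, zone):
    """Build the lookup name for an IPv4 client: reversed octets, then the zone."""
    addr = ipaddress.IPv4Address(ip)   # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, zone, resolve):
    """True/False for a definite answer, None when the lookup itself failed."""
    try:
        return bool(resolve(query_name(ip, zone)))
    except OSError:
        return None


def smtp_decision(ip, resolve):
    """Consult the whitelist first; a hit overrides any DNSBL listing."""
    white = is_listed(ip, DNSWL_ZONE, resolve)
    if white:
        return "accept: whitelisted"
    black = is_listed(ip, DNSBL_ZONE, resolve)
    if black and white is None:
        # Whitelist status unknown: defer rather than risk a wrongful reject.
        return "defer: whitelist lookup failed"
    if black:
        return "reject: blocklisted"
    return "accept: not blocklisted"   # also covers a failed blocklist lookup


# Constructed answers standing in for live DNS; None simulates a timeout.
SAMPLE_DNS = {
    "1.2.0.192.cabal.web-o-trust.org": ["127.0.0.2"],
    "1.2.0.192.dnsbl.example": ["127.0.0.2"],       # blocklisted but whitelisted
    "7.100.51.198.dnsbl.example": ["127.0.0.2"],
    "9.113.0.203.cabal.web-o-trust.org": None,
    "9.113.0.203.dnsbl.example": ["127.0.0.2"],
}


def sample_resolve(name):
    answer = SAMPLE_DNS.get(name, [])
    if answer is None:
        raise OSError("simulated DNS timeout")
    return answer
```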

policy

This website, and web-o-trust files, are intended to be completely policy-neutral. The purpose is to include enough information in the file so that a multitude of policies may be applied. For example, one company might have a policy of only listing SMTP clients that have put up a bond, which is paid out on verifiable complaints. You might or might not choose to trust the contents of such a web-o-trust file. Or for another example, entries might be only included if the owner has sent in a notarized photocopy of their driver's license.

Anyone can run their own DNSWL (DNS-based White List) based on information derived from web-o-trust files. We currently have one such list, but others, using a different policy for inclusion, are possible. We'd be happy to include a listing of any other DNSWLs based on web-o-trust files. You could also, if you were so daring, create a DNSBL which is based on the inverse of web-o-trust files: every host not trusted gets listed. We don't plan to dictate your choice of what to do with the information you publish under this standard.

participating

To list SMTP clients that you trust, you need to create your own web-o-trust file. Instructions on writing your own file are on another page. Once you've created it, put it up on "your" website under the name web-o-trust.txt. It should go on "your" website because that's where your friends are going to go looking for it. The file is not required to have the name web-o-trust.txt, but using that name will help others find your file more easily.

To participate in the web-o-trust, you should find somebody who wants to sponsor you. The easiest way to do that is to ask around, or to go looking for web-o-trust.txt files. Ask the owner to add your web-o-trust file to their web-o-trust file. It's that simple! The next time the whitelist gets built, it will include your hosts. Even if you're listed in everybody.txt, it's important for you to ask your friends to include you. Extra includes can be used to outweigh omits. In time, everybody.txt will not be used to build anything, because spammers will find it and add their own web-o-trust files.

Here's a list of everybody who has created a web-o-trust.txt file. You can add your entry to it. You can also browse starting here.

trust

Trust is very important to establish and maintain. If you add hosts only under your control, then you know how much you can trust them. If you add hosts willy-nilly, then you will find yourself being ignored. Rather than adding a host under someone else's control, it's better if you persuade them to create their own web-o-trust file. You can include theirs. That has two pleasant effects: 1) they can be omitted without having to omit you, and 2) if they make changes, they will be the first to notice and the first to fix their own file.

whitelisting

You can whitelist qmail using rblsmtpd or sendmail. We'll add documentation for other SMTP servers as people contribute it. Bonded Sender has some information on using their service, which can be useful as they're another DNS-based whitelist. SpamBouncer has added support for querying cabal.web-o-trust.org.

software

The program which produces an rbldns-data input file is called collate. It's written in Python and only requires python 1.52. It takes a URL (or file) pointing to the base web-o-trust file, and writes the list of IP addresses to stdout. It ignores data with syntax errors.

If there's something you want collate to do, by all means, send email to the mailing list. It definitely has lots of room for implementing policy decisions. If we add them gratuitously, it will make the program needlessly complicated, so ask for what you want.

We're also going to have a web page which lets you submit a web-o-trust URL for syntax checking. You can browse the web of trust starting at

mailing list

There's a mailing list for discussion of the web-o-trust whitelist system. Send any email to subscribe or unsubscribe.


Russell Nelson
Last modified: Tue Jan 6 01:13:06 EST 2004