Blacklists: Readers Respond

Security UPDATE readers relate their experiences and suggest tips for working with blacklists.

ITPro Today

November 16, 2004

5 Min Read

Last week, I wrote about how blacklists can help an email filter detect junk mail and thus reduce the amount of junk that reaches your inbox. Several readers responded, and this week I'll share some of their perspectives because they make good points that everyone should be aware of.

Small-business owner Evan Ross wrote that he thinks blacklists are a bad idea. He said, "We had an issue last year where Spamhaus blacklisted my ISP due to . . . another one of their customers sending spam. We were prevented from sending mail to some of our customers for up to four weeks. In direct conversations with Spamhaus, I did not find them at all responsive. I felt that they were vigilantes that held me hostage."

Stephen Canale, from the mail-filtering outsourcing company OnlyMyEmail, expresses similar sentiments, writing that blacklist providers "are not particularly responsive to correcting listing errors and generally don't mind creating collateral damage. Some even encourage this as a way to put pressure on ISPs and other hosts. Spamcop is pretty straightforward about this, saying 'The SCBL is aggressive and often errs on the side of blocking mail.' The only way to accurately stop spam without significant false positives is to use out-sourced services such as ours." OnlyMyEmail filters out junk mail and malware for individual users or entire domains.

I think these services work well--otherwise they'd go out of business relatively quickly. But I don't agree that filtering services are the "only way to accurately stop spam." My desktop-based email filter that supports the use of blacklist services works well, and I'm sure most of you have similar results. A third reader, Joe Wein, wrote: "I wholeheartedly back your recommendation of the Spamhaus.org blacklists (SBL and XBL), with which we've had excellent results so far. Spamhaus is probably the single most valuable source of IP blacklist information available today."

Joe went on to say, "I would add some reservations concerning the SpamCop list though. While it catches a lot of spam, it has a much higher false positive rate than Spamhaus and even other services. SpamCop.net itself does not recommend using it for outright blocking: 'SpamCop encourages use of the SCBL in concert with an actively maintained whitelist of wanted email senders. SpamCop encourages SCBL users to tag and divert email, rather than block it outright.' (http://www.spamcop.net/bl.shtml)"

Joe had more to say about SpamCop: "SpamCop users frequently submit reports involving servers of their own mail accounts that are configured to forward mail to another account of theirs at a different provider, where mail is read. Because SpamCop does not follow the Received lines through [to] the real culprit, the servers of the auto-forwarding ISP end up getting listed instead of the spam source that hit the initial forwarding ISP."

Joe's next point was one that I probably didn't stress enough last week. "Because of its high [false positive] rate, the SpamCop list can only be used as one part of a scoring system, with a hit on the list weighted low enough so that false positives do not cause the loss of valid email." I think this principle should be employed when using any blacklist service.

Joe continued, "A good anti-spam solution should involve multiple strategies and combine the results, rather than relying on a single make-or-break test. A combination of IP blacklists, domain blacklists and content-based scoring (such as detecting known bulk email software and/or Bayesian filters) offers the best results overall. This multi-pronged approach has been used by SpamAssassin and also by our own desktop solution, jwSpamSpy." (http://www.joewein.de/sw/jwSpamSpy/)

Joe also informed me about another type of blacklist service, Spam Uniform Resource Identifier Realtime Blocklists (SURBLs), in which, according to the http://www.surbl.org/ Web site, "SURBLs are not used to block spam senders. Instead they allow you to block messages that have spam domains which occur in message bodies." Joe said that because of the way SURBLs work, "Spammers can switch Trojaned boxes and open proxies as much as they want. As long as they still advertise the same Web sites, they will get caught in the filter."
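Joe's two technical points above (weight a high-false-positive list low inside a combined score, and let SURBL catch the advertised domain rather than the sending host) as an added worked example; this is not code from the article, from SpamAssassin or from jwSpamSpy. It builds the lookup names an IP blacklist and a SURBL expect, then scores a message against a constructed in-memory stand-in for DNS so it runs offline; the zone names, weights, thresholds and sample addresses are assumptions.

```python
import re
from ipaddress import IPv4Address

# Constructed stand-in for DNS: a name in this set counts as "listed".
# Real filters resolve each name as an A record against the zone instead.
LISTED = {
    "4.3.2.1.sbl.spamhaus.org",             # spam source on the SBL
    "4.3.2.1.bl.spamcop.net",               # ...and on the SCBL
    "8.7.6.5.bl.spamcop.net",               # auto-forwarding host: SCBL only
    "cheap-pills.example.multi.surbl.org",  # advertised domain on SURBL
}

# SCBL is weighted low on purpose: a lone SCBL hit must never reach "block".
WEIGHTS = {"sbl": 4.0, "xbl": 4.0, "scbl": 1.0, "surbl": 3.0}
TAG_AT, BLOCK_AT = 2.0, 5.0  # tag-and-divert below BLOCK_AT, per SpamCop's advice

def dnsbl_name(ip, zone):
    """IP blacklists are queried by reversed octets under the zone: 1.2.3.4 -> 4.3.2.1.zone"""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def body_domains(body):
    """Hostnames of http(s) URLs in the body, lower-cased, leading 'www.' dropped.
    (SURBL expects the registered domain; reducing subdomains further is left out.)"""
    hosts = re.findall(r"https?://([A-Za-z0-9.-]+)", body)
    return {h[4:] if h.startswith("www.") else h for h in (x.lower() for x in hosts)}

def score_message(sender_ip, body, listed=LISTED):
    """Combine every list hit into one score; return (score, verdict, hits)."""
    hits = []
    if dnsbl_name(sender_ip, "sbl.spamhaus.org") in listed:
        hits.append("sbl")
    if dnsbl_name(sender_ip, "xbl.spamhaus.org") in listed:
        hits.append("xbl")
    if dnsbl_name(sender_ip, "bl.spamcop.net") in listed:
        hits.append("scbl")
    # SURBL keys on the domain advertised in the body, not on the sending host,
    # so switching Trojaned boxes or open proxies does not evade it.
    if any(d + ".multi.surbl.org" in listed for d in body_domains(body)):
        hits.append("surbl")
    score = sum(WEIGHTS[h] for h in hits)
    verdict = "block" if score >= BLOCK_AT else "tag" if score >= TAG_AT else "deliver"
    return score, verdict, hits
```

The forwarding host 5.6.7.8 only ever scores 1.0 and is delivered, while the real source 1.2.3.4 advertising the listed domain crosses the block threshold.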

Joe continued, "My main advice for people running Web sites and mail servers who want to avoid ending up in IP blacklists (other than not spamming, of course) is to pick their [ISP and hosting service] well. Make sure [the provider has] a strong acceptable use policy (AUP) and [that they] enforce it. [Perform] some due diligence and don't just go for the cheapest offer. Otherwise your business could end up paying for the [mistakes] of others [in the event that] your [ISP and hosting service] get blacklisted. If you run any mailing lists, do make sure to use confirmed opt-in for all subscriptions. Sometimes people end up getting their domains listed on URL blacklists because they paid shady online marketing companies for sending bulk email. Just because someone claims to have an opt-in mailing list doesn't mean it actually is one. Check out how long they've been around and what kind of references to them you can find on the Web. Emails from a known spam source advertising a freshly registered domain are a big red flag for us. Therefore, do some research before you pay someone to do marketing for you, or you could harm your reputation."

The same holds true for your junk-mail-filtering solution, whether you use one in-house or an outsourced service. Check it for functionality, accuracy, reputation, support, and responsibility, then choose wisely.
