An Unwelcome Afterlife for a Long-Dead Blacklist
by J.D. Falk
Director of Product Strategy, Receiver Services
There are still a few weeks before Halloween, but have we ever got a scary story for you — and every word of it is true. (Imagine we’re sitting around a campfire, chowing down on s’mores, flashlights under our faces.)
Seven years ago, on this very internet, there was a man named Matthew who was angry about spam. Now sure, there are lots of people angry about spam, and some of them are named Matthew, but this particular Matthew decided that he was going to do something about it.
Matthew noticed that a lot of spam came from foreign countries, and that he didn’t get any real mail from people who lived there. So he created blacklists for each country that sent him spam. Then he noticed that a lot of spam came from particular large ISPs, and he created blacklists for each ISP that sent him spam. Soon Matthew had a lot of lists, and some of them were very big.
Five years passed, and suddenly Matthew and his lists disappeared! Nobody knows where they went — well, somebody probably knows, but they aren’t telling, and it doesn’t matter for this story. What does matter is that everyone forgot about blackholes.us, yet a lot of email systems were still configured to query those lists.
The IP addresses of the blackholes.us nameservers were assigned to somebody else, but those IP addresses continued to receive queries from all of those old email systems. None of those queries ever returned with an answer, yet they would not die! It was a zombie blacklist!
Nobody likes to have a zombie blacklist on their network, but zombie blacklists are nearly impossible to kill. The people who now control those IP addresses made the drastic decision, just a few days ago, to set up new nameservers where blackholes.us nameservers used to be. These new nameservers give the zombie blacklist new life, more virulent and destructive than ever before: they respond to every query as if the IP address were actually on the blacklist!
In other words: if an email server asks about 22.214.171.124, the zombie blacklist will now gleefully say yes! Reject that message!
If an email server asks about 126.96.36.199, the zombie blacklist will now gleefully say yes! Reject that message!
No matter what IP address the email server asks about, the zombie blacklist says yes! Reject that message, and damn the consequences!
“When there’s no more room in hell,” said a tired survivor hiding in a shopping mall, “the dead will walk the earth.” When there’s no more room for queries, dead blacklists will list every IP.
The anonymous yet angry people who chose to invoke the dark powers and resurrect this zombie blacklist think that responding with a yes! for every IP address will force email administrators to stop using blackholes.us in their mail servers — and they’re probably right. But it’ll also cause a lot of legitimate email to be rejected in the meantime, and that sure is unfriendly. The Anti-Spam Research Group (which may also be a zombie now) wrote a document which specifically calls out that method as a bad practice.
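A mail administrator can catch a list that answers yes for every IP address before it starts rejecting legitimate mail. The following is an added example, not code from the original post: it relies on the RFC 5782 convention that an IPv4 DNSBL must list 127.0.0.2 and must not list 127.0.0.1, and the zone name `dnsbl.example`, the verdict strings and the stand-in resolvers are all constructed for illustration.

```python
import ipaddress
import socket

MUST_LIST = "127.0.0.2"      # RFC 5782 test entry: every IPv4 DNSBL lists it
MUST_NOT_LIST = "127.0.0.1"  # RFC 5782: no IPv4 DNSBL may list it

def dnsbl_qname(ip, zone):
    """192.0.2.1 + dnsbl.example -> 1.2.0.192.dnsbl.example"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_lookup(qname):
    """A records via the system resolver; [] when the name does not resolve.
    Timeouts also come back as [] here, so a dead zone reports 'empty'."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []

def check_zone(zone, lookup=system_lookup):
    """Classify a DNSBL zone before trusting its answers for mail rejection."""
    try:
        neg = lookup(dnsbl_qname(MUST_NOT_LIST, zone))
        pos = lookup(dnsbl_qname(MUST_LIST, zone))
    except TimeoutError:
        return "dead"                # queries never come back
    loopback = ipaddress.ip_network("127.0.0.0/8")
    if any(ipaddress.ip_address(a) not in loopback for a in neg + pos):
        return "foreign-answer"      # answers are not DNSBL return codes
    if neg:
        return "lists-everything"    # the zombie behaviour: yes for every IP
    if not pos:
        return "empty"               # responds, but lists nothing at all
    return "ok"

# Constructed resolvers standing in for DNS so the example runs offline.
def zombie(qname): return ["127.0.0.2"]
def silent(qname): raise TimeoutError(qname)
def parked(qname): return ["203.0.113.7"]
def healthy(qname): return ["127.0.0.2"] if qname.startswith("2.0.0.127.") else []
def shut_down(qname): return []

def demo():
    zone = "dnsbl.example"  # hypothetical zone name
    return {f.__name__: check_zone(zone, f)
            for f in (zombie, silent, parked, healthy, shut_down)}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10} {verdict}")
```

Any verdict other than `ok` is a reason to take the zone out of the mail server's configuration.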
There’s no happy ending to this story, kids. To quote another scene in that same mall: “When the dead walk, Senores, we must stop the killing — or lose the war.”
But this doesn’t mean you have to spend your whole life locked inside a mall, hiding from zombies and blacklists. If you send email that appears to be rejected because of blackholes.us, contact the administrator of the site you were sending to, and ask them to read the current blackholes.us web site — bad grammar and all. Tell them there are better blacklists they could be using, operated in accordance with best practices learned from long experience.
Of course, they probably won’t get your email, but at least you will have tried.
Time for bed, now. Go on back to your tents, and don’t trip over those old headstones. Whose idea was it to camp in an abandoned graveyard, anyway?
Additional reporting for this post provided by Neil Schwartzman