How To (or How Not To) Operate a Blacklist
by J.D. Falk
Director of Product Strategy
On the Word to the Wise blog, Steve Atkins has been publishing a series of articles describing — in impressive detail — everything he feels is wrong with the SORBS blacklist, both before and after it was purchased by spam filter vendor GFI. Return Path staff have seen many of the same issues when trying to help our clients deal with SORBS listings, so we can certainly sympathize with the many frustrated comments.
Turn Steve’s articles on their head, however, and you’ve got a set of Best Practices for how to run a blacklist — or any other popular anti-spam service. These can also help mail system operators evaluate which blacklists they’d like to use. For example:
1. Respond to inquiries quickly and professionally, especially during or after a known issue.
2. Listing policies must be clear and consistent.
3. Any lookup or removal tools should be accurate, easy to use, and actually work.
4. Lists of dynamic IP addresses should be developed in collaboration with the ISPs or other entities who own and assign those IPs.
5. Cross-check against internal and external sources in order to catch bad data before it’s published to the world. For example, if your system is about to push out an update which includes IPs on our Certified list, put it on pause until you can perform a manual review to make sure.
6. Wide listings (such as a /16) should be rechecked regularly to ensure that they’re still appropriate.
8. When you do suffer an attack, be transparent! Your supporters will understand, and many will offer to help.
9. Understand that when someone contacts you for removal, or with questions, chances are pretty good that they’re having a really bad day. Often it’s the first time they’ve even become aware of the concept of an IP blacklist. They’ll be panicky, perhaps irrational. Have some compassion even while you’re being firm, and they’ll eventually settle down and react in kind. They may even support your work in the future.
10. In a similar vein, the ISPs and other mail operators who use your list are your customers. That’s who you’re responsible to. Piss them off, and nobody will use your list — which means you’ve got no influence over the email ecosystem, which means you won’t stop any spammers.
11. And finally, work with the larger anti-spam community, not against it. That’s where you’ll get your best intelligence, and your most effective supporters.
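One way to turn items 5 and 6 into an automated pre-publication gate, as an added example that is not code from Return Path, SORBS or GFI: an update is held for manual review if any candidate listing overlaps a certified (allowlisted) range, and wide listings are flagged for periodic recheck. The /24 and /48 "wide listing" thresholds and the sample ranges are assumptions.

```python
"""Pre-publication gate for a blacklist update, covering items 5 and 6 above.
Added example; not code from Return Path, SORBS or GFI. The "wide listing"
thresholds (/24 for IPv4, /48 for IPv6) are hypothetical choices."""
import ipaddress
from dataclasses import dataclass, field

# Hypothetical thresholds: a prefix shorter than this counts as a wide listing.
WIDE_PREFIX_MAX = {4: 24, 6: 48}


@dataclass
class GateResult:
    publish: bool = True
    certified_conflicts: list = field(default_factory=list)  # (listing, hits)
    wide_listings: list = field(default_factory=list)


def check_update(candidates, certified):
    """candidates: IPs/CIDRs about to be published; certified: allowlisted IPs/CIDRs.
    Returns a GateResult; publish is False whenever manual review is required."""
    cand_nets = [ipaddress.ip_network(c, strict=False) for c in candidates]
    cert_nets = [ipaddress.ip_network(c, strict=False) for c in certified]
    result = GateResult()
    for net in cand_nets:
        # Item 5: any overlap with a certified sender is bad data; pause the push.
        hits = [str(c) for c in cert_nets
                if c.version == net.version and c.overlaps(net)]
        if hits:
            result.certified_conflicts.append((str(net), hits))
        # Item 6: wide listings are allowed but flagged so they get rechecked.
        if net.prefixlen < WIDE_PREFIX_MAX[net.version]:
            result.wide_listings.append(str(net))
    result.publish = not result.certified_conflicts
    return result


if __name__ == "__main__":
    # Constructed sample data using documentation ranges, not real listings.
    update = ["192.0.2.45", "198.51.100.0/24", "203.0.0.0/16"]
    certified = ["198.51.100.17", "2001:db8::/32"]
    r = check_update(update, certified)
    print("publish automatically:", r.publish)
    for listing, hits in r.certified_conflicts:
        print(f"HOLD {listing}: overlaps certified {', '.join(hits)}")
    for listing in r.wide_listings:
        print(f"RECHECK {listing}: wide listing, schedule periodic review")
```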
As for GFI, we can certainly understand that it takes a while to merge an existing product into a new parent company. It took us a few years to fully absorb the old Bonded Sender Program, but we learned from those experiences and were able to add the Habeas Safelist in a matter of months; now they’re both living happily side-by-side as Return Path Certified. I’m sure GFI can do the same with SORBS, given sufficient desire and resources.
In the meantime, there are other blacklists (including Return Path’s Reputation Network Blacklist) which have already been following the best practices listed above, and thus are probably much safer to use.
Remember: for mail operators it’s not the size of the list that matters, it’s whether it helps them block the spam they don’t want and still receive the mail they do want. These practices can help ensure that your list does exactly that.