How To (or How Not To) Operate a Blacklist

Posted by J.D. Falk on

by J.D. Falk
Director of Product Strategy

On the Word to the Wise blog, Steve Atkins has been publishing a series of articles describing — in impressive detail — everything he feels is wrong with the SORBS blacklist, both before and after it was purchased by spam filter vendor GFI. Return Path staff have seen many of the same issues when trying to help our clients deal with SORBS listings, so we can certainly sympathize with the many frustrated comments.

Turn Steve’s articles on their head, however, and you’ve got a set of Best Practices for how to run a blacklist — or any other popular anti-spam service. These can also help mail system operators evaluate which blacklists they’d like to use. For example:

1. Respond to inquiries quickly and professionally, especially during or after a known issue.

2. Listing policies must be clear and consistent.

3. Any lookup or removal tools should be accurate, easy to use, and actually work.

4. Lists of dynamic IP addresses should be developed in collaboration with the ISPs or other entities who own and assign those IPs.

5. Cross-check against internal and external sources in order to catch bad data before it’s published to the world. For example, if your system is about to push out an update which includes IPs on our Certified list, put it on pause until you can perform a manual review to make sure.

6. Wide listings (such as a /16) should be rechecked regularly to ensure that they’re still appropriate.

7. Systems should be compartmentalized such that a denial-of-service attack against public, visible servers does not prevent staff from operating the service.

8. When you do suffer an attack, be transparent! Your supporters will understand, and many will offer to help.

9. Understand that when someone contacts you for removal, or with questions, chances are pretty good that they’re having a really bad day. Often it’s the first time they’ve even become aware of the concept of an IP blacklist. They’ll be panicky, perhaps irrational. Have some compassion even while you’re being firm, and they’ll eventually settle down and react in kind. They may even support your work in the future.

10. In a similar vein, the ISPs and other mail operators who use your list are your customers. That’s who you’re responsible to. Piss them off, and nobody will use your list — which means you’ve got no influence over the email ecosystem, which means you won’t stop any spammers.

11. And finally, work with the larger anti-spam community, not against it. That’s where you’ll get your best intelligence, and your most effective supporters.
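The cross-check in item 5 can be a small gate in the publishing pipeline. The sketch below is an added example, not code from Return Path or any blacklist operator: the function names, the `HOLD`/`PUBLISH` decision values, and the sample ranges are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample data using documentation ranges (RFC 5737), not real listings.
PROTECTED = ["192.0.2.0/28", "198.51.100.0/26"]   # stand-in for a certified/allow list
PENDING = ["192.0.2.0/24", "198.51.100.25", "203.0.113.7", "203.0.113.128/25"]


def parse(entries):
    """Parse IPs/CIDRs; strict=True raises ValueError on malformed ranges."""
    return [ipaddress.ip_network(e.strip(), strict=True) for e in entries]


def find_conflicts(pending, protected):
    """Return (pending_entry, protected_entry, affected_addresses) for every overlap.

    A string comparison would miss a pending /24 that swallows a protected /28,
    or a single pending IP that sits inside a protected range, so compare as networks.
    """
    protected_nets = parse(protected)
    conflicts = []
    for net in parse(pending):
        for prot in protected_nets:
            if net.version == prot.version and net.overlaps(prot):
                # CIDR blocks are nested or disjoint, so the overlap is the smaller block.
                affected = min(net.num_addresses, prot.num_addresses)
                conflicts.append((str(net), str(prot), affected))
    return conflicts


def gate_update(pending, protected):
    """Pause the whole push if anything in it touches a protected range."""
    conflicts = find_conflicts(pending, protected)
    return ("HOLD" if conflicts else "PUBLISH"), conflicts


if __name__ == "__main__":
    decision, conflicts = gate_update(PENDING, PROTECTED)
    print(decision)
    for pending_entry, protected_entry, affected in conflicts:
        print(f"  {pending_entry} overlaps {protected_entry} ({affected} protected addresses)")
```

A `HOLD` result is the signal to stop the push and hand the listed conflicts to a person for the manual review described in item 5.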

The Anti-Spam Research Group has a draft standard detailing additional best practices for blacklist operators, including how to shut it down smoothly.

As for GFI, we can certainly understand that it takes a while to merge an existing product into a new parent company. It took us a few years to fully absorb the old Bonded Sender Program, but we learned from those experiences and were able to add the Habeas Safelist in a matter of months; now they’re both living happily side-by-side as Return Path Certified. I’m sure GFI can do the same with SORBS, given sufficient desire and resources.

In the meantime, there are other blacklists (including Return Path’s Reputation Network Blacklist) which have already been following the best practices listed above, and thus are probably much safer to use.

Remember: for mail operators it’s not the size of the list that matters, it’s whether it helps them block the spam they don’t want and still receive the mail they do want. These practices can help to ensure that that’s what your list does.

