Blacklist notifications? Think again.

Infacta's "Messaging Times" posted a generally good article today on what you should be doing to minimize blacklistings. Except...

The article posits that "blacklist agents" should "contact senders that were reported prior to listing them with a plain-English explanation of what was reported and give them an opportunity to respond appropriately prior to being blacklisted. This process should be clear with instructions that are easy to follow."

Whoa. This is untenable on every possible level. Why?
  • The vast majority of this spam is coming from forged addresses, overseas IPs, or infected machines (or all of the above). Notification to the listee is far from trivial and it will send bogus notifications to the wrong person 99% of the time. It is not worth it just to notify the 1% person who is actually reading his postmaster/abuse mailbox and speaks English.
  • It just doesn't scale. Consider: My tiny random site receives, on average, ten thousand spams each day. Of the (approximately) 807,998 spams I've received since March 10, they came to me from 532,958 unique IP addresses. You expect me to send out over five hundred thousand notifications? Now explode that out exponentially to the real levels that blacklists deal with (which reveal my volumes to be puny).
  • Smart senders check their bounces. The default configuration for blacklist usage includes a clear message with every bounce containing a link to a site or reference code with more information. This is notification. Do your due diligence and you'll notice a blacklisting within minutes or hours of it taking place. In most cases it is then easily and simply resolved.
  • Smart senders periodically check blacklists to see if their IP addresses are listed. Any good email service provider (ESP) offer this service. Sites like DNS Stuff and Open RBL make it easy to check a bunch of lists at once.
  • Good email actually doesn't get blacklisted very often. Sure, there are badly run blacklists out there (and I catalog both good and bad ones over on, but most lists are not run by bad guys and are not out to attack people sending regular opt-in mail. If you are regularly ending up on lists like Spamhaus, NJABL, CBL, etc., then you're probably doing something wrong. If you're regularly getting blocked at Yahoo, Hotmail, or AOL, then you're probably doing something wrong. Fix your list. Stop trying to blur the lines of permission. Stop mailing to bounced email addresses repeatedly. Confirm new signups. Re opt-in your existing lists. Be proactive. It's not up to some external third party to tell you that you screwed up; if you let it go and got bitten by a blacklisting, you've usually got nobody to blame but yourself. The real problem is whatever caused the blacklisting, not the lack of a notification.
Notifying everybody listed on a blacklist is a noble goal. It was a goal of mine, back when I created the RRSS blacklist in 1999 (that later went on to become the MAPS RSS). Back then, I found that notifications did nothing but annoy unrelated parties and generate more bounces back to my own mailbox. It's telling that today, no blacklist I'm aware of notifies somebody before placing them on the list. For a lot of these lists, the point is to mitigate the potential damage of spam being received from listed hosts, while the host's owner or ISP is asleep at the wheel, not to prod the host owner to be friends with them.

Next, the article mentions "email authentication systems" referring to things like Goodmail and Sender Score Certified. These are actually email certification services, not authentication systems. You can choose to participate in a certification system, but it's not required on any level to get your mail delivered. Email authentication systems are actually things like SPF (Sender Policy Framework), Sender ID, DomainKeys, and DKIM. These all make it easier for receivers to identify senders and help their efforts to improve their ability to discern the good mail apart from the bad mail. They don't cost anything. SPF and Sender ID are things you set up in your DNS and can be done in about five minutes if you're technically inclined. DK/DKIM require support at the mail server sending side. Sometimes this is free, sometimes it might require an upgrade. This is like upgrading any piece of software, though, and it it's part of some conspiracy to make you pay to have to send email. (I think in the future you'll find just about every free or commercial mail server software will support DK or DKIM.)

And finally, the article asks the question, "Since when did the world "free" become a bad word?" The answer is: It didn't. It's not. The vast majority of spam content filters don't do anything so simplistic as to filter or block a message just because it contains the word "free." Don't be afraid to use the word "free." If you're not sending spam, it's not likely to get you blocked.

No comments:

Post a Comment

Comments policy: Al is always right. Kidding, mostly. Be polite, and you're welcome to join in, even if it's a differing viewpoint.