The Beatings Will Continue...Forever

It seems to me that there are a few different reasons why you'd want to list an IP address on a blacklist.

  1. Proactive prevention of an issue; things like listing of dynamic and non-SMTP space; things that shouldn't connect to your mail server, and if they do, that alone is typically a spam sign.
  2. Reaction to a specific issue, like spam received from a server. From where one spam message comes, more are likely to follow.
  3. Spam support, somebody in league with spammers or providing some sort of service to spammers.

But there seem to be really only two possible goals for any kind of blacklist issue.
  1. Protect my network. I'm receiving spam from this IP address, so it's fair for me to protect my users by not letting any more spam through from this IP address.
  2. Push the bad guys to reform with a combination of carrot and stick. While you're bad, you can't mail me. When you change to be good, I'll let you email me again.
  3. ???????? NYARRR, I'M ANGRY!! The sort of mentality where they say, to hell with you, you don't deserve to be able to send email to anybody ever again. Sometimes validly so, but do the people this gets aimed at really end up going away? And, is it always merited? The beatings will continue forever, no matter what, there's nothing you can do about it.

What's your goal when blacklisting an IP address? On a personal server, "set it and forget it" makes more sense. That IP address sent spam, so now it's dead to me. For a public, widely-used blacklist, that seems to make less sense. If somebody gets blacklisted by a blacklist like Spamhaus for hitting spamtraps, and if there's no opportunity to ever get delisted, what is the incentive for the sender to clean up their list?

It's easy to say "nobody should send spam ever," but there's a long history of blacklists helping to improve the email ecosystem by engendering change; by pushing bad senders to become good senders. Right?

I'd be curious to hear any thoughts y'all might have on this topic. What's the best possible policy for a blacklist in this situation? Why does it matter, or why doesn't it matter? Your feedback welcome.

3 comments:

  1. We list IPs on our blocklist using a statistical algorithm. If an IP exceeds a threshold of sending a certain amount of mail marked as spam over a certain time period, it is added to our internal BL. It is agnostic as to the source, it only focuses on content.

    Basically, it is an attempt to shift our blocks from our content filters to our IP filters.

  2. But, you have pretty easy remediation steps, in case a sender wants to reach out to you to ask for a block to be removed. Do you feel a remediation step is important? I kind of do; I think it implies a carrot vs. a stick approach: if people clean up, you want to let their mail through, right? That would be an impetus to clean up. Would be curious as to what you think about that.

  3. Someone who behaves like a jerk has zero business running a blacklist, or even running filters for anything larger than an Etch A Sketch (or a P-III pizzabox running FreeBSD for self, girlfriend and pet dog).

    Run across that kind of genius (even at some largish ISPs, govt agencies etc) the same way I've run across great, brilliant people doing this - in over a decade of doing this (and you've been doing this rather longer than I have, Al, so ..)

    There ARE some cases where I simply up and block some IP space on a large scale - cheap datacenter with a revolving door type history of hosting one snowshoer after the other, for example.

    Or some ESPs that like to put coreg / leads IPs right next to IPs sending single opt-in, right next to IPs sending for "high value clients". If the collective reputation of their bad clients (and translated to DKIM that'd mean repD = sum(repI1 + repI2 + ...), d= being the aggregate reputation of all the i= clients.

    [there are at least two or three ESPs that have tried keeping both types of clients, and found themselves blocked, and in one memorable case, multiple SWIPs, so that one range - run by a former employee - is snowshoe, another range is coreg, yet another range is Fortune 500s .. spread across a /20] ..


Comments policy: Al is always right. Kidding, mostly. Be polite, and you're welcome to join in, even if it's a differing viewpoint.