Zombie Blacklists: Life Goes On

J.D. Falk expresses some legitimate concern about zombie blacklists over on the ReturnPath blog. Blackholes.us resurrected from the dead, and looking for delicious brains to snack on. Or something.

The guy that ran blackholes.us seems to be long gone and the new owners of the IP space and domain seem none too pleased with the residual traffic stinkin' up their network.And I can't fault them for that frustration.

"Listing the world" was their solution to the problem. Listing the world means hacking one's nameserver to return positive responses for every query. The net result is that for a domain being used as a DNSBL, every inbound email generates a "positive" result, meaning the sending IP is (supposedly) blacklisted, and the mail is rejected. Meaning that if you are using a long-dead blacklist in your mail server configuration, and that blacklist "lists the world," then you suddenly stop receiving inbound mail. One hundred percent of your inbound mail is deemed to be spam, until you yank that dead blacklist from your mail server's settings.

Okay, it's bad. It's not the right way to do things. It's not the best practice. I've talked a bit about shutting down blacklists before, and I can understand the frustration felt by those who feel that blacklist operators need to handle things better.

But, it's time to get over it and get on with our lives. This is the new way things work. Blacklists die, and people who run them aren't usually pros. They're just regular joes, and they want that traffic away from them, fast, because it irritates them.

And if you think a blog post is going to suddenly stop ex-blacklist admins from dropping in wildcard DNS entries, you're mistaken. It's the best way, it's the fastest way, to stop that traffic dead. And that's just not my opinion, because just about every recent instance of a blacklist shutting down is accompanied with mention of wildcard DNS entries.

Yes, it makes mail bounce. Yes, it causes some short term pain. What it really does, though, and rightfully so, is it reminds us that mail server administrators need to be more on the ball. They need to actually review their DNSBL stats and denote that blacklist X has never had so much as a single hit in the past year and a half. They need to do a Google search for that blacklist periodically and make sure it's still known to be up and running.

You've been sucking up my bandwidth uselessly for the past two years, an ex-blacklist operator is thinking, and you want me to care about how you might lose some legitimate email for a day until you realize that your mail server configuration is out of date? That ex-blacklist operator could care less, and I don't blame them.

If you're going to use a blacklist, make sure you sign up for that blacklist's announcement list. (And if you run a blacklist, make sure you have an announcements email list.) Watch sites like my own DNSBL Resource (RSS) and the excellent SpamLinks DNSBL info page. Set yourself a schedule, with a Google calendar or Outlook calendar reminder, to review the lists of blacklists you're using every six months.

By the way, in the past week, I've reported on three different dead blacklists. It's nice that somebody else highlighted the closing of blackholes.us, but what about the other two? They both make mention of wild card DNS entries as a possibility or likelihood in the near future.


Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.