After an over-the-top endorsement of blacklists in his e-letter, ntsecurity editor Mark Joseph Edwards got a mailbag-full: “We had an issue last year where Spamhaus blacklisted my ISP due to … another one of [the ISP’s] customers sending spam. We were prevented from sending mail to some customers for up to four weeks. In direct conversations with Spamhaus, I did not find them at all responsive. I felt that they were vigilantes that held me hostage.”
Another writer notes that blacklisters “generally don’t mind creating collateral damage. Some even encourage this as a way to put pressure on ISPs and other hosts.”
He singles out SpamCop as a particularly aggressive example, to which writer Joe Wein adds, “While it catches a lot of spam, it has a much higher false positive rate than Spamhaus and even other services… Because SpamCop does not follow the Received lines through [to] the real culprit, the servers of the auto-forwarding ISP end up getting listed instead of the spam source that hit the initial forwarding ISP.”
Wein concludes, “A combination of IP blacklists, domain blacklists and content-based scoring (such as detecting known bulk email software and/or Bayesian filters) offers the best results overall.”
To which we can only add, “Bravo… Especially if it’s the right combination.”
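
The forwarding problem Wein describes, as an added example that is not from the letters or from any blacklist's own code: walk the Received lines from the top, continue only through relays you trust, and stop at the first untrusted peer, since lines below it can be forged. The trusted-forwarder list, hostnames, documentation-range IPs and the bracketed-IP Received format are all assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: forwarders we trust to write honest Received lines.
TRUSTED_FORWARDERS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample: top line written by our MX, second by the forwarder,
# third supplied by the sender and therefore not trustworthy.
SAMPLE = """\
Received: from fwd1.forwarder.example (fwd1.forwarder.example [192.0.2.10])
\tby mx.recipient.example with ESMTP; Wed, 25 Oct 2006 11:00:02 +0000
Received: from bulk.sender.example (unknown [203.0.113.77])
\tby fwd1.forwarder.example with SMTP; Wed, 25 Oct 2006 11:00:01 +0000
Received: from mail.bank.example (mail.bank.example [198.51.100.5])
\tby bulk.sender.example with SMTP; Wed, 25 Oct 2006 10:59:00 +0000
From: a@example.invalid
Subject: constructed test

body
"""

PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def listing_candidate(raw_message, trusted=TRUSTED_FORWARDERS):
    """Return the IP that handed the message to the trusted relay chain."""
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):  # newest hop first
        match = PEER_IP.search(header)
        if not match:
            return None  # unparseable hop: stop rather than guess
        try:
            peer = ipaddress.ip_address(match.group(1))
        except ValueError:
            return None
        if not any(peer in net for net in trusted):
            # First peer outside the trusted chain. Every Received line
            # below this one came from that peer and may be forged.
            return str(peer)
        # Peer is a trusted forwarder, so it wrote the next line down.
    return None

if __name__ == "__main__":
    print("forwarders trusted:", listing_candidate(SAMPLE))
    print("no forwarders trusted:", listing_candidate(SAMPLE, trusted=[]))
```

With an empty trusted list the function returns the forwarder's own address, which is the mislisting described above.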

1 comment
October 25th, 2006 at 11:36 am
Anonymous Lumberjack
Filters are great, but they are expensive (for bandwidth costs and processing requirements on my end) because the cost of spam is still my burden. Blacklists work extremely well because the blocked spam never enters my system in the first place, and pressure is put on the sending systems’ upstream providers to clean up their act when users complain that their eMail is blocked.
“Clueless” is the word I’d use to describe you because spammers
regularly forge Received SMTP headers. If SpamCop.Net believed every
Received SMTP header it found, then I wouldn’t use it.
You also call it a “false positive” when an entire ISP’s netblock is
blacklisted, but I don’t see it this way — to me, if the ISP gets
their entire netblock blacklisted, then there’s obviously a very
serious problem on their systems and the only ones who will truly have
the needed influence to put an end to the spam problem are the paying
customers who don’t like being blacklisted.
I see it as completely justifiable to blacklist an ISP’s entire
netblocks after they’ve demonstrated that they don’t take the spam
problem seriously, because they 1., don’t terminate spammers (ignoring
abuse reports may be part of the problem), and 2., are more likely to
acquire additional spammers as customers (ISPs who take the spam
problem seriously tend to be far less attractive to spammers).