I Hate Spam Blacklists
I hate spam. But I think I hate spam blacklists more. Earlier today, a company that I do a lot of business with had their email server address added to a spam blacklist. Since the email hosting provider I use screens inbound email using that blacklist, nobody from that company can email me until they get de-listed.
That's frustrating because neither I nor any of the employees at the company have any control over it. A mysterious third-party blacklist maintainer makes the decision using whatever criteria they want. I'm confident the company in question doesn't engage in any spamming, so whatever has caused it to be added to the list is clearly an error of some sort.
I've had this happen to mail servers of companies I have run in the past. Often it has been a case of the blacklist provider adding a whole range of IP addresses from an individual hosting company. That's the most egregious approach I can think of, as it clearly penalizes customers with servers that have never engaged in spamming. In another case, one of our servers was assigned a new IP address for the mail server as part of a migration and it turned out that IP address was on one or more blacklists.
So as much as I hate spam, I hate seeing blacklists cause the havoc they do. (And before you tell me I just shouldn't use a provider that uses a blacklist as part of a screening process, it isn't that simple. And more to the point even if I didn't use such a provider, others would. And until blacklist providers operate more in the open and with less of a "guilty until proven innocent" approach, it will still punish too many innocent companies and their employees.)

I've definitely run into this issue before. The company I was working with had a legitimate subscriber list that they would occasionally use to send out announcements. Some of the people on the list reported it as spam even though they subscribed to the list and there were at least 2 unsubscribe links in every e-mail.
After about 3 days of arguing with the blacklist providers, we finally had our name removed from the list. So, 2 employees spent 3 days fixing a problem that shouldn't have happened.
Posted by: Ian Muir | Sunday, March 04, 2007 at 12:29 AM
Tough issue. I'm on both sides.
Further to Ian's comment, people report email as spam rather than using opt out because they don't trust the organization sending the mail. That means either the company was misusing its list, or that it had not established a trust relationship, or that the means of capturing subscribers was not a verified opt in. All blacklisters honor verified opt in lists and you will not be blacklisted if you can prove that your list is pure.
Moreover, the reason we don't trust emailers is that we've been conditioned to expect to be added to more spam lists if any links in an unwanted email are clicked. So, while I sympathize with the problems caused by the blacklisting, the company he was with probably bears some of the blame. Unfortunately spam has become such a severe problem, with virtually no effective regulation, that companies are taking extreme measures to protect their bandwidth, their servers from infection by worms and viruses, and their employees' time.
On the other hand, I also hate blacklists, but not because they are inherently bad, but because most companies that subscribe to blacklists misuse them. If the assumption is that anything on a blacklist is bad, or if primitive scoring algorithms that assign extremely high values to presence on a blacklist without other clear indicators are used, then they are shooting themselves in the foot because they are blocking tons of legitimate business email.
At one company I worked with, for example, the CFO had to remove all filtering from his account because a) the accountancy the company used to pay their UK employees couldn't send payroll information to him, b) most consultants the company hired were on one or another blacklist and c) he couldn't get e-bills from publishers that ran their ads because most of them abused their subscriber lists and had been blacklisted. At the same company, I could not access the internal servers from a VPN account because my home IP address was in a range tagged on one of the blacklists, which also meant that I had to be whitelisted to send email to other employees.
Indiscriminate blocking is a lazy approach used by too many IT departments who snow other management into believing that it's their way or no way. There are better practices for using them; it's just that they are rarely employed.
Regardless of all that, blacklists are a poor bandaid solution that shouldn't exist. If we criminalized spamming and enacted laws with real teeth to prosecute, spam could be virtually eliminated within a few years.
Harsh? Not really. We simply refuse to recognize spamming for what it is. If someone dumps garbage in my yard, I can prosecute. If someone stands in my driveway and blocks my car from entering, or moves out of the way but drags a key across the car as I enter, they'd be charged with multiple offenses. If someone siphons gas from my car, or taps into the power line before the meter, they are recognized as the thieves they are.
Spammers are stealing expensive resources and bandwidth that the rest of us pay for. My internet account and email address belong to me -- I pay a hefty price for it and consider it my private property. So in addition to being thieves, hijackers, pirates, trespassers and guilty of property damage, lost time, and cost me otherwise unnecessary security overhead (in companies, this can mean several headcount more than necessary), they are also public nuisances.
So, in reality you have only two choices. Put up with the imperfect solution of blacklisting, or fight for laws with teeth to eliminate the need for blacklists.
Posted by: Paul | Wednesday, June 20, 2007 at 10:03 PM
Paul, I appreciate your thoughtful comments, but disagree with much of what you wrote. The company in question doesn't even maintain marketing lists (it is a consulting firm that "markets" by word of mouth only). And too often the blacklist organizations won't even share specific information about the "evidence" against the IP address in question.
And while I agree that spam is a serious costly issue, I don't believe that more laws are the answer. Unfortunately, spam is often in the eye of the beholder and it is difficult to craft a law that accounts properly for every possible scenario. If I email all of the parents on my son's baseball team, is that spam if they haven't "opted in"? And certainly companies with a business relationship with a person ought to be exempt, but what qualifies? Must it be a present customer? How about a previous one? Or someone who requested info at one point?
Even if you could reach an appropriate definition that dealt with all possible permutations, spammers are the type of people who don't have much regard for the law and ethics. Spam is already against the law (at least the kinds that are most prolific today). But it is hard to catch the individuals and many of them operate overseas anyway.
The real solution, of course, is for people to STOP RESPONDING TO SPAM. By this I mean simply: don't spend money with spammers. The only reason spam exists is because it is profitable. Spammers don't do it for the novelty, they do it for the money. As long as people still buy from spammers, they will continue to exist, no matter what the laws say.
Posted by: Chip Griffin | Wednesday, June 20, 2007 at 10:14 PM