Shelley has voiced her opinion on the evils of blacklists many times, like this:
Which leads to blacklisting. Blacklisting is going to grow as a problem, which means huge blocks of IP addresses are going to get into SPEWS and other lists like this, tainting them so they can't be used again. IP addressing is enough of a problem now without this. (Do you know that once an IP is 'dead' to a spammer, it's released back for some poor old soul to use for their legitimate site? Do you know how long it can take to clear an IP address from all the lists?)
and so have I in other people's comments but, until now, not here. Blacklists are evil. They punish the innocent as well as the guilty (spammers). Of the lot I personally think that SPEWS is the worst because it really doesn't provide a timely and effective way for innocents to get their IP addresses removed from the list. Here's an example. For about the last year, until just last week, I was unable to email Shelley directly because at some point in the past the IP address I have was used for about a week (the time it took us to catch him) and a large range of my company's IP addresses ended up in SPEWS. Even though that IP was only used for SPAM for a week or less it took over a year to get that block of IPs out of SPEWS. In the meantime it cost my company lost sales as customers moved on because their email was getting bounced.
There is no legislation governing these groups, making them behave in a trustworthy and responsible fashion. None. Because they do not "promote" their lists but instead let people find them by word of mouth and use them strictly on an "at your own risk" basis they cannot be sued if someone uses their list and business is lost as a result. Want to know how really bad it can/could/has gotten? Here's an interesting article I ran across today:
...what would happen if a trusted DNS blacklist went bad and declared that every IP address in the world belongs to a spammer? Alex El Homsi, the president and CEO of Woburn, Mass.-based Trilog Group Inc., which makes a development platform for Domino programmers, watched that scenario unfold when a list run by Monkeys.com added code that made everyone look like a spammer.
"That was the most obnoxious thing that anyone has done in e-mail history," said El Homsi, who wasn't sure how many of his company's e-mails were lost as a result of the shoddy blacklist. "These guys are just so stupid to just do this."
Now the guy that runs Monkeys.com had a good reason for doing that which, if you read the article, you'll see, but it illustrates the potential for disastrous consequences should one of the more popular lists such as SPEWS or SPAMHAUS get hacked and such code added. Add to that the many sysadmins who combine blacklists to create their own local version, to speed up scanning, and you have a terrible possibility of mistakes being spread far and wide. As the person goes on to say:
For one, Osterman said, they aren't a very effective way to block spam because they are only successful 5% to 15% of the time. Also, he said, it's easy for legitimate organizations to get blacklisted by mistake, which El Homsi witnessed firsthand. "Blacklists need to be updated constantly to make sure that they are accurate and don't contain any false positives," Osterman said.
Osterman said it is particularly easy to inadvertently get blacklisted these days, thanks to new viruses like MyDoom that copy people's IP information and send junk mail under stolen names.
The latter is probably the most compelling reason to abandon blacklists. There are now hundreds of thousands of compromised computers scattered across the globe with trojan backdoors installed on them, courtesy of naive/stupid/uncaring users who open virus-laden emails. Those IP addresses are getting added to the blacklists as the hijacker uses the backdoor to send SPAM without the user's knowledge.
Blacklists are just plain bad news for everyone. It's time to move on.
Posted by The Dynamic Driveler at April 12, 2004 10:56 PM
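The "list that declares every IP a spammer" scenario above, as an added example that is not part of the original post or the quoted article: a Python sketch of how a mail server queries a DNS blacklist, and how it can refuse to trust a list that has started answering for every address by probing the RFC 5782 test entries first. The zone names `good.example` and `bad.example`, the fake resolver and the sample addresses are constructed for illustration.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def query_name(ip, zone):
    """DNSBL lookup name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """A-record lookup via the system resolver; [] means no record."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(ip, zone, resolve=system_resolve):
    # A listing is any answer inside 127.0.0.0/8; ignore anything else.
    return any(ipaddress.ip_address(a) in LOOPBACK
               for a in resolve(query_name(ip, zone)))

def list_health(zone, resolve=system_resolve):
    """RFC 5782 test points: 127.0.0.2 is always listed, 127.0.0.1 never."""
    if is_listed("127.0.0.1", zone, resolve):
        return "lists-everything"
    if not is_listed("127.0.0.2", zone, resolve):
        return "not-answering"
    return "ok"

def zones_listing(ip, zones, resolve=system_resolve):
    """Zones that list ip, skipping any zone that fails its health check."""
    return [z for z in zones
            if list_health(z, resolve) == "ok" and is_listed(ip, z, resolve)]

# Constructed resolver standing in for DNS so the example runs offline.
HEALTHY = {"2.0.0.127.good.example": ["127.0.0.2"],
           "9.2.0.192.good.example": ["127.0.0.2"]}

def fake_resolve(name):
    if name.endswith(".bad.example"):   # list that answers for every name
        return ["127.0.0.2"]
    return HEALTHY.get(name, [])

if __name__ == "__main__":
    for zone in ("good.example", "bad.example"):
        print(zone, list_health(zone, fake_resolve))
    print(zones_listing("192.0.2.9", ["good.example", "bad.example"], fake_resolve))
```

The same health check applies before merging several lists into a local copy, so that one failed list does not contaminate the combined data.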