Sidebar: The Dark Side of Blacklisting

Computerworld - When Chris Brown was working at Tivoli Software several years ago, the company took advantage of a black-hole list called the Open Relay Blocking System (ORBS) to fight spam. The list was eventually shut down, but not before Brown became disillusioned with the dark side of blacklists.
The reason for the disillusionment, he says, is that companies whose IP addresses were put on the list but were innocent of wrongdoing found it extremely difficult to get off the list. IP addresses typically get on the list when a blacklist's owners test and discover open-relay mail servers -- servers that are configured to relay mail on behalf of any sender -- or when mail administrators submit the addresses of mail servers they deem to be spam sources.
"At Tivoli, we toyed with blacklists, but we had numerous problems with customers trying to contact us for support and getting blocked, and that ended our foray into black-hole lists," says Brown, now a senior Unix systems administrator at Vignette Corp., a portal and content management provider in Austin.
The problem, he says, is that people can be overly aggressive when adding addresses to the system. For example, if a large company has a single misconfigured server reported to be an open relay, and that gets placed on a blacklist, its entire mail domain can be blocked, even if the company is entirely innocent of spam activity. Further, domains can get added after just a few reports of abuse -- a problem if someone is malicious or merely has incorrect information and reports it to a poorly managed list.
"Some blacklists have gotten into trouble because anyone can essentially report anyone else," says Matthew Berk, an analyst at Jupiter Research in New York. "The problem with this kind of community-based approach is that there can be network vigilanteeism. While it's a standard way of identifying people who've exhibited bad Internet behavior, getting off a blacklist is a nightmare."
Good blacklists, says Brown, share a number of traits. First, they establish a consistent set of criteria for putting an IP address on the list. Second, they rigorously test and retest suspect servers to verify the integrity of their databases. And third, they provide a process for domains to either prove they're on a list incorrectly or to correct what got them there in the beginning so they can be removed from it.
"Some services, such as ORBS, made it very difficult to get off the list. They also did a very poor job of retesting.There would be many servers that administrators had corrected that could not get off the list, and those companies would have trouble getting mail to customers, vendors or partners who used the ORBS lists," says Brown.
Today, he notes, blacklists are more trustworthy, and Vignette takes advantage of the ones configured in the PureMessage antispam software from ActiveState Corp. in Vancouver, British Columbia. "We can either enable or disable the RBL [real-time black-hole list] feature for various lists within PureMessage, and the product also allows us to subscribe to other lists as we see fit."
Gilhooly is a freelance writer in Falmouth, Maine. You can reach her at kymg@maine.rr.com.