While spam blacklists offer some protection from spammers, there are some that ban legitimate third-party IP addresses - "collateral damage" - in the hopes of prompting them to activism. We wound up on the flip side of the coin today as anti-spam blacklist SPEWS has level 2 blacklisted an entire range of our host's (NAC.net) IP addresses, including many used by our mail-server.
You probably won't find a more vocal forum community of anti-spammers than you'll find here at Broadband Reports. Now and again, users in our stopping-spam and spam and scam busters forums have been known to even hunt down spammers and shut them down via sheer determination.
Yet a range of our IP addresses has been level 2 blacklisted all the same. What's worse is that when dealing with SPEWS, their instructions for getting removed from their blacklist read like a ransom note from amateur kidnappers. In the end, trying to get unlisted can sometimes prove to be an exercise in futility, since the group is only available via newsgroup. Pop your head into news.admin.net-abuse.email, and you'll be told (among insults and clever references to Godwin's Law) what you'll need to do.
Fundamentally, it's almost a form of cyber-extortion; your IP addresses are held hostage so you'll complain to your host. While that method may work (as it's likely to do once we pressure our host to boot questionable operations), the ends do not justify the means. The majority of blacklists do not try to drive host customers to activism by blacklisting non-spamming IP addresses, and there is no hard data to support claims of one tactic being more successful than any other.
The end result with the SPEWS approach is what you'll get using automatic weapons against a cockroach-infested china shop. Entire swaths of IP addresses are left temporarily useless, while the spammers scurry on to more fertile grounds. Left in their wake are frustrated users - forced to reason with semi-anonymous newsgroup participants that are so jaded they're incapable of real discussion - and ISPs who are often equally stubborn.
Even if you do manage to convince your ISP to boot spammers (or you yourself shut down the spammers as a host), you are treated to an absence of professionalism while you wait. If you didn't get bombarded by juvenile and condescending attacks in the NANAE newsgroup, the FAQ is certain to leave you truly wanting to cooperate:
"You will probably have to wait a while, both while SPEWS makes sure you really did shut down those customers, and to give you a bit of time to think about how you got in SPEWS and how to stay out in the future." Time to think? This is a professional operation?
SPEWS started out as a simple group of concerned administrators, and quickly increased their leverage by sharing their lists with a variety of vendors and administrators. It wasn't long before "collateral damage" became a hot topic, and the group's inability to manage the list efficiently became a common complaint from those stuck in the middle. Humor site Something Awful's run-in with SPEWS is only one of the more public of such complaints.
In retaliation for both the success and failure of blacklists, spammers and non-spammers alike have been launching DDoS attacks against the lists for much of the past year. SPEWS managed to survive these attacks whereas groups like Osirisoft and Monkeys.com decided that shutting down was a better option.
This isn't to say blacklists fail to function properly. In the opinion of at least one of our site admins, Ordb.org is a perfect example of a fundamentally sound blacklist. The group blacklists open relays, and has a clear process of rechecking and delisting - providing public evidence in the process. Anyone who chooses to use a blacklist should first verify that the data they are being fed is accurate, and that the provider of that data can be held accountable. Quality blacklists should be operated within view of the public eye, with a very clear - and very public - method of investigation to resolve collateral damage.
Also, when configuring a mail server to deny access based on blacklists, admins should make sure there is feedback provided as to why the access was denied (preferably with a URL pointing back to the specific blacklist). ISPs should look into using open source software - like SpamAssassin - that combines several tried and true methods (blacklist, keywords, Bayesian filtering) and is fully customizable on a user-to-user basis.
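The two recommendations above can be sketched together. This is an added example, not code from SpamAssassin or any blacklist operator: it treats each list as one weighted signal and, when it does reject, names the list and a lookup URL in the SMTP reply. The zones, weights, URLs, threshold and DNS answers are all constructed placeholders; only the reversed-octet query format and the 127.0.0.0/8 "listed" answer follow the usual DNS blacklist convention.

```python
import ipaddress

# Constructed policy: hypothetical zones, weights and info URLs (not real lists).
LISTS = {
    "relays.dnsbl.example": (5.0, "https://relays.dnsbl.example/lookup?ip={ip}"),
    "ranges.dnsbl.example": (2.0, "https://ranges.dnsbl.example/lookup?ip={ip}"),
}
REJECT_AT = 5.0  # assumed threshold; content filters can add to the same score


def query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def evaluate(ip, resolve, extra_score=0.0):
    """Return (score, hits). resolve(name) gives an A record string or None."""
    score, hits = extra_score, []
    for zone, (weight, url) in LISTS.items():
        answer = resolve(query_name(ip, zone))
        # Only 127.0.0.0/8 answers mean "listed"; anything else is ignored.
        if answer and answer.startswith("127."):
            score += weight
            hits.append((zone, url.format(ip=ip)))
    return score, hits


def smtp_reply(ip, resolve, extra_score=0.0):
    """Build the SMTP response, naming each list and its lookup URL on reject."""
    score, hits = evaluate(ip, resolve, extra_score)
    # This reply covers list-based refusals only, so it needs at least one hit.
    if score < REJECT_AT or not hits:
        return "250 2.0.0 Ok"
    reasons = "; ".join(f"{zone} (see {url})" for zone, url in hits)
    return f"550 5.7.1 Mail from {ip} refused, listed by {reasons}"


# Constructed DNS answers standing in for a real resolver, so this runs offline.
FAKE_DNS = {
    "7.2.0.192.relays.dnsbl.example": "127.0.0.2",
    "9.113.0.203.ranges.dnsbl.example": "127.0.0.2",
}

if __name__ == "__main__":
    for client in ("192.0.2.7", "203.0.113.9", "198.51.100.1"):
        print(client, "->", smtp_reply(client, FAKE_DNS.get))
```

With these weights, an address that appears only on the broad range-based list is still accepted unless other filters also score it, which limits the collateral damage a single aggressive list can cause.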
While there's little hard data to suggest SPEWS is any more effective than other solution combinations, there's plenty of evidence that their approach is considerably more messy.