The Skinny on Blacklists

The Spamhaus Project made international headlines recently because of an ongoing legal dustup with Chicago-based direct marketer e360 Insight. As a result, the spotlight is once again on the self-appointed — some say vigilante — anti-spam cops that run blacklists.

E360 Insight sued Spamhaus earlier this year in Illinois federal court claiming the anti-spam service erroneously blacklisted e360’s servers and that the listing caused up to 60% of the marketer’s messages to get blocked. When Spamhaus failed to show up in court to defend itself, the judge issued a default ruling against it for $11.7 million. Following some legal wrangling, the case is set to go to appeal in January.

So who runs these lists? How many blacklists are there? And which ones matter?

Those who’ve been in e-mail marketing for any length of time know about anti-spam blacklists — rosters of IP addresses and domains their maintainers have decided are sources of spam, or unsolicited e-mail. Some e-mail inbox providers use these lists to help screen incoming e-mail for spam. Also, larger inbox providers, such as AOL, Microsoft and Yahoo!, maintain their own blacklists.

What many direct marketers don’t know is that their servers can get listed for reasons other than spamming. Pity the DMer that winds up on the wrong blacklist — say one of The Spamhaus Project’s lists — because that merchant may have serious troubles with e-mail deliverability. And getting off a blacklist can be yet another problem.

There are well over 100 e-mail blacklists, says Deirdre Baird, president and CEO of Phoenix deliverability concern Pivotal Veracity. “Any Joe Blow can start a blacklist.”

However, she says, most of them will have no impact on whether a marketer’s e-mail gets delivered. “Why? Because no major ISP or enterprise is using it.”

One way to determine if a specific blacklist is worth worrying about is whether its maintainers offer evidence and an explanation of what the DMer did that caused the listing. If the blacklister is responsible it’ll do this, Baird says.

A serious blacklister also will provide “some means by which to plead your case,” she adds. “If you go to its site and there are no remediation provisions or mechanisms for providing evidence that you’re not spamming, don’t bother going a step further. First, you’re not likely to ever get off that blacklist even if you can find someone to speak to but, more importantly, a lack of remediation mechanisms is also a clear sign that it is not a professional outlet. And it’s very unlikely major ISPs are using the list.”

It’s also important to remember that a DMer can operate completely in compliance with the Can Spam Act of 2003 and still get blacklisted. Anti-spammers refer to U.S. anti-spam law as the “You Can Spam Act of 2003.” The reason: The law is opt-out based. A marketer can legally send unsolicited e-mail until the recipient asks not to receive any more messages.

Therefore, DMers that follow Can Spam to the letter by, for example, sending e-mail to people who haven’t given permission, but removing them if they ask, do so at their own peril. But blacklist maintainers often make mistakes, and marketers that truly operate on an opt-in basis can plead their case and get their listing removed.

“You should be ready to supply the IP address, the date, the time and the URL of the opt-in page where the customer gave you permission,” Baird says. She adds that recording where and how mail addresses are collected also is a particularly important issue. Direct marketers “collect e-mail addresses online, over the telephone and on direct mail order forms, so it’s critical that they maintain good source data.”

And Baird asserts that any DMer that thinks only public blacklists like Spamhaus will ask for such information is wrong. “If you end up on AOL’s internal blacklist, they’re going to ask for the same information. This isn’t about all these little blacklists. This is about being able to prove you have permission from your customers. It’s good practice and prudent to maintain good source information.”

Many DMers also are under the mistaken impression that blacklists only come into play when an organization is perceived as having been spamming. Not true. Baird says companies get blacklisted because of serious, non-subjective infrastructure issues.

Blacklists such as SORBS (Spam and Open Relay Blocking System) list mail servers that have security flaws, such as open relays that spammers can exploit to flood the Internet with their garbage. According to Baird, “ISPs don’t like to receive mail from those servers because they’re poorly set up, can be hijacked by spammers, and the ISPs risk being flooded by them.”

Another public blacklist that focuses on infrastructure issues that many marketers may not know about is RFC-Ignorant.org. This site lists IP addresses and domains that fail to meet some basic, agreed-upon standards. For example, a domain that doesn’t have a working “postmaster@” address and an “abuse@” address will get listed on RFC-Ignorant.org, as will one that lacks complete contact information in its domain “who-is” record.

“RFC-Ignorant is a group of people who decided to create a blacklist of ISPs and domains that aren’t following some very 101-type rules associated with infrastructure,” Baird says.

Being listed on RFC-Ignorant.org doesn’t necessarily mean the site owner will have problems with e-mail deliverability, but it’s certainly not good to be on it. RFC-Ignorant.org bills itself as “the clearinghouse for sites who think that the rules of the Internet don’t apply to them.” Nothing requires anyone to comply with an RFC (request for comments) rule, copy on the site says.

“However, the ‘cooperative interoperability’ the net has enjoyed is based upon everyone having the same ‘rule book’ and following it,” the home page continues. “A listing here simply implies that a site has chosen not to implement the conditions described in a particular RFC. It is, of course, up to other sites to decide for themselves whether or not they wish to communicate with sites that have not chosen to implement, say, RFC2142, and have a working ‘abuse@domain’ address.”

“The reason you’re supposed to have a postmaster and an abuse address is that the people on the Internet need to be able to reach you if there’s a problem,” says Baird.

Meanwhile, DMers that outsource shouldn’t assume their e-mail service provider is checking all of its IP addresses against the various blacklists. Baird advises e-mail marketers to do this themselves, and do it often. And they can — for free — by typing in their IP addresses at DNSstuff.com. “If you mail from in-house, you probably don’t have that many IPs. Make a habit of checking if your IP is on a blacklist atleast weekly.”

Also, those who outsource e-mail shouldn’t assume their e-mail service provider is monitoring blacklists, she adds. “Ask them which particular blacklists they’re checking and ask for some report to prove it.”

Baird’s final words of advice: “Regardless whether the blacklist is big or small, if the reason [you’re being listed] is infrastructure-related, it’s important to fix the problem. If it’s a top-tier blacklist such as Spamhaus, SORBS or Spamcop and you’re listed for spam-related reasons, it’s important to at least review the evidence they provide and attempt to get delisted.”

Some Important Blacklists