We can’t live without e-mail. Even though the Internet standards warn us not to depend on any given e-mail message ever arriving at its destination, every business executive knows how important it is for the mail to get there. But if your mail server’s IP address is stuck in a blacklist—a list of addresses or domains identifying known spammers—your e-mail newsletters and individual e-mail messages will be blocked long before they get to their recipients.
Blacklists are distributed in a format which can be easily queried by Internet applications, particularly e-mail servers. Many (if not most) e-mail administrators use blacklists (sometimes called RBLs, for Real-time Blackhole Lists) as one step in their process of removing spam before it ever reaches an end user. If you discover that your site or e-mail server is included—even if it was all a terrible, terrible mistake—you will discover just how painful and time-consuming it is to get yourself off the list. And in the meantime, your e-mail traffic is cut off.
Nobody really wants this to happen—except, of course, to actual spammers. But it does happen, even to well-meaning people. Fortunately, ignorance is curable. Here are several common ways that companies find themselves blacklisted.
1. Buy an e-mail list from any random provider.
Marketers (and content-generators such as CIO.com! Did I mention we have some great newsletters of our own?) understandably want to disseminate the company’s information to as wide an audience as possible, and as quickly as possible. One common way to extend a company’s reach (a leftover of the print catalog era, but less effective online) is to buy a mailing list of qualified buyers or people who have expressed interest in similar services.
E-mail is expected to be opt-in; that is, someone must explicitly give permission to receive unsolicited commercial mail from a particular sender. Almost by definition, anyone who sells a list of e-mail addresses is distributing those IDs without the users’ consent. Permission cannot be bought, sold, bartered or assumed; it must be acquired directly from the only person who can give it: the owner of an e-mail address. Savvy spam-fighters intentionally sign up for some lists with “spam-trap” IDs just to see if the e-mail ID will be abused.
If you’re thinking of buying a list, you’d better be sure that the IDs were acquired properly—which is rare. (The SpamHaus website tells people to never buy a list of e-mail addresses for bulk distribution.) Otherwise: BAM! Straight shot to a blacklist.
2. Don’t follow industry best practices for mailing lists.
Any newsletter you send should use confirmed opt-in (sometimes called closed-loop opt-in) to ensure that the person who signed up is the person to whom the e-mail will be sent. This is a biggie. If your newsletter doesn’t follow this rule and you get onto a blacklist for any reason, you won’t be removed from the list until the confirmed opt-in issue is addressed.
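One way to implement the confirmed opt-in loop described above, as an added example that is not from the original article: the signup form only mails a signed, expiring token to the address, and the address joins the list only when that token comes back. The key, the 48-hour lifetime and all function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: a real key comes from a secret store
TOKEN_TTL = 48 * 3600             # assumption: links expire after 48 hours


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()


def make_token(email, list_id, now=None):
    """Build the token that goes into the confirmation mail sent to `email`."""
    issued = int(time.time() if now is None else now)
    payload = f"{email.strip().lower()}|{list_id}|{issued}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()


def confirm(token, now=None):
    """Return (email, list_id) for a genuine, unexpired token, else None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        email, list_id, issued = payload.decode().rsplit("|", 2)
        issued = int(issued)
    except (ValueError, UnicodeError):
        return None
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return None
    age = (time.time() if now is None else now) - issued
    return (email, list_id) if 0 <= age <= TOKEN_TTL else None


def handle_click(token, subscribers, now=None):
    """Only the confirmation link adds an address; the signup form never does."""
    result = confirm(token, now)
    if result is not None:
        subscribers.add(result)
    return result is not None
```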
Make it easy to unsubscribe from a mailing list. Even when you do make it a one-click action, entirely too many people fail to unsubscribe and instead stab angrily at the This Is Spam button in their e-mail client. Big e-mail ISPs like Yahoo Mail won’t block your newsletter for a single spam report, nor will they list you in an RBL because of one lazy newsletter recipient, but you don’t want to get anywhere close to the line.
Another express ticket to the blacklists is to repurpose addresses. “Don’t store a user’s e-mail address for one reason and then send them bulk e-mail for a completely different reason,” explains Richi Jennings, lead analyst, e-mail security practice for Ferris Research. For example, a hosted anti-spam service allegedly mailed its customers’ technical contacts a marketing message. When customers signed up for the service, they provided a technical contact for messages about service outages, trouble-ticket updates, etc. “The technical contact has a clear expectation of the types of messages they’ll receive, and that doesn’t include marketing,” says Jennings.
3. Let anyone use content-sharing features, willy-nilly.
Many sites (yes, including CIO.com) encourage readers to participate in some way. You might comment on an article (we writers do appreciate it, not that I’m hinting or anything), or e-mail the article link to a friend, or (with modern social networking tools) create your own page.
Those are great. But blog comments can generate comment spam, which points right back at your domain. Many sites’ “e-mail this article” feature is malformed (for example, spoofing the “from” address), leading to bounce messages if not the land of blacklists. And so on.
Catherine Hampton Jefferson from SpamBouncer explains, “If you’re a news site, for example, and want to let people forward a news story to someone, you should restrict them to sending it to a small number of e-mail addresses. I’d also check the IP they’re connecting from against the CBL and perhaps other carefully selected blocklists.”
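A sketch of an “e-mail this article” handler that applies the three points above (a recipient cap, a blocklist check on the connecting IP, and no spoofed “from” address), added here as an example and not taken from the article or any site’s code. It uses the standard DNSBL query convention (reversed IPv4 octets under the list’s zone, with a 127.0.0.0/8 answer meaning “listed”); the zone name, sender address, limit of three and function names are assumptions.

```python
import ipaddress
import socket
from email.message import EmailMessage

MAX_RECIPIENTS = 3                      # assumption: the text only says "a small number"
DNSBL_ZONES = ["dnsbl.example.org"]     # placeholder zone; substitute the lists you trust
SITE_SENDER = "share@news.example.com"  # hypothetical address in the site's own domain


def dnsbl_name(ip, zone):
    """IPv4 DNSBL query name: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)    # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, zones=DNSBL_ZONES, resolve=socket.gethostbyname):
    """True if any zone answers with a 127.0.0.0/8 address for this IP."""
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except OSError:                 # NXDOMAIN or lookup failure: not listed
            continue
        if answer.startswith("127."):
            return True
    return False


def build_share_mail(client_ip, sender_addr, recipients, url,
                     resolve=socket.gethostbyname):
    """Return an EmailMessage, or raise ValueError if the request is refused."""
    recipients = sorted({r.strip().lower() for r in recipients if r.strip()})
    if not 1 <= len(recipients) <= MAX_RECIPIENTS:
        raise ValueError("recipient count outside allowed range")
    for value in (sender_addr, url, *recipients):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in header value")
    if is_listed(client_ip, resolve=resolve):
        raise ValueError("connecting IP is on a blocklist")
    msg = EmailMessage()
    msg["From"] = SITE_SENDER           # the site's own address, never the visitor's
    msg["Reply-To"] = sender_addr       # replies still reach the person who shared
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "A reader shared an article with you"
    msg.set_content(f"{sender_addr} thought you might like: {url}\n")
    return msg
```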
4. Use a dubious service provider.
It’s astonishing how often companies choose an ISP or Web hosting service without doing due diligence. Before you sign up, find out how often the company was blacklisted in the last year. Discover if they’re known to route hijacked network space, or if they have a history of spam/abuse support. (One recommended resource for this is SenderScore.)
This is especially important, adds Jefferson, when companies use a shared mail server or host a website on shared hosting. “If you are [doing so], and one of your ‘neighbors’ spams, you can end up listed,” she points out. “It stinks, but if you share the same IP with a spammer, IP-based blocklists have the unpalatable choice of listing the IP, and thereby blocking innocent bystanders as well as the spammer(s), or not listing the IP and letting the spammer spam away.”
5. Piss off your technically knowledgeable staff.
If someone is on the inside, and they have been nodding along at each of the points I’ve already made, it’s not all that difficult for them to get a company blacklisted. (I’ll avoid examples here, because I don’t want to make the job too easy for any disgruntled employees who might be reading this article.)
I’m sure that you treat all your employees well, that they are qualified for their jobs and that you have trained them on acceptable use policies for e-mail (you do have them, don’t you? Please tell me you do). Yes, sure you treat every employee with unrelenting positive regard and gobs of respect—and I am the Queen of the May.
Someone, somewhere in your organization will eventually decide that he is being pushed to the limit—and then you’ll end up in a situation like the City of San Francisco’s rogue network administrator. What technology do you have in place to make it difficult (it’ll never be impossible) for an upset insider to give his manager a Very Bad Day?
6. Run a sloppy mail server.
Mail servers that don’t follow the rules have a myriad of ways to get their feet caught in a spam-trap, some of which were enumerated in other CIO.com articles. Some of them are technical, under the purview of your e-mail admin, such as “The HELO/EHLO string should ideally match the full domain name.”
Bottom line, here: follow the standards.
For more down-and-dirty details, see “An Introduction to E-mail Management,” “An Introduction to E-mail Technology” and “Getting Clueful: Five Things You Should Know About Fighting Spam.”
7. Ignore the security on devices which may be compromised by spambots.
Your e-mail server may be pristine in its behavior, but if one of your end users’ computers has been taken over by a virus that is sending spam, your domain is still responsible for polluting the Internet. Pay attention to software installed on your desktops and servers, either by staff (through social engineering or deliberate malfeasance) or when users visit compromised websites.
Don’t cast your hairy eyeball only at standalone PCs. One e-mail admin told me he once flagged an open relay that turned out to be an electron microscope at a Belgian university. HP printers have been used as zero-day warez (pirated software) FTP servers. The more gizmos that are connected to the Internet, the greater the possible venues for spam and viruses. (Doesn’t that thought just brighten your day?)
8. If you do land on a blacklist, threaten to sue and make angry demands.
It is possible to find your site on a blacklist because of an innocent mistake. But when you go to resolve the situation, assume that it was your error or ignorance that caused the problem, not someone else’s fault. Do not threaten. You may find yourself on the “permanent block list” with no chance to be removed. One e-mail admin says he blacklists for life anyone who tries to sue, including legal firms handling the cases. “Since they support Internet abuse, they really don’t need to have the privilege of using it,” he adds.
Matthias Leisi, project leader at dnswl.org, a “whitelist” of known legitimate e-mail servers, says, “We once had a guy threatening to sue us at dnswl.org if we would not immediately list all his IP addresses with highest trust score. When we told him that this is not the way we operate, he went into ALL CAPS MODE, telling us what a bunch of incompetent losers we are, and that he still insists to be listed, ‘or else…’”
In point of fact, there is no “or else.” Like a baseball player who disagrees with an umpire: the umpire may be wrong, but his decision is final. If you argue, you’ll just be thrown out of the game.