Why you shouldn’t rely on a single anti-spam “blocklist”

We got a couple of messages today from customers who sent e-mail to other people that was rejected — they got an error saying that all our mail servers are listed on the “ReputationAuthority” anti-spam blocklist.

Yikes! We take things like that very seriously — we go to great lengths (some would say extreme lengths) to make sure this doesn’t happen. So we investigated… and it turns out that the ReputationAuthority list actually has a technical problem that’s making it reject all mail from all servers, not just from ours (see complaints on Twitter [1, 2] and elsewhere). People who use that list to block spam aren’t getting any mail at all.

We’re always surprised when we see this kind of thing (it’s not uncommon). Completely trusting lists provided by one single organization is dangerous; it will come back to bite you.

If you run your own mail server, it’s much safer to consult several lists and block mail only when multiple lists (or other criteria) agree. In addition, it makes sense to check each list occasionally to ensure that it’s not returning “false positives”.

For the spam filtering we provide to our customers, we use a large number of lists, but for the most part, it takes “hits” from several of them to block mail. We don’t worry about an obscure list causing problems like this.

For lists that we weight heavily, such as spamhaus.org, our systems constantly check whether several popular domain names are in the list. If, for example, “google.com” shows as being listed in a SURBL list, or one of our own IP addresses that never sends mail is listed at spamhaus.org, that indicates a serious problem, and we’d immediately and automatically stop using the list. (We also pay several lists for a direct “feed” to ensure that we’re getting the most accurate data instead of using their public DNS service.)

If the systems using the ReputationAuthority list to filter mail were checking this kind of thing, they wouldn’t be blocking all mail. If you’re using your own anti-spam filtering system that relies on lists, make sure that it handles this problem.

Again, our own hosting customers who rely on our filters don’t need to worry about it, though. We’ve got it covered.