Why you shouldn’t rely on a single anti-spam blacklist

We got a couple of messages today from customers who sent e-mail to other people that was rejected — they got an error saying that all our mail servers are listed on the “ReputationAuthority anti-spam blacklist”.

Yikes! We take things like that very seriously — we go to great lengths (some would say extreme lengths) to make sure this doesn’t happen. So we investigated… and it turns out that the ReputationAuthority blacklist actually has a technical problem that’s making it reject all mail from all servers, not just from ours (see complaints on Twitter [1, 2] and elsewhere). People who use that blacklist to block spam aren’t getting any mail at all.

We’re always surprised when we see this kind of thing (it’s not uncommon). Completely trusting blacklists provided by one single organization is dangerous; it will come back to bite you.

If you run your own mail server, it’s much safer to consult several blacklists and block mail only when multiple blacklists (or other criteria) agree. In addition, it makes sense to check each blacklist occasionally to ensure that it’s not returning “false positives”.

For the spam filtering we provide to our customers, we use a large number of blacklists, but for the most part, it takes “hits” from several of them to block mail. We don’t worry about an obscure blacklist causing problems like this.

For blacklists that we weight heavily, such as spamhaus.org, our systems constantly check whether several popular domain names are in the blacklist. If, for example, “google.com” shows as being listed in a SURBL blacklist, or one of our own IP addresses that never sends mail is listed at spamhaus.org, that indicates a serious problem, and we’d immediately and automatically stop using the blacklist. (We also pay several blacklists for a direct “feed” to ensure that we’re getting the most accurate data instead of using their public DNS service.)

If the systems using the ReputationAuthority blacklist to filter mail were checking this kind of thing, they wouldn’t be blocking all mail. If you’re using your own anti-spam filtering system that relies on blacklists, make sure that it handles this problem.
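To illustrate the two safeguards described above (blocking only when several blacklists agree, and dropping a blacklist that flags a known-good "canary" address), here is an added example; it is not the filtering code described in this post. The zone names, weights, threshold and the `fake_resolve` data are constructed for illustration.

```python
import ipaddress
import socket

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_resolve(name):
    """Live lookup: A records for name, or [] when there is no record."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def is_listed(ip, zone, resolve):
    return any(a.startswith("127.") for a in resolve(dnsbl_name(ip, zone)))

def verdict(ip, lists, canaries, resolve=dns_resolve, threshold=2.0):
    """Sum the weights of healthy lists that hit; block at the threshold."""
    score, hits, disabled = 0.0, [], []
    for zone, weight in lists.items():
        # A list that flags a known-good canary is broken: ignore it.
        # (A real filter would cache this check rather than repeat it.)
        if any(is_listed(c, zone, resolve) for c in canaries):
            disabled.append(zone)
        elif is_listed(ip, zone, resolve):
            score += weight
            hits.append(zone)
    return {"block": score >= threshold, "score": score,
            "hits": hits, "disabled": disabled}

# --- Constructed sample data (hypothetical zones, documentation IPs) ---
LISTS = {"bl-a.example": 1.0, "bl-b.example": 1.0, "bl-broken.example": 5.0}
CANARIES = ["203.0.113.1"]  # stands in for an address that never sends mail

def fake_resolve(name):
    """Offline stand-in for DNS; bl-broken.example lists every address."""
    if name.endswith(".bl-broken.example"):
        return ["127.0.0.2"]
    listed = {"10.2.0.192.bl-a.example", "10.2.0.192.bl-b.example",
              "7.100.51.198.bl-b.example"}
    return ["127.0.0.2"] if name in listed else []

if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.7"):
        print(sender, verdict(sender, LISTS, CANARIES, fake_resolve))
```

In the sample data the heavily weighted `bl-broken.example` lists every address, yet the second sender is still accepted because the canary check removes that list before any weight is counted.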

Again, though, our own hosting customers who rely on our filters don’t need to worry about it. We’ve got it covered.