Before I dive into this discussion, I think we can all agree that spam sucks and we all hate spam. Getting bombarded with Viagra, porn, Nigerian 419 scams and utter garbage email on a consistent daily basis is a hassle and nothing more than a pain in the ass. Most estimates of the global spam being sent is somewhere in the 80%-90% range. This means that 8 or 9 out of every 10 emails sent worldwide are nothing more than garbage, junk or spam. Emails sent to lure you into download a virus, give your bank account info away at a fake banking website or an attempt to sell you something through a barrage of email received on a daily basis. Stopping the constant influx of spam is extremely important, but at what cost?
What is an Email Blacklist?
An email blacklist is usually either DNS or Domain based. The principle and how it works is quite simple. When an email is sent, the receiving email server queries a real-time database that uses predefined criteria to determine if the sending IP address or domain name is responsible for sending email that is unsolicited or considered spam. If the IP address or domain are listed in the blacklist, the recipients email server rejects any incoming email or simply refuses the connection and attempted delivery of the email from the blacklisted server.
How did my email server end up on a Blacklist?
That’s a very good question and doesn’t always have a logical answer. It could be due to an unknown virus or bot infection that’s sending spam from your server or has turned your server into an open relay for spam to be relayed through it. If you’re on a shared server, it could be one of your neighbors who’s not playing by the rules. They could be sending junk emails from your shared IP and you’re simply caught up in the mess of your idiot neighbor who decided to send spammy promotional emails from a corporate email server. You could be listed for actually being a spammer, it could all be a big mistake or a minor error. If you’re sending promotional or transactional emails and generating complaints (people clicking the spam button) or forwarding your emails to Spamcop could also be an easy way to end up on a blacklist. If you go from low sending volume to high sending volume, this is another way to get yourself listed. There is also the possibility that someone who uses an IP address that is near your IP address is sending spam. When the Blacklister decided to block an IP Range, your IP address got caught in the IP range listed. This usually sucks and there isn’t much you can do about it other than dealing with the problem. As you can plainly see, there are a number of really good ways to get blacklisted. So the question becomes; Now What?
How to get delisted from a Blacklist.
Sometimes a much easier question asked than answered. Below are a few, quick simple things you can do without thinking too hard.
Once you’ve figured out that you’re on an email blacklist and why, the next step is to get delisted. Sometimes you don’t have to lift a finger, the listing will automatically drop off after a few days. Sometimes it takes a little more work and you have to go to a website, enter your IP or domain and tick a box that you swear you’ll never spam again and they’ll remove you. Then there are some other blacklists where you have to send an email to them or fill out a form on their website. Sometimes you’ll receive a response and other times you won’t. Sometimes you’ll be removed and other times you won’t.
Understanding Email Blacklists and who you’re dealing with
In a world of hundreds of different email blacklists, which are also known as “block lists”, the majority are worthless, unimportant and simply don’t matter. Only a very few matter, in the big scheme of things, if you ever get listed. Let’s take a look at one of those Blacklists – Spamhaus, so we can understand how they operate and what to do if you get caught in their web.
Who is Spamhaus and how do they operate?
According to their website, Spamhaus is a non-profit based in Switzerland and the UK, who provides DNS based spam blocking services to ISPs as well as private companies worldwide. They claim to have a staff of 38 in 10 countries. They claim to be protecting 1.9 Billion user’s mailboxes.
Spamhaus and their Nonsensical de facto Obligation
Spamhaus believes that they somehow control the flow of email and whose email is accepted or rejected, based on their rules, regulations and decisions. A large percentage of online marketers find Spamhaus’s actions extremely troubling. While there is no legal requirement or obligation to use a double opt-in procedure, Spamhaus’s rules mandate a de facto obligation to use it. If you don’t, they can simply list your IP address or block of IP addresses in their database. This will then cause your email to be rejected by the majority of ISP’s who use Spamhaus’s DNS based blocking services. What recourse do you have? NONE.
Dealing with Spamhaus
Absent any backlash from major ISP’s, a huge outcry from legitimate marketers, a court ruling or legislation that forces Spamhaus to change it’s ways, Spamhaus will likely remain the Dictator of Blacklists and continue to force their requirements down the throats of marketers worldwide. Without oversight, they’ll continue to effect innocent parties by dictating who can send emails and who can’t. Spamhaus has been sued, numerous times, for a multitude of claims, including defamation and tortuous interference. If you read Spamhaus’s website, they attempt to provide legal advice to discourage anyone from suing them. This is actually pretty funny – they’re providing legal advice to anyone considering suing them.
Spamhaus has No Oversight
Spamhaus does what Spamhaus wants and answers to no one. They have crowned themselves judge, jury and executioner. There is no appeal process – What they say goes and there’s nothing you can do about it. Why? Because they simply stop responding to your emails once they have made up their mind – while providing no proof whatsoever. Why? Because they don’t have to.
If Spamhaus continues blocking legitimate marketer emails for failing to play by Spamhaus’s rules, the likelihood that Spamhaus will face new lawsuits in the future, where its methods will be challenged, is extremely probable. Spamhaus’s actions combined with its market power in the United States could also subject it to antitrust claims. Beyond legislative action or litigation, email marketers caught in Spamhaus’s web need to follow the complex and time consuming process to be removed from their Blacklist. Although, as stated above, this isn’t always possible.
Getting around the Spamhaus Blacklist
If you’ve tried contacting Spamhaus through the normal channels and find yourself sucking wind with no response from the Blacklisters and your still on their IP Blacklist, known as the SBL, here’s what you need to do. If you maintain and manage your own corporate email server, getting around Spamhaus’s SBL Blacklist is quite easy. Use a third party relay service such as Google or Microsoft. It’s quite easy to setup and you can be assured that Spamhaus isn’t stupid enough to block Google or Microsoft, just to block you. (Think Again – In 2010 one of the geniuses at Spamhaus blocked some Google and Gmail IP addresses).
Closing thoughts on Blacklists
While I believe blacklists in general are a good thing and the use of blacklists can benefit everyone, I believe there needs to be a standardized delisting process and oversight. Blacklists can be very effective, especially when they are run efficiently and using a standard set of rules. When there is no oversight or a detailed process, to get an erroneous listing removed or a way to escalate a mistake, this increasingly deteriorates the entire process and makes the blacklist as a whole, ineffective. Is it better to let a little more spam through versus blocking a legitimate email sender, when it affects their livelihood or business?
Full Disclosure and my personal disdain for Spamhaus
On June 10, 2015 we received a notice from Spamhaus and one of our carriers that a /24 (256 IP addresses) we controlled was listed in the Spamhaus SBL. We found this somewhat interesting since this /24 was never used to send email, we never received a single complaint regarding this /24 and only 15 of the 256 IP addresses in the entire IP block were ever used.
We followed the steps through Spamhaus’s website to have the erroneous listing removed and were then notified a few days later that we were added to the Spamhaus Rokso list (Register of Known Spam Operations) and associated with an unknown and unrelated company that appeared to be out of business. Spamhaus also notified us that an additional /22 (1024 IP Addresses) we controlled were now listed by them in the SBL. They also decided to list a /28 (16 IP Addresses) which were our office IP’s, and included our corporate email server. Beyond this they then added our corporate domain as well as roughly 30 other domains we owned or controlled to their DBL (Domain Black List). WHY? Really good question!
As we tried, in vain, to have this error corrected, which we didn’t think would be a big deal, we were sorely mistaken. While Spamhaus wasn’t contending that we sent spam or even sent commercial or promotional email campaigns, they never even addressed any of our questions or listing concerns. They simply continued to add to the listing and try to tighten the screws. The only definite conclusion they provided is that they; did not approve of email list cleaning or email validation services. Just to be sure I wasn’t mistaken or misunderstood their contention about not sending spam, I sent three follow up emails to them but never received a response to any of them. It got to the point where I needed our attorney to send them an email about removing the Rokso listing, which they did after receiving his email. Spamhaus stated in their response; “We removed the Rokso listing because we did not have enough proof that both companies were the same”. Are you fucking kidding me? Sure let’s hang the murderer before we have a trial. If we make a mistake, Oh Well. As a follow up, the original Rokso listing that we were associated with on the Spamhaus website is no longer listed.
While Spamhaus has been involved with a few lawsuits over the years, I believe they have dodged a few bullets because the plaintiffs in those lawsuits did not fully prepare or realize what it was going to take to get the job done.
While I can’t speak to specifics, my crystal ball tells me that a smart plaintiff, an antitrust claim, a claim for damages and a group of intelligent attorneys could likely put an end to the Naziesque mentality that Spamhaus condones, as well as put an end to their unmonitored abuse once and for all.