It should come as no surprise that I hate spam as much as the next guy. I run my own FreeBSD-based mail server for my personal mail and despite my best attempts, more and more unwanted mail gets by my filters (SpamAssassin, GreetPause, personal block lists, etc). It has been tempting as of late to start using DNS based block lists such as SORBS, Spamhaus, SpamCop, etc. but I keep falling back to not wanting to let others decide who can send me mail and who can’t.
This fear is not based solely on paranoia. The Sendmail, Inc. mail servers have been blocked multiple times by SpamCop (ironically, SpamCop is owned by a competitor). Obviously Sendmail is not a spammer. Both times, they had blocked Sendmail due to auto-responders which sent a single message to one of their traps. Clearly, someone forged mail to our `jobs’ address from one of these traps. Auto-responders that let a job applicant know their resume has been received are not the problem, spam is, yet we were penalized. It is this type of draconian thinking (and the amazingly difficult process of getting off a block list) that has me shying away from using them. In my mind, this is throwing the baby away with the bath water, it is not solving the spam problem.
I do applaud some of the other block list sources which have started to categorize the listings as that provides me with an opportunity to decide which lists I want to participate in. For example, SORBS provides a variety of different lists for different purposes. This was tempting until I read how to get delisted. Once again, too many innocent organizations can be caught up in their nets simply for having IP addresses “near” bad sites or using a colocation facility that has had bad customers in the past. These innocent bystanders have no real recourse (except in some cases to pay to be delisted). Once again, how does punishing the innocent solve the spam problem?
All in all, whether by quality or practices, I haven’t found a block list that I could trust to control who can contact me. Feel free to add a comment to this post if I am overlooking the perfect DNS block list.
Instead, I look forward to a day when domain-based sender authentication (e.g., DKIM) is widely deployed and there is an open and collaborative domain-based sender reputation system which can be used by each individual site to decide who to accept mail from. Unfortunately, neither is in place yet. DKIM is only starting to get deployed and most of the industry is still stuck on IP address reputation. I’ll discuss why domain-based reputation is needed in my next post.
