by SageRaven 4824 days ago
How disappointing. I thought it was going to be the story of a fed-up email admin breaking down and DoS'ing one of the scourges of the internet.

Blacklists are pure evil, and nothing will ever change my opinion of that. They cause far more problems than they solve. Granted, it's usually by idiot, over-zealous mail admins who block on merely being listed anywhere, rather than by weighted score.

2 comments

Blacklists are the only reason e-mail is still usable.
I thought it was statistical filtering and crowd-sourced spam tagging (like Google's spam filter). I maintain a mail server for a client and SpamAssassin (edit: and greylisting) works well enough without blacklists enabled. Throw in a couple of extra Bayesian filters via procmail, and you're doing about as well as Google does.
Greylists are murder on businesses that depend on receiving mail from new people.

I see Spamhaus as akin to the Microsoft monopoly in the '90s. If your interests are aligned with them, great. And for most people they do a great job. But there are lots of small businesses who get caught up and nearly crushed. Because a listing on a blacklist can be murder for a business that depends on communicating with people over email.

Why are graylists that horrible? All it does is require the sending server to retry 5 minutes later; I don't see how that would have any impact on a business unless they are in the habit of being on the phone with new customers and asking them to send an email at the same time.
Assuming the sending server does that. Maybe it takes a few hours. Maybe it doesn't. Small businesses can be a mess, and you can't say "well, your customers suck" when the client complains about how greylisting is working for him.
I've seen many poorly written web form handlers that try to do SMTP themselves, and that clearly don't ever attempt to retry graylisted failures...
Why in the world would greylists be "murder" on businesses? We use 10 minute greylisting, and I occasionally check the logs and it does not seem to ever cause us to lose e-mails from anything but spammers.
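The greylisting behaviour argued over in the comments above, as an added example that is not part of any poster's comment: a minimal triplet-based greylist run against four constructed sender retry schedules. The 5-minute delay is the figure quoted in the thread; the 4-hour retry window, the addresses and the schedules are assumptions made for illustration.

```python
from dataclasses import dataclass, field

GREYLIST_DELAY = 300       # seconds; the "retry 5 minutes later" figure from the thread
RETRY_WINDOW = 4 * 3600    # assumption: a pending triplet expires after 4 hours

@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: set = field(default_factory=set)        # triplets that retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return "250 accepted (known triplet)"
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > RETRY_WINDOW:
            self.first_seen[triplet] = now           # new or expired: start the clock
            return "451 greylisted, try again later"
        if now - seen < GREYLIST_DELAY:
            return "451 greylisted, try again later"  # retried too early, clock keeps running
        self.passed.add(triplet)
        del self.first_seen[triplet]
        return "250 accepted"

def simulate(retry_schedule,
             triplet=("192.0.2.10", "customer@example.org", "sales@example.net")):
    """Seconds until the message is accepted, or None if the sender gives up first."""
    greylist = Greylist()
    for attempt_time in retry_schedule:
        if greylist.check(*triplet, now=attempt_time).startswith("250"):
            return attempt_time
    return None

# Constructed sender behaviours: attempt times in seconds after the first try.
SENDERS = {
    "queueing MTA, retries at 5 and 20 minutes": [0, 300, 1200],
    "retries too early, then backs off": [0, 60, 600],
    "slow MTA, first retry after an hour": [0, 3600],
    "web form doing SMTP itself, no retry": [0],
}

if __name__ == "__main__":
    for name, schedule in SENDERS.items():
        delay = simulate(schedule)
        outcome = "lost" if delay is None else f"delivered after {delay} s"
        print(f"{name}: {outcome}")
```
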
I hate spam as much as anyone but blacklists have gotten out of hand.

I rented a server, and when I decided to use it for sending emails, I found out the IPs were blacklisted. I tried appealing to Microsoft and they claimed the IP was blacklisted after I rented it. This was ridiculous since I had just installed Postfix for a few days and barely sent any emails out.

So I decided to relay all my emails to another server and haven't had any problems with it for a year except now I am stuck with a server with blacklisted IPs.

Some messages still randomly get blocked by Hotmail while Gmail happily accepts them. This whole email delivery problem is a mess and the fact that people are paying to have someone else send their emails is proof of how badly email is failing.

I run a mail server with OpenBSD's spamd[1] with greylisting and it works well enough. Most spam is not sent by SMTP-compliant hosts. Blacklisting makes it particularly hard to recover IPs that have ever been compromised and unfairly hurts good hosts on otherwise untrustworthy (like some home ISPs) networks.

[1] http://www.openbsd.org/spamd/

Greylisting is what makes the biggest difference for us too.
Agreed. If I had known at the time that there was a DDoS against Spamhaus, I'd have probably joined in against the self-righteous pricks. Block my home server, will you?
As far as I know, Spamhaus doesn't block anything. They just maintain a list of IPs they see spam-like activity coming from. The actual blocking is implemented by whoever is using Spamhaus for their blacklist. Your beef is with the admins who block everything based on a single blacklist.
That's kinda like saying the MPAA ratings system is OK because my beef is really with large theater chains that refuse to carry non-rated films. Large, entrenched authorities who provide ratings about [insert noun here] have historically been a problem.
I believe your analogy is correct, I see no problem with it. Theaters do not have to follow the rating system. There are local theaters that will play unrated films, and film festivals that play unrated films. Likewise, while you can find some ESRB ratings on the Apple App Store, Apple doesn't really have to pay attention to those and is free to set its own standards. If a theater chain refuses to play a film because it is unrated, that's not the MPAA's fault. And I never thought I would be defending the MPAA...

Sure, large and entrenched authorities pose risks. There's not much that can be done about that as long as they're large and entrenched. The best way to ensure their power stays in check is to try to have their customers put pressure on them to clean up their act. And the end-user (you and me) is not their customer. We are customers of the businesses and organizations implementing their block lists. I understand your frustration, and as a security professional I have my own beef with Spamhaus ratings, but the answer to that problem lies in comparing their ratings with those of other organizations and a bit of common sense.
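The contrast the thread keeps returning to, blocking on any single listing versus weighting several lists, shown as an added example that is not part of any poster's comment. The zone names, weights, thresholds and DNS answers are all constructed; a dictionary stands in for the DNS lookups so the code runs offline, and only IPv4 is handled.

```python
# Hypothetical blocklist zones and the weight each listing contributes (assumptions).
ZONES = {"bl-a.example": 3.0, "bl-b.example": 1.5, "bl-c.example": 1.0}
REJECT_AT = 5.0   # assumed threshold: refuse the message
TAG_AT = 2.0      # assumed threshold: accept but mark as suspected spam

# Constructed DNS answers. A missing name means NXDOMAIN, i.e. not listed.
CONSTRUCTED_DNS = {
    "10.2.0.192.bl-c.example": "127.0.0.2",       # small sender on one low-weight list
    "99.113.0.203.bl-a.example": "127.0.0.2",     # host listed on all three lists
    "99.113.0.203.bl-b.example": "127.0.0.4",
    "99.113.0.203.bl-c.example": "127.0.0.2",
    "7.100.51.198.bl-a.example": "198.51.100.200",  # resolver rewriting NXDOMAIN
}

def query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def listings(ip, resolve=CONSTRUCTED_DNS.get):
    """Zones that list `ip`. Only answers inside 127.0.0.0/8 count as listings,
    so a resolver that rewrites NXDOMAIN does not turn every host into a hit."""
    hits = []
    for zone in ZONES:
        answer = resolve(query_name(ip, zone))
        if answer is not None and answer.startswith("127."):
            hits.append(zone)
    return hits

def single_list_policy(ip):
    """The over-zealous setup: reject on being listed anywhere."""
    return "reject" if listings(ip) else "accept"

def weighted_policy(ip, content_score=0.0):
    """Add listing weights to the content filter's score, then apply thresholds."""
    score = content_score + sum(ZONES[zone] for zone in listings(ip))
    if score >= REJECT_AT:
        return "reject", score
    if score >= TAG_AT:
        return "tag", score
    return "accept", score

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.99", "198.51.100.7"):
        print(ip, listings(ip), single_list_policy(ip), weighted_policy(ip))
```
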