In the war against spam, your friends can sometimes turn out to be your enemies -- especially if you're relying on blacklists.
Some organizations and individuals maintain DNS blacklists of the Internet IP addresses belonging to computers that are known to send junk e-mail, or spam. These lists are posted on the Web, and e-mail administrators can configure their companies' mail routers to check incoming messages against those lists and filter out any matches.
But what would happen if a trusted DNS blacklist went bad and declared that every IP address in the world belongs to a spammer?
Alex El Homsi, the president and CEO of Woburn, Mass.-based Trilog Group Inc., which makes a development platform for Domino programmers, watched that scenario unfold when a list run by Monkeys.com added code that made everyone look like a spammer.
"That was the most obnoxious thing that anyone has done in e-mail history," said El Homsi, who wasn't sure how many of his company's e-mails were lost as a result of the shoddy blacklist. "These guys are just so stupid to just do this."
The man in charge of the blacklist in question, Ron Guilmette, proprietor of Infinite Monkeys & Co., which runs Monkeys.com, said he had a perfectly good reason for broadening the blacklist to include every IP address.
For starters, Guilmette said, the list was initially shut down in September 2003, and users were notified of the service's closing on community Web sites.
Nevertheless, he added, six months after the shutdown many mail administrators still hadn't gotten the message. The continued queries to his servers amounted to what was essentially a denial of service attack, which ate up all of his bandwidth.
Guilmette said that spammers had been launching denial of service attacks on his servers off and on for months. He said that authorities were no help in the matter and that no one else would volunteer to host the list. That is when he realized that it was time to take the list offline.
Guilmette decided to take a drastic approach. He changed the code on his server so that every incoming query would result in a positive match for spam.
El Homsi said his company was smart enough to stop using the list months earlier, but many of Trilog's business partners were still running it.
"Who knows if other organizations are building their blacklists by consolidating from other lists?" said El Homsi, who thinks there should be laws governing how these bodies operate.
Regardless of who is right and who is wrong in this debate, both parties agreed that the incident highlights the need for administrators to keep up with the DNS lists that they're referencing.
Michael D. Osterman, principal analyst with the Black Diamond, Wash.-based Osterman Research, said that blacklists are a huge problem for a couple of reasons.
For one, Osterman said, they aren't a very effective way to block spam because they are only successful 5% to 15% of the time. Also, he said, it's easy for legitimate organizations to get blacklisted by mistake, which El Homsi witnessed firsthand.
"Blacklists need to be updated constantly to make sure that they are accurate and don't contain any false positives," Osterman said.
Osterman said it is particularly easy to inadvertently get blacklisted these days, thanks to new viruses like MyDoom that copy people's IP information and send junk mail under stolen names.
The analyst said that a new method for fighting spam that is growing in popularity is called "graylisting." Under this method, rather than blocking all of the mail from a suspected spammer, routers are programmed to let it come in at a slower pace. This allows administrators to determine if anyone has been errantly condemned.
Meanwhile, El Homsi is cautioning others to be wary of blacklists.
"Keep an eye on [DNS blacklist] organizations and not only the ones you are referencing," he said. "You could be blacklisted at anytime for no valid reason."
FOR MORE INFORMATION: