Once a popular and effective way of fighting spam, DNS blacklists are no longer effective or reliable tools in the war against spam. The reasons are many, but here are a few key problems:
- Spammers are, if nothing else, a resourceful bunch. Whatever barrier you erect to prevent their spam from reaching your mailbox, they always seem to find a way to circumvent it. And DNS blacklists are no different. Once spammers figured out they could no longer keep spamming from the same IPs, they went looking for a way to send from constantly varying IPs. They’ve achieved that goal by using self-propagating viruses, trojan horses, and worms to take control of millions of unsuspecting PCs. They now use such “zombied” PCs to send out their spam. And when one of the millions is blacklisted, they simply move on to the next. They have a never-ending pool of IPs to send from, and as a result they’re always one step ahead of the DNS blacklists. What that means is that, for the most part, IPs listed on the blacklists are old news — it’s unlikely there is much spam still originating from the vast majority of those IPs.
- Most of the DNS blacklists operating today are nonprofit ventures staffed by a loose confederation of volunteers. They do not charge for their services, and thus are accountable to no one. That lack of accountability means there are no standards for quality of service. No standards or guarantees of accuracy or timeliness. That may be fine for hobbyists, but for anyone who conducts business via email and thus can’t afford to lose emails to false positives, that fact alone should make your hair stand on end. Also keep in mind what this means for you as a user of these blacklists. The blacklist administrators do not have your best interests at heart. Many of these are people so filled with rage over spam that they are willing to spend significant portions of their time fighting it. Their goal is to stamp out spam wherever it is found, and they do not concern themselves with who gets trampled in the process. They are essentially email vigilantes who owe allegiance to no one but themselves.
- Not all DNS blacklists even publish their listing and delisting policies. (Would you trust your spam filtering to a service that won’t even tell you how they make their decisions?) Those that do often seem to treat their policies more as general guidelines. Too often I’ve seen overzealous list administrators break their own policies again and again to pursue a personal vendetta. Lack of professionalism such as this alone should make such lists unpalatable to the average business mail administrator.
- As I mentioned, most blacklists are run by volunteers who spend hours a day without compensation doing their part in the war against spam. Their intentions are always for the best, but the results are often anything but. Putting so much of yourself into what is ultimately a losing battle would take its toll on anyone. Unfortunately for anyone using these lists, this often manifests itself in list administrators taking out their frustrations by misusing their lists. This is usually in the form of “collateral damage,” where list administrators start blocking large swaths of IPs in an attempt to get an Internet provider to take notice. Some lists even have a stated policy of doing so. I see two problems with using collateral damage as part of a spam filtering solution. First, most of the blacklists that use collateral damage as a weapon state that they slowly increase the size of the block in the face of continued unresponsiveness from the ISP in question. That policy sounds OK at first, until you consider that many of the lists with such policies also have a policy of not contacting the ISPs in question to notify them of the listing. As a result, the blocks can get quite large before the ISP takes notice, through no fault of their own. The unresponsiveness is a self-fulfilling prophecy. Second, the lists are then listing thousands upon thousands of IPs which they know are not spammers. Which means if you are using that list, there are thousands of potential customers who cannot reach you.
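The collateral-damage point above can be measured against your own mail before a list is ever used to reject anything. The following is an added example, not part of the original post: the addresses (documentation ranges), message counts and the widening listing are all constructed, and the in-memory list stands in for the DNS query a real DNSBL client would make.

```python
import ipaddress

def make_offline_list(cidrs):
    """Stand-in for a DNSBL lookup: True if the address is inside a listed block.

    A real client would instead query the list's DNS zone for the address.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)

def audit(known_good, is_listed):
    """Return (legitimate messages rejected, total messages, affected senders)."""
    hit = {ip: n for ip, n in known_good.items() if is_listed(ip)}
    return sum(hit.values()), sum(known_good.values()), sorted(hit)

# Constructed sample: messages per sending IP for mail that users replied to
# or filed as legitimate, i.e. senders you know are not spammers.
KNOWN_GOOD = {
    "203.0.113.10": 40,
    "203.0.113.44": 12,
    "203.0.113.200": 7,
    "198.51.100.25": 130,
}

# Constructed escalation: one spamming host is listed, then the block is
# widened twice because the provider has not responded.
ESCALATION = ["203.0.113.45/32", "203.0.113.32/28", "203.0.113.0/24"]

def escalation_report():
    """Audit the known-good senders against each stage of the listing."""
    rows = []
    for cidr in ESCALATION:
        lost, total, senders = audit(KNOWN_GOOD, make_offline_list([cidr]))
        rows.append((cidr, lost, total, senders))
    return rows

if __name__ == "__main__":
    for cidr, lost, total, senders in escalation_report():
        print(f"{cidr:18} rejects {lost}/{total} legitimate messages {senders}")
```

Run against a real mail log, the same audit shows how many known-good senders a list would have cost you at each point in time, which is the number that matters when deciding whether a list may reject mail or only contribute to a score.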
It’s a frustrating problem. No one wants to have their inbox filled with spam, but at the same time you can’t afford to miss a potentially important email because of rampant vigilantism. Are there fair, responsibly run DNS blacklists? There are few, but I won’t mention them here, because they are always subject to change. What is a professionally run blacklist today could go off the deep end tomorrow. And besides, they’re only marginally effective anyway.
So how *do* you stop spam? Use content filtering, rather than DNS blacklists. It’s more effective and reliable and isn’t subject to the whims of antispam zealots. And you’re in control. Or, for those who don’t have the time or technical chops to roll their own filtering, subscribe to an outsourced spam filtering service such as Postini. Yes, it costs money, but that money buys you accountability. You’re paying for having someone to complain to if the service isn’t meeting your expectations. That helps guarantee your filtering service won’t start pulling any of the shenanigans mentioned above. And if they do, you can cancel and subscribe to a different service.
DNSbl administrators’ response to any complaints or suggestions about their policies is invariably something along the lines of, “If you don’t like what we’re doing or how we’re doing it, don’t use it.” I recommend you take their advice.