Should You Use More than One Blacklist to Prevent Spam?Written by Paul Cunningham on July 21, 2010
Blacklists (or block lists) are a spam prevention technique that uses lists of IP addresses or domain names that are associated with spamming to determine whether to block or allow a particular email transmission.
Although the technique falls under one general description, there are many different implementations of block lists that can be used to make different determinations about whether an email is spam or not.
Some of the different techniques include:
- URI lists – these are lists of domain names and IP addresses that have been used as hyperlinks in emails that lead a victim to a malicious website, for example a bank phishing scam
- Open Relay lists – these are lists of mail server IP addresses that have been discovered as open relays and can be (or have been) used by spammers to send emails
- IP lists – aside from open relays an IP address that has directly been a source of spam, or is highly likely to be a source of spam (eg an ISP’s customer IP blocks)
The mechanism for each is basically the same – the mail server inspects the SMTP connection, or email message, that it is receiving. It then queries one of these block list providers with the URIs or IP addresses, and if it registers a hit it then takes the configured action (usually to drop the email).
With so many different block list providers and different techniques the obvious question is whether more than one provider should be configured on the email server that is responsible for blocking spam in your organization. Naturally this depends on the specific organization and which services are being used.
The biggest benefit to using more than one block list provider is that there are more chances to detect spam thanks to a greater diversity of lists being queried. If you’ve ever had to troubleshoot a deliverability issue by investigating whether a mail server IP is on a block list you would have discovered that of the dozens of lists available not all of them will give the same result for a given query.
Using multiple block list providers also protects you from the scenario in which the provider is unavailable, which could lead to spam entering your organization when it can’t be checked.
However the biggest drawback is that every additional list provider that you configure means additional resources are consume for every email that is checked, both in terms of server processing and network bandwidth.
This trade-off between effectiveness and performance is one that should be seriously considered, as well as monitored on an ongoing basis.
An alternative solution is to use a provided that aggregates multiple techniques into a single service. This is common for most commercial anti-spam solutions, which will be pre-configured with a vendor-supplies block list service that offers the best trade-off between performance, effectiveness, and also reliability.