How To (or How Not To) Operate a Blacklist

by J.D. Falk
Director of Product Strategy

On the Word to the Wise blog, Steve Atkins has been publishing a series of articles describing — in impressive detail — everything he feels is wrong with the SORBS blacklist, both before and after it was purchased by spam filter vendor GFI. Return Path staff have seen many of the same issues when trying to help our clients deal with SORBS listings, so we can certainly sympathize with the many frustrated comments.

Turn Steve’s articles on their head, however, and you’ve got a set of Best Practices for how to run a blacklist — or any other popular anti-spam service. These can also help mail system operators evaluate which blacklists they’d like to use. For example:

1. Respond to inquiries quickly and professionally, especially during or after a known issue.

2. Listing policies must be clear and consistent.

3. Any lookup or removal tools should be accurate, easy to use, and actually work.

4. Lists of dynamic IP addresses should be developed in collaboration with the ISPs or other entities who own and assign those IPs.

5. Cross-check against internal and external sources in order to catch bad data before it’s published to the world. For example, if your system is about to push out an update which includes IPs on our Certified list, put it on pause until you can perform a manual review to make sure.

6. Wide listings (such as a /16) should be rechecked regularly to ensure that they’re still appropriate.

7. Systems should be compartmentalized such that a denial-of-service attack against public, visible servers does not prevent staff from operating the service.

8. When you do suffer an attack, be transparent! Your supporters will understand, and many will offer to help.

9. Understand that when someone contacts you for removal, or with questions, chances are pretty good that they’re having a really bad day. Often it’s the first time they’ve even become aware of the concept of an IP blacklist. They’ll be panicky, perhaps irrational. Have some compassion even while you’re being firm, and they’ll eventually settle down and react in kind. They may even support your work in the future.

10. In a similar vein, the ISPs and other mail operators who use your list are your customers. That’s who you’re responsible to. Piss them off, and nobody will use your list — which means you’ve got no influence over the email ecosystem, which means you won’t stop any spammers.

11. And finally, work with the larger anti-spam community, not against it. That’s where you’ll get your best intelligence, and your most effective supporters.
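Items 5 and 6 can be enforced as an automated gate that runs before each update is published. The sketch below is an added example, not code from any blacklist operator: the allowlist and pending entries are constructed sample data, and the /20 "wide" threshold and 90-day recheck interval are assumptions chosen for illustration.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample data (documentation and private ranges), not real listings.
ALLOWLIST = ["192.0.2.16/28", "198.51.100.0/24"]  # stands in for a certified-sender list
PENDING = [
    {"net": "203.0.113.7/32", "last_review": "2024-05-20"},
    {"net": "192.0.2.0/24", "last_review": "2024-05-20"},      # covers an allowlisted /28
    {"net": "198.51.100.25/32", "last_review": "2024-05-20"},  # inside an allowlisted /24
    {"net": "10.20.0.0/16", "last_review": "2023-01-10"},      # wide and long unreviewed
]

def review_update(pending, allowlist, today, wide_prefix=20, max_age_days=90):
    """Split a pending update into (publish, hold, recheck).

    hold:    listings that overlap the allowlist in either direction; these
             wait for manual review instead of being published (item 5).
    recheck: published listings at least as wide as /wide_prefix whose last
             review is older than max_age_days (item 6).
    """
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    publish, hold, recheck = [], [], []
    for entry in pending:
        net = ipaddress.ip_network(entry["net"])
        # overlaps() catches both a listing that contains an allowlisted range
        # and a listing that sits inside one.
        hits = [str(a) for a in allowed
                if a.version == net.version and net.overlaps(a)]
        if hits:
            hold.append((entry["net"], hits))
            continue
        publish.append(entry["net"])
        age = today - date.fromisoformat(entry["last_review"])
        if net.prefixlen <= wide_prefix and age > timedelta(days=max_age_days):
            recheck.append(entry["net"])
    return publish, hold, recheck

if __name__ == "__main__":
    publish, hold, recheck = review_update(PENDING, ALLOWLIST, date(2024, 6, 1))
    print("publish:", publish)
    for net, hits in hold:
        print(f"HOLD {net}: overlaps allowlisted {', '.join(hits)}")
    print("recheck:", recheck)
```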

The Anti-Spam Research Group has a draft standard detailing additional best practices for blacklist operators, including how to shut a list down smoothly.

As for GFI, we can certainly understand that it takes a while to merge an existing product into a new parent company. It took us a few years to fully absorb the old Bonded Sender Program, but we learned from those experiences and were able to add the Habeas Safelist in a matter of months; now they’re both living happily side-by-side as Return Path Certified. I’m sure GFI can do the same with SORBS, given sufficient desire and resources.

In the meantime, there are other blacklists (including Return Path’s Reputation Network Blacklist) which have already been following the best practices listed above, and thus are probably much safer to use.

Remember: for mail operators it’s not the size of the list that matters, it’s whether it helps them block the spam they don’t want and still receive the mail they do want. These practices can help to ensure that that’s what your list does.
