[Asrg] Round 2 of the DNSBL BCP - "collateral damage"
Steve Atkins
steve at blighty.com
Wed Apr 2 09:06:58 PDT 2008
On Apr 2, 2008, at 6:49 AM, Seth wrote:
> Steve Atkins <steve at blighty.com> wrote:
>
>> Your intent in listing an IP address in your blacklist is that mail
>> from that IP address be more likely to be blocked or filtered.
>
> There are whitelist DNSBLs.

No, there aren't.

If it's a whitelist, it's not a blacklist. As for operational use of a
whitelist as a blacklist, see my mention of Habeas below.

> There can certainly be DNSBLs designed to make some mail more likely
> to be accepted, and other mail less likely. There are certainly
> DNSBLs with information that some sites use to accept more, and
> others use to reject more (e.g. country-code).
>
> There are DNSBLs that exist to prove a point, and the intent of the
> lister is not to have any sort of usage (nofalsenegatives,
> nofalsepositives, noprimes).

And yet, those lists still get significant usage. Up to and including
blocking mail if an IP address is listed on them. That the operator[1]
of those lists is listing an IP address due to some inner aesthetic
rather than any relationship to mail emitted from those IP addresses[2]
does not affect the fact that it is the combination of the listing in
the blacklist and that there is at least one mailbox provider using the
blacklist to filter mail that will cause the mail to be blocked.

There are going to be edge cases, certainly. Perhaps there's a DNSBL
that the operator doesn't intend to be used to affect mail delivery, and
isn't aware that it is being used to affect mail delivery (such as opm
in its first few days, perhaps)? That operator is not aware that they're
running a DNSBL, so they're out of scope for this document (if they're
not aware that they're running a DNSBL then they're not going to be
affected by a BCP for DNSBLs). Perhaps there's something that looks like
a DNSBL on a technical level, but it's not intended to be used as one,
has millions of users for its real purpose and that a couple of people
misuse it as a DNSBL isn't going to change the behaviour of the operator
(in-addr.arpa and the Habeas whitelist would be two examples there).
Again, though, if the operator does not believe they're running a DNSBL,
they're out of scope for a DNSBL BCP.

We're talking about common practice, as well as best practice, remember.
Cheers,
Steve
[1] That I'm the operator for two of the lists you mention means I've
thought about this.
[2] The same is true of some non-abstract lists too.