Back To Basics: Where Does Spamhaus Get Off

One of the more popular questions that come up deals with the use of DNSBLs,¹ especially Spamhaus’ lists, by ISPs.² The question usually goes something like this:

Who are the operators of that list and what gives them the right to regulate commerce? Are they run by a government or something?

A Brief History of DNSBLs

The year is 1997. Spam isn’t yet as bad as it will eventually get, but it is on the increase, and people are beginning to take notice. I got my own start in email around this time, after I got home one day in mid-1997 to discover 3 emails from people I knew out of 70-something that had arrived that day. Today, I laugh at those stats. I get a LOT more spam than that. But that’s what it took to push me over the edge.

Someone else who had decided that “enough was enough” was Paul Vixie. Paul was/is somewhat of a famous person in Internet circles. He was the writer of a version of Vixie cron and, more importantly, a maintainer of BIND, one of the principal pieces of software used to translate domain names into IP addresses.

Paul’s plan to deal with spam sources was to block all internet traffic to them. So, he created a list which would (when appropriately used) route all traffic into a “blackhole.” Thus was born the RBL.³ People subscribed to the RBL because they trusted Paul and his judgment. A very short time later, the list was moved from a shared list to a queryable format using the Domain Name System (for which BIND was the primary software).

Over time, other DNSBLs emerged. Some have lasted a long time but have little use. Others have come into relatively widespread use but lasted only a few months or years. Finally, some — like Spamhaus — have been in widespread use for a very long time.

What sets them apart?

In a word, “trust.” In 2016 there were 215.3 billion messages exchanged on the internet every day, according to The Radicati Group, with that number expected to rise to 225 billion in 2017.⁴ The largest providers, of course, bear the brunt of those statistics.

Their users, though, expect to get messages from Mom, Grandma, Aunt Helen, and Uncle Jim, and from at least a few marketers about sales they care about. If they don’t get those messages, they’ll either complain or they’ll simply change providers. When you’re in the business of providing eyeballs to advertisers, neither of those is good.

But, that’s a double-edged sword when it comes to getting data from third parties. You want someone who is aggressive enough to help you get rid of the really bad stuff, yet conservative enough not to toss out grandma’s forwarded messages about the great things her favorite politician is doing. In a word, you want someone you can trust — trust to get it right, and quickly and quietly fix things when they get it wrong.

What gives them the right?

No one does. Everyone does.

The fact is, they are trusted by their users to provide a service. That service comes in the form of data which the user can use or ignore. If the maintainer of the list gets it wrong too often, is too difficult to deal with, or charges too much for their service, then they’ll be ignored and vanish into the dustbin of history. If they get it right, then they’ll grow and prosper.

They act much as organizations like Vericheck do in helping retailers decide which customers to accept checks from. The retailer can pay for that information and use it to decide whom it wants to do business with. The ISP can use DNSBL information to decide whom to accept mail from.

Neither is a government agency, but both can set terms that prevent a transaction from happening.

What about standards?

Competent DNSBLs will publish their standards. Those standards will make sense. But, not all standards will be the same. Spamhaus tends to rely very heavily upon spamtraps. Spamcop tends to place a lot of weight on user complaints. The standards differ, but their objective — to protect users’ inboxes — is the same. Because their objective is not to enforce the law, people need to understand that statutes and regulations will play very little role in what DNSBLs do.

Footnotes

  1. DNS-based Blocking Lists.
  2. Internet Service Providers.
  3. Realtime Blackhole List.
  4. The Radicati Group, Inc., Email Statistics Report, 2016–2020 (Mar. 2, 2016), http://www.radicati.com/wp/wp-content/uploads/2016/03/Email-Statistics-Report-2016-2020-Executive-Summary.pdf.

About the Author

Mickey Chandler Consultant & Attorney

Mickey Chandler is a Consultant & Attorney with over 28 years of experience in Email Deliverability & Privacy Law. He has a strong background in email authentication infrastructure (SPF, DKIM, DMARC), ISP and mailbox provider relations, anti-spam policy and compliance, CAN-SPAM and state anti-spam law gained through overseeing the Abuse & Compliance team at Salesforce Marketing Cloud, originating the ISP relations role at Informz (now part of Higher Logic), and working in the fight against spam since 1997. He holds a B.A. in Government, a B.S. in Computer Information Systems, and a J.D. from the University of Houston Law Center. He is a certified CIPP/US professional and a certified CIPM professional.