By Hiawatha Bray, Globe Staff, 5/28/2003
Philip Jacob, who runs a small Internet service provider called Whirlycott.net in Watertown, has found himself prey to one of the toughest tactics in the war against e-mail spam: ''blocklisting,'' or as Jacob calls it, blacklisting.
A growing number of companies and organizations are using the practice to fend off incoming messages from Internet addresses suspected of sending unwanted e-mail. But some legitimate businesses have been caught in the blockade.
Last week, Jacob, 28, fielded a complaint from a customer at a Boston financial services firm that buys e-mail services from Whirlycott. The customer's e-mails to another company were being returned as undeliverable. The return message indicated the mail had been rejected because it came from a source that was included on a ''blocklist'' -- a list of e-mail addresses of suspected spammers.
It was a familiar problem. The same customer complained in August, when messages he'd sent to Colby College in Waterville, Maine, were also bounced back. When Jacob investigated, he found that Colby used a blocklist that cited Whirlycott as a spam source, even though Jacob insists his company has never allowed users to send unsolicited bulk e-mail.
Ray Phillips, director of information technology services at Colby, confirmed that the school formerly used blocklists. ''We did find that this strategy blocked e-mail from some major Internet service providers' e-mail systems,'' Phillips said. As a result of complaints by Jacob and others, the school has stopped relying on blocklists, instead using software that examines each message to determine whether it's spam.
But many other organizations and Internet providers continue to use blocklists. For legitimate businessmen like Jacob who find themselves inadvertently blocked, the result can be a version of what the military calls collateral damage -- the unintentional destruction of the innocent during an attempt to destroy the enemy.
''I actually used to use blacklists,'' said Jacob, whose day job is system architect for the e-commerce website Eyeglasses.com. ''Then one day I found that I was on a blacklist.''
Despite his protests to Colby, and the college's decision to drop its blocklist, Jacob's Internet service continues to be listed on at least two blocklists. That's why mail sent by some of his customers is still getting blocked. To compound the problem, there's no way to know which businesses or Internet services use blocklists, or which lists they use.
There's evidence that aggressive efforts to screen out spam are starting to hinder the delivery of legitimate e-mail messages. A recent survey by the e-mail marketing firm Bigfoot Interactive found that nearly 40 percent of those surveyed had failed to receive messages from friends, family members, or companies with which they did business. Another e-mail marketing firm, Assurance Systems, set up e-mail accounts last year, then arranged to have mail sent to them. About 15 percent of the messages never arrived.
Most blocklists are set up and maintained by volunteers -- Internet users fed up with the flood of unwanted and often offensive e-mail messages. One Internet guide to blocklists, www.openrbl.org, lists more than two dozen of them. In addition, many Internet providers and businesses create custom blocklists.
Blocklists are a powerful alternative to more costly and unreliable ''content filtering'' software, which scans each incoming message and tries to determine whether it's spam. (Jacob's Whirlycott markets antispam filters, among other services.) With blocklists, if a message comes from a given address, it doesn't get through. That's why many Internet services and Internet-connected businesses use them.
Each blocklist has its own standards, which can vary dramatically. That worries some of the nation's largest Internet providers. Earthlink, for instance, draws up its own blocklist because of concerns about the accuracy of those created by others. America Online does the same, relying on spam complaints submitted by its 35 million users. ''We believe that a lot of other lists that are available are more subjective than objective,'' said AOL spokesman Nicholas Graham.
Some of the independent blocklists try to avoid this pitfall by applying rigorous standards. Spamhaus.org, one of the best-known lists, relies on its own ''spam traps,'' e-mail addresses that sit idle on the Internet. Any mail sent to these addresses is spam by definition, said Spamhaus founder Steve Linford, so the sources of these messages are blocked. ''We don't collect complaints from end users at all,'' said Linford, for fear these reports might be biased. In addition, the list is under constant review.
But other blocklists take a more subjective, radical approach. That's what happened to Jacob. His Internet company purchased bandwidth from another firm called AV8.com, which operates an e-mail server that lets people send messages without logging in. This kind of ''open relay'' server is often used to send spam, though AV8.com operator Dean Anderson says he doesn't allow this. Several blocklists decided to block all AV8 addresses because the open relay might encourage spamming. So Colby College, or any other institution that used one of these blocklists, would reject all mail from AV8, or Whirlycott.
This kind of blocking, which penalizes the innocent as well as the guilty, is not uncommon. Late last year, some consumers writing to the Federal Trade Commission found that their e-mails couldn't get through, because the federal agency uses blocklists. Also last year, the Spam Prevention Early Warning System, or SPEWS, blocked all mail from the 220,000 customers of Interland Inc., a major website company, because some Interland users were sending out spam. Only when Interland moved to drive spammers from its system did SPEWS relent.
Unlike Spamhaus' Linford and other blocklist operators, the people who run SPEWS refuse to disclose their names, phone numbers, or e-mail addresses. A message on the SPEWS website says that all inquiries should be posted on a public Internet bulletin board, but no one from SPEWS responded to a posting by the Globe. The lack of an easy way to contact SPEWS suggests that anyone who thinks an address is unfairly blocked will find it difficult to appeal.
Linford thinks SPEWS chose anonymity to avoid lawsuits, even though he believes that such suits have little chance of success. Spamhaus has been sued many times, by companies claiming that blocklists violate their right to use the Internet freely. Last month it was sued again in Florida, along with SPEWS and several other blocklists. The plaintiffs, an organization of e-mail marketing firms called eMarketingAmerica, say that blocklisting unlawfully deprives them of their right to use their e-mail addresses.
But Linford replies that blocklist operators are exercising their own right of free speech by making lists of alleged spammers. So far, the courts have agreed. ''We've never lost a suit,'' Linford said.