About this Post
We recently found ourselves in a fight with SURBL.org to get a client’s domain off of one of their blacklists. This is a little bit of information about SURBLs and some resources to help others who have been wrongfully blacklisted.
What is a SURBL and How Does it Work?
A SURBL is a list of domains that appear in spam emails. When a user of some email client flags a message as spam, that message is sent off to a central service for analysis. The message’s originating server is noted and the contents are analyzed. If the same domain appears in enough spam emails, it is considered for addition to a SURBL blacklist.
Spam filters then reference the SURBL blacklists when deciding what to filter. If a domain that appears on a SURBL list appears in the body of an email, it might be flagged as spam or rejected entirely depending on the filter.
Personal Experience: Limited Recourse for Victims of a False Positive Listing
No algorithm is perfect and false positives can happen. What then?
Recently we had a client land on a SURBL blacklist. This client is an online business that runs the majority of its marketing through email. No notification was given to the client, their mass emails simply started bouncing, rejected as spam.
Needless to say, this was a huge problem.
SURBL has a web form available on their website at http://george.surbl.org/lookup.html through which you can request blacklist removal. Note about the form: There is a limit on the size of your entry in the ‘message body’ field, and though it is written on the form, if you submit with too much data in that field it will throw up a vague error:
Error in: sample message body entry! Please wait 20 seconds, go back
and correct it!
In our case, the listing was seriously damaging our client’s revenue and we decided to email email@example.com as well. The listing was in clear violation of SURBL’s own published policy for many reasons and I was sure the listing was an error and could be quickly corrected.
SURBL’s listing policy was available at surbl.org/policy.html until very recently. I am posting a copy that I downloaded a few days ago here. I will also link to a version in web.archive.org as a loose corroboration. Link.
Though the response I received from the email address provided by surbl.org was timely, it was anonymous and its content revealed that either surbl.org had no regard for its published listing policy or they were not reading my emails. All the while our client was losing business.
This is a list of the most relevant quotes from their listing policy document that could help you if you’ve been wrongfully blacklisted (emphasis theirs):
- “Add domains that appear only in spam. Do not add any domains that appear in ham.”
- “Visit the site or at least check the google summary of it. If the site looks like a mostly legitimate site do not add it.“
- “Don’t add domains or IPs that are mentioned in legitimate newsletters, mailing lists or other similar mailings.”
- “Do not add domains of otherwise legitimate sites that have open (unconfirmed) subscriptions.”
- “Don’t list any mostly legitimate domains or IP addresses. The goal is not to “catch every spam.” The goal is to catch only domains that only appear in spams.”
After a long email thread of me repeating these points of their policy back at them, the client’s domain was removed from the blacklist and the policy document at surbl.org/policy.html was removed. These two events happened within 24 hours of each other. Maybe this was a coincidence, maybe not.
This is the entirety of surbl.org’s final response in our email thread, after the domain in question was removed from the blacklist. At no point did they acknowledge my references to their published policy, and in their final response they cede nothing.
“The domain has been automatically removed from the blacklist since the
unsolicited messages appear to have stopped. Please note that it can
be listed again in future if it appears in unsolicited messages.
Therefore it is urged that best practices be followed by all senders.”
We clearly cannot enforce the email practices of everyone on the internet. Which means the threat of blacklist lingers should any random spammer include our client’s domain in their email. This is unacceptable.
I am disturbed by SURBL for several reasons:
- Surbl.org is incredibly powerful. They themselves will deny having any power, since they just make blacklists publicly available, these blacklists are used by spam filters all across the internet. Being listed by surbl.org can seriously damage a business that relies on email.
- Surbl.org’s automatic tools for blacklist removal provide very little feedback. We received a confirmation that our web form was submitted, but nothing after that.
- Surbl.org’s blacklist removal request email address is anonymous. The replies I got from it were unhelpful. I don’t know if I was talking to one person or multiple. I was provided with no recourse beyond the email stonewalls.
The bottom line is SURBL.org has a lot of power and very little accountability. It is unlikely to become any more accountable as it is not legally responsible for the emails it blocks, it is simply a maintainer of the lists. It is powerful only because mail administrators across the internet use it to filter their emails.
A Plea to Mail Administrators Everywhere
Mail administrators should not reject messages outright because they are listed on a SURBL. Flag it as spam and deliver it, but don’t block it entirely. SURBL.org is not a transparent and accountable enough organization be given the de facto power to crush businesses.
99+% of the time, SURBLs are right to list a site, but the false positives do real damage to legitimate businesses. Now that they’re removed their published listing policy, victims of false positives are even more in the dark.
A Plea to SURBL.org
With great power comes great responsibility. You didn’t ask for it (in fact you recommend against it on your front page), but many mail servers block based on your lists. You have a lot of power, and the writer of your original listing policy (now removed from your site) seemed to realize that.
At the very least, inform domain owners when their sites are blacklisted and give them reasons. Supplying the domain owner with a copy of an unsolicited message that triggered the blacklisting would be incredibly helpful (when legal). Publish a listing policy and follow it. When answering emails, use your name or a consistent alias if you’re not comfortable with that, just don’t be completely anonymous. I couldn’t even tell if it was the same person responding every time.
Surbl.org is a black box full of black lists. A few simple changes would make a world of difference to the owners of domains falsely listed.