What happens if we blacklist a legitimate IP?

  • Article

With the rise in botnets in the past year, some spam filters like to make use of blacklists in an attempt to cut down on the amount of mail they have to filter.  This makes sense because an increase in mail can eventually cause delays so we'd like to use a few tricks to cut back on the amount of volume.

The question arises that if most spam is coming from botnets, what happens if we block an IP and that IP sends legitimate mail some of the time?

It is a good question.  The way I see is not necessarily the way that my company sees it, I only speak for myself.  So, if a person has a computer that is virus-infected and starts sending high volumes of spam and only small volumes of legitimate mail, should we still block them?  In my opinion, yes, we should.  We will not compromise the integrity of the rest of our users because one user has a compromised system.  I believe that it is reasonable to refuse mail from an IP that is virus infected because they have the potential to either infect other users with viruses (which will make the problem orders of magnitude worse) or just annoy other users with spam.

Still speaking for myself, a compromised system can get off our blacklist if they run a security check and clean off any malware that is sending the spam.  Only then would we delist an IP.  Until then, if you're on our list you will stay there until we are sure you have cleaned up your act.

Besides which, most of our spam comes from IPs sending us very high percentages of spam (>90% mail marked as spam).  Most of our legitimate mail comes from users that are very clean.  There is only a small grey area in between.  I think we ought to be willing to sacrifice some legitimate mail for the sake of security.  In a round-about way, we're doing the compromised computer a favour - we're letting them know they have a problem.

Update: This doesn't answer my question of what happens if we blacklist a legitimate IP.  I have spoken for myself but not for Microsoft.  I think I'm going to leave it that way, we may or may not even use blacklists and I don't have the authority to say one way or the other.