Spam blacklisting question

Every now and then one of our users has some of their emails rejected by the blacklisting service Spamhaus - “Rejected: 87.53.155.26 listed at sbl-xbl.spamhaus.org” or words to that effect (I changed the IP address).

I understand that this means that spam has been sent from that IP address to a Spamhaus subscriber, but what about ISPs who give out addresses dynamically? What’s to stop somebody with a malware-riddled PC getting their IP address blacklisted, only for some other blameless person to be given the same IP address the next day and find themselves wrongly blacklisted?

That person does one of two things:
- Complains to their ISP loud enough to get their ISP to drop spammy customers and get off the blacklist.
- Drops the ISP and finds one not on a blacklist, something that makes the ISP either drop the spammers or become a dedicated spamhaus. Guess which course of action gets it off the blacklist.

This is an intended result of the whole blacklist process. Entire ranges of IP addresses (subnets, to use the technical term) are blacklisted simply because the ISP that controls those addresses is a known spamhaus and is spewing tons of crap day in and day out.

No sysadmin is required to carry anyone else’s crap.

If this seems unfair, read the above sentence until it makes sense.

The relevant section of the Spamhaus.org FAQ.

OK. I guess I meant to ask whether such a scenario is possible, and you’re saying that it is.

Indubitably. The SPEWS FAQ is much more explicit on this matter:

Dynamic IP addresses are very often listed for exactly the reason you state, that spam has come from that address in the past, and because of this sending mail directly from a dynamic address is now actively discouraged. In fact, there are many blacklists that attempt to list all dynamic addresses on the assumption that it is much more likely that any email directly from them is spam. This has become even more common now that spammers are hijacking end-users’ computers to be their mail relay.

The standard has become that all email should be relayed through the ISP’s mail servers rather than local ones, or that if you must run a local outbound mail server you should get a static IP/subnet. Most ISPs now block outgoing mail from their dynamic IPs to any other mail servers than their own, so you might not even have the option of running a local outbound mail server on a dynamic IP address.

In general I’m a fan of the real-time blacklists (RBLs), but many mail administrators, even those that should know better, take too draconian an approach and deny all mail based on many different blacklists which all have different ideas of who should be listed. For small ISPs this can cause a lot of headaches when one problem user sends out some junk and gets the whole ISP blocked. Sure, it’s effective at getting that problem user promptly removed from the ISP, but at the cost of lost customers to the ISP who couldn’t send email while all the different lists take their time removing the blacklist entry. Most small ISPs who fall into this category would have removed the problem user anyway. Only blacklists with quick and painless ways of getting removed from the list should be used to deny email. All other blacklists should be used as only one of many criteria to filter spam from legitimate email.
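As an added illustration of that last point (example code, not from anyone in the thread), here is a Python sketch of a receiving-side policy: a hit on a zone with quick self-service delisting rejects outright, while hits on other lists only add weight to a spam score. The two zone names besides sbl-xbl.spamhaus.org, the weights, the threshold and the canned DNS answers are all constructed so the example runs offline; the live resolver is used only when no other resolver is passed in.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Hypothetical policy table. "reject" zones are those with a fast, painless
# delisting path; "score" zones only contribute to a spam score.
# sbl-xbl.spamhaus.org is the zone named in the thread; the other two are
# constructed placeholders (.invalid is reserved and never resolves).
DNSBL_POLICY = {
    "sbl-xbl.spamhaus.org": {"action": "reject", "weight": 5.0},
    "dynamic.example-dnsbl.invalid": {"action": "score", "weight": 2.0},
    "slow-delist.example-dnsbl.invalid": {"action": "score", "weight": 1.5},
}

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, under the zone."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone

def live_resolver(name: str) -> Optional[str]:
    """Real A-record lookup; NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def evaluate_sender(ip: str, resolver: Callable[[str], Optional[str]] = live_resolver,
                    policy: dict = DNSBL_POLICY, threshold: float = 3.0) -> dict:
    """Query each zone; reject on a 'reject' hit, otherwise accumulate a score."""
    score, hits = 0.0, []
    for zone, rule in policy.items():
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer is None or not answer.startswith("127."):
            continue  # DNSBLs signal a listing with an answer in 127/8
        hits.append((zone, answer))
        if rule["action"] == "reject":
            return {"verdict": "reject", "score": score + rule["weight"], "hits": hits}
        score += rule["weight"]
    verdict = "quarantine" if score >= threshold else "accept"
    return {"verdict": verdict, "score": score, "hits": hits}

# Constructed answers standing in for DNS, so the policy can be exercised offline.
FAKE_ANSWERS = {
    "26.155.53.87.sbl-xbl.spamhaus.org": "127.0.0.4",        # the thread's (altered) IP
    "5.0.0.10.dynamic.example-dnsbl.invalid": "127.0.0.2",   # a dynamic-range listing
    "5.0.0.10.slow-delist.example-dnsbl.invalid": "127.0.0.2",
}

def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)
```

With the fake resolver, the thread's IP is rejected on the fast-delisting zone, a host listed only on the two slow lists is quarantined rather than bounced, and an unlisted host is accepted.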