And again, its GMail users in the shackles. SpamCop recently added several Gmail servers to its blacklist. The reason: some spam came from those servers, and Google doesn’t pass the originating IP address of the email user. They prefer instead to push their own IP in place of the standard “X-Originating-IP” header line delivered from competing webmail providers, so SpamCop added the whole server(s).

I am not sure what Google’s beef over privacy is here, but it makes little sense to me.

First, it is extremely difficult to learn much about a sender from their IP address, other than the general locale that particular email was generated from. But why would a legitimate user care about that? The good guys aren’t going out of their way to remain anonymous (at least not yet). It’s the bad guys altering their headers, bouncing emails off open proxies, and using privacy tools to mask their real locations that you have to worry about, and an IP address in plain site is not going to bother them too much. In fact, it is a boon for them - one less thing to worry about.

On the alternative side, Brian McWilliams noted that the Gmail servers in question are not on other big blacklists, which makes you wonder how SpamCop is making decisions on their own account.

Like the AOL/MAPS problem some time ago, Gmail will likely get this straighted out. But the question remains - does the fault lie with an overzealous blacklist or an email service with some funky privacy policy?

I can’t really add much to Techdirt’s opinion on what is and isn’t spam - it is in fact a matter of perception.

But the underlying problem regarding blacklists does deserve some elaboration. When a blacklist adds a record because of just a few complaints, legitimate mailers to legitimate opt-in customers do get hurt. Unfortunately, the everyday Joe has neither the time, inclination, nor skills to manage a personal blacklist (whether it is implemented directly or by their email service provider). The issue deserves additional attention, I’m just not sure who is the right one for the job.

As part of its anti-phishing romp (deemed suitable only for US customers, of course), Microsoft is going to be blacklisting websites deemed shady. Which brings up an interesting question - how is such a nice gesture going to be implemented?

If Microsoft stores all these sites themselves, then you have to call on Microsoft every time you surf. Which means Microsoft gets a nice little picture of all your browsing habits, whether you go to check your VISA bill or arbitrarily hit “www.IAMGOINGTOSTEALALLYOURMONEY.com.” If the boys in Redmond pass the blacklist on to you, refreshing every time a new scam site pops up on the list (which is about once every tenth of a millisecond), then you are going to need a bigger hard drive.

According to spammers, the folks who run RBLs (Real Time Blackhole Lists) are terrorists lurking in the shadows, pouncing on unsuspecting small internet merchants, and blocking the IP addresses of entire continents at the drop of a hat. That just isn’t true, but it also doesn’t mean that RBLs won’t ever need some checks and balances either.

After reading this post from Slashdot, and scouring the comments, I came to a conclusion. RBLs may need some help now and again, and maybe they are a little too aggressive at times, but “democracy” generally prevails. In addition, a number of commentors at both Slashdot and NANAE noted that the poster was likely a spammer complaining about getting squashed by MAPS. That is something that shouldn’t be ruled out.

According to the majority, RBLs are better than the alternative, which is unbridled spam. The innocent will just have to deal with it until a better solution presents itself.

The incident mentioned over at Slashdot does bring up some questions, at least for me. Services such as MAPS/Kelkea are for-profit enterprises. They have a vested interest in keeping spam from hitting their subscribers’ databases. So, the bigger the database of IP adddresses, the better. With more than 1.5 billion addresses in their collection, Kelkea could be prone to error. And the more addresses they gather, the bigger the errors are going to become. Is it Kelkea’s responsibility to serve clean information to their customers, or is it an ISP’s responsibility to notify customers that the IP address they were just given could have been used by a spammer years back (and therefore could be subject to some blocking)?

Without some check of those records, and the records other blacklists and greylists, we may never know. In the meantime, small merchants and webmasters should make sure their IPs are whitelisted with the major ISPs, just in case.

There are certainly some major advantages to having a personal whitelist working for you. After it has been properly configured, you can be fairly certain the volume of spam is going to drop. But getting it configured can be an ongoing job, particularly in the spoof-a-thon world we live in now.

The big advantage of a whitelist, challenge-response combination is you don’t get any spam from someone not on that list. Any sender not on the list drops directly into a junk-mail folder. If the system sits server-side, the spam gets junked before it hits the desktop. But with spammers spoofing Return-Path and From line information, what you are going to get are a lot of whitelist inclusion requests.

I am not putting down the Choicemail system described in the article below. Whitelist-only challenge-response systems are certainly tough to get around - nearly impossible. But I think it is wishful thinking to expect a challenge only once every couple of weeks, as the VP of Sales at Choicemail, Dan Wallace, suggests. An implementation at the server level, managed across the network, would reduce the spam level even further, but the challenges from disparate sources are again going to take some resources to manage.

Whitelisting functions (even at the personal level) are nothing new either. I can set my Entourage junk-mail settings to “exclusive,” meaning any inbound email not in my address book goes direct to junk. The ‘exclusive” option turns my address book into a whitelist. Nonetheless, the real spam I do receive never comes from the same address - in all cases, the sender address is spoofed, and most of it comes from zombied machines, so I continue to rely on the Bayesian filter to get rid of the spam at the “high” setting. Note that the same setup is available to Outlook users under the Tools, Options, Junk E-mail settings. The Outlook options also include Top-Level domain management, as well as rejection of email with chosen encoding.

Read more here, in Techology New’s review: Permission-Based Filtering Puts Kibosh on Spam.