2 Ways to Avoid Spamhaus Blacklisting

By Sue Wieberg

Have you ever heard that saying, “It’s better to beg for forgiveness than to ask for permission”? When it comes to your IP being blacklisted, this is most certainly not the case. Once blacklisted, an IP address will have serious deliverability issues, not just for campaign emails but for ALL emails. So not only will your email campaign fail, anyone using the blacklisted IP will be affected. This will have a catastrophic impact on productivity and reputation. Why should you worry? It is easier to get blacklisted than you think.

“Bots were – and are – being used to sign up innocent email addresses through open or poorly secured web sign-up forms in high volumes. Some subscriptions were added at ESP interfaces, many more were introduced at diverse list-owner locations around the web. These signups were made possible by the fact that many web forms use Single Opt-In (SOI) and accept all subscriptions without any verification.”*

Everyone who creates any sort of web-based signup that sends an email has a responsibility to stop this kind of attack, especially as Spamhaus believes these recent attacks were a test for a Mail-bombing as a Service (MaaS) tool that will be offered for sale in the underground economy.

You can check to see if your IP Address or domain is listed with Spamhaus.

How can you avoid being blacklisted by Spamhaus and protect your IP?

Well, there are two primary ways to avoid being blacklisted. The first and best is to use CAPTCHA to prevent bot signups. Google’s reCAPTCHA is commonly used. You can find more information about this here.

The second method is to utilize a confirmed opt-in process or double opt-in. A confirmed opt-in process will send a confirmation email to new email addresses that are to be added to your database.

Why only one confirmation?

In a recent mailing list subscription attack, sending multiple confirmation emails was actually the cause of some companies being blacklisted. So an important consideration in a confirmed opt-in process is to send only ONE confirmation email.

For confirming opt-ins, you can add a processing step to your forms. This processing step will add the record to a campaign canvas. The campaign canvas will evaluate if the record has confirmed their opt-in. You can confirm their opt-in by evaluating a contact or custom data object (CDO) field. If the record has not confirmed, an email will be sent to the individual asking them to confirm their opt-in. The email can contain a button that includes a blind form submit. The form would then have a processing step that updates either a contact field or CDO field.

If the individual does not click through, you have a few options on how to suppress those contacts in future campaigns. Here are a couple:

  1. Add the contact to a shared list and add the shared list to the Master Exclude.
  2. Add the contact to a program that globally unsubscribes the record.

Having a confirmed opt-in process also means not automatically using email addresses that come in through form submissions for future email campaigns unless they have opted in and been confirmed.
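The confirmed opt-in flow described above, sketched as an added example (it is not code from the original post or from any marketing platform): a repeat signup for the same address never triggers a second confirmation email, and only confirmed addresses become mailable. The `OptInStore` class, its in-memory dictionary standing in for the contact or CDO field, and the seven-day link lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)   # signing key (assumption: generated and kept server-side)
TOKEN_TTL = 7 * 24 * 3600          # assumed lifetime of the confirmation link, in seconds


class OptInStore:
    """In-memory stand-in (hypothetical) for the contact / CDO opt-in field."""

    def __init__(self):
        self.state = {}    # normalized email -> "pending" | "confirmed"
        self.outbox = []   # (email, token) pairs that would be handed to the mailer

    @staticmethod
    def _sign(email, expires):
        msg = f"{email}|{expires}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def subscribe(self, email, now=None):
        """Form submission: queue at most ONE confirmation email per address."""
        email = email.strip().lower()
        if email in self.state:      # repeat (possibly bot-driven) signup: send nothing
            return False
        expires = int(time.time() if now is None else now) + TOKEN_TTL
        self.state[email] = "pending"
        self.outbox.append((email, f"{expires}.{self._sign(email, expires)}"))
        return True

    def confirm(self, email, token, now=None):
        """Click on the confirmation link: verify the token, then mark confirmed."""
        email = email.strip().lower()
        now = time.time() if now is None else now
        try:
            expires_s, sig = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:
            return False             # malformed token
        expected = self._sign(email, expires)
        valid = hmac.compare_digest(sig.encode(), expected.encode())
        if not valid or now > expires or email not in self.state:
            return False
        self.state[email] = "confirmed"
        return True

    def mailable(self):
        """Only confirmed addresses are eligible for future campaigns."""
        return sorted(e for e, s in self.state.items() if s == "confirmed")
```

Because the token is an HMAC over the address and expiry, the confirmation link cannot be forged for another address, and pending addresses stay out of `mailable()` until the link is clicked.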

As a best practice, in order to avoid being blacklisted, use both CAPTCHA and a confirmed opt-in process.

Here is an example of how that campaign canvas may look:


*Source: Spamhaus

About the author:

Sue Wieberg

Delivery Director