The Lumber Cartel, local 42 (Canadian branch)

Glossary - False positive

A "false positive" is a result that is erroneously positive under circumstances where such results are normally unexpected.  For example, if a person eats poppy seeds (commonly added to some types of bagels), a drug abuse test could lead to a "false positive" result for cocaine use, despite the non-narcotic nature of this food additive.

Blocking sources of spam by IP address

In the context of using a blacklist to block inbound messages from IP addresses known to be sources of spam, there are no "false positives" where a listing error (e.g., technical, human, etc.) did not occur; administrators expect that all eMail communications from listed IP addresses will be blocked, regardless of message content.

The reasons for using anti-spam blacklists on mail servers include, but are not limited to, the following:

  • the blacklisting criteria are acceptable
  • to block communications from known sources of spam (which stops spam)
  • to reduce bandwidth and operational costs
  • to indicate to internet providers that spam is unacceptable
  • to encourage internet providers to avoid doing business with spammers
  • because it's the right thing to do

The point of blocking an IP address is that those responsible for it will know that their system is emitting spam, either by way of system error reports or end-user complaints; with this knowledge, the operators can take appropriate steps to stop the spam (e.g., by fixing security problems, terminating spammer accounts, etc.).  Because ISPs commonly use a small number of IPs for outbound mail for many different clients, the more popular blacklists are actually more effective at applying pressure to ISPs who don't take the spam problem seriously.

For a blacklist that works on the basis of IP addresses (as the vast majority do), it's not possible to differentiate between what is or isn't spam, nor should that be the job of such a blacklist, since this could potentially require eMail content inspection or other related techniques (e.g., blacklists that catalogue internet domain names instead of IPs, which are also very effective).
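The sketch below is an added example, not part of the original page: it shows how a mail server consults an IP blacklist at connection time, assuming the list is published as a DNS zone with the query layout of RFC 5782. The zone name `bl.example.org`, the addresses, the senders and the stand-in resolver are all constructed for illustration.

```python
import ipaddress

def dnsbl_query_name(client_ip, zone):
    """Build the DNS name looked up for client_ip (RFC 5782 layout)."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))            # four octets, reversed
    else:
        labels = reversed(ip.exploded.replace(":", ""))  # 32 hex nibbles, reversed
    return ".".join(labels) + "." + zone

def connection_allowed(client_ip, zone, resolve):
    """Connection-time decision. resolve(name) returns the A records for
    name, or [] if it does not exist. Message content is never an input."""
    answers = resolve(dnsbl_query_name(client_ip, zone))
    return not any(a.startswith("127.") for a in answers)

ZONE = "bl.example.org"  # hypothetical blacklist zone

# Constructed zone data standing in for a real DNS resolver:
# only the ISP's shared outbound relay 203.0.113.10 is listed.
FAKE_RECORDS = {"10.113.0.203.bl.example.org": ["127.0.0.2"]}

def fake_resolve(name):
    return FAKE_RECORDS.get(name, [])

# Constructed connections: (connecting IP, sender, message body).
CONNECTIONS = [
    ("203.0.113.10", "spammer@isp.example", "BUY NOW!!!"),
    ("203.0.113.10", "customer@isp.example", "Minutes from Tuesday"),
    ("198.51.100.7", "someone@other.example", "Hello"),
]

def decide_all(connections=CONNECTIONS):
    """Return (sender, accepted) for each connection; the body is ignored."""
    return [(sender, connection_allowed(ip, ZONE, fake_resolve))
            for ip, sender, _body in connections]

if __name__ == "__main__":
    for sender, accepted in decide_all():
        print(sender, "accepted" if accepted else "rejected: source IP is listed")
```

Both senders behind the listed relay are rejected, because the only key the lookup has is the connecting address.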

Social impact

One essential point is that when the IP address of a system is blocked due to blacklist inclusion, it is the IP address that is listed, and not an individual user.  The operators who choose to use a given blacklist obviously agree with its criteria, removal options (if any), points of contact (if any), and democratic procedures (if any), or else they wouldn't use it.  To call it a "false positive" when legitimate eMail is blocked is actually confusing the issue.

Unfortunately, claims of "false positives" by spammers or ill-informed third-parties often arise.  The spammers are being manipulative.  The ill-informed third-parties, who are sometimes being manipulated, are usually end-users who have been provided with incorrect information about the criteria of the blacklist, the responsible parties, etc.

An ill-informed user who just wants to send eMail will sometimes complain to the blacklist user that "my ISP said you need to stop using that list because it has too many false positives."  After being directed to links that show the spam evidence (e.g., a Google search of NANAS for the offending IP) and given an explanation that the listed IPs are sources of such unethical/disgusting content (usually it's not too difficult to find spam samples that include filthy concepts describing actions involving certain human organs, animals, young children, etc.), the user then goes back to their ISP to demand that they fix the problem.

If the ISP just points the proverbial finger again, then it's only natural for the user to wonder if they really want to keep dealing with an ISP that can't solve simple technical problems such as this by terminating spammers (the end result has been that the ISP either fixes the problem, or, far more often, the customer switches to a different ISP that does take the spam problem seriously).

Claiming that the blockage of an IP address is a "false positive" is an inaccurate way to explain what's actually happening, and that leaves users with the incorrect impression that blacklists are dysfunctional.  Calling it "listing/blocking known sources of spam" is factual, and clearly does not invite the wrong impression, but this is not as easy to say as the word "blacklist."


Copyright © Inter-Corporate Computer & Network Services, Inc.  All rights reserved.
All trademarks are the property of their respective owners.