GMX's conclusion, namely to warn against using blacklists, is pretty stupid. The correct approach would simply be to close the hole, and then there would be no problems with blacklists. And ORDB isn't really problematic: you can trigger a new test yourself, and if it goes well, you get removed from the lists. And for anything more complex, there's a contact form.

In any case, there was a concrete reason why GMX ended up in this situation—using sender addresses as the sole qualification criterion for permissions is nonsense, since they can be forged arbitrarily.
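
To make the point about forgeable sender addresses concrete, here is an added example (not from the original post or from GMX) that compares a relay policy keyed on the envelope sender with one keyed on things the client cannot simply assert. It assumes the permission in question is the right to relay mail to outside recipients; the domains, networks and sessions are constructed, and the function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for illustration; not taken from the post.
LOCAL_DOMAINS = {"example.net"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

@dataclass
class Session:
    client_ip: str
    authenticated: bool  # True only after a successful SMTP AUTH
    mail_from: str       # envelope sender, chosen freely by the client
    rcpt_to: str         # envelope recipient

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def relay_allowed_by_sender(s: Session) -> bool:
    """Weak policy: a local-looking MAIL FROM is enough to relay anywhere."""
    return (domain(s.rcpt_to) in LOCAL_DOMAINS
            or domain(s.mail_from) in LOCAL_DOMAINS)

def relay_allowed_hardened(s: Session) -> bool:
    """Relay only on evidence the client cannot forge in the envelope."""
    if domain(s.rcpt_to) in LOCAL_DOMAINS:
        return True  # delivery to our own users is not relaying
    if s.authenticated:
        return True  # identity proven by credentials, not by an address
    ip = ipaddress.ip_address(s.client_ip)
    return any(ip in net for net in TRUSTED_NETS)

# Constructed sessions: normal inbound mail, an authenticated customer,
# and an unauthenticated outside host claiming a local sender address.
SESSIONS = {
    "inbound": Session("198.51.100.7", False,
                       "alice@example.org", "bob@example.net"),
    "customer_auth": Session("203.0.113.9", True,
                             "bob@example.net", "alice@example.org"),
    "forged_sender": Session("198.51.100.7", False,
                             "bob@example.net", "carol@example.org"),
}

def evaluate(policy) -> dict:
    return {name: policy(s) for name, s in SESSIONS.items()}

if __name__ == "__main__":
    print("sender-based:", evaluate(relay_allowed_by_sender))
    print("hardened:    ", evaluate(relay_allowed_hardened))
```

Under the sender-based policy the third session is relayed, which is exactly what a relay test flags; the hardened policy rejects it while still serving the first two.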

The original article is at heise online news.