Perspectives on Spamhaus's Dilemma

The Illinois court that told Spamhaus to stop blocking the spammer filing suit against them — an order which Spamhaus ignored — is now considering ordering ICANN to pull Spamhaus's domain records. While Gadi Evron, whose blog posting is linked above, urges everyone to beat the judge with a clue stick, a guest writer on his blog counsels much greater restraint. Anti-spam lawyer Matthew Prince explains how Spamhaus got into its current pickle — apparently by following conflicting legal advice at two points in the process — and what they might have to do to get out. One spamfighter of my acquaintance says that Spamhaus's SBL and XBL blocklists knock out 75% of the spam at his servers before it hits and requires more CPU-intensive filtering. If ICANN is ordered to unplug Spamhaus from the DNS, and does so, is the Net prepared to deal with a 4-fold increase in spam hitting MTAs overnight?

Ghostbusters

[eldavojohn]

One spamfighter of my acquaintance says that Spamhaus's SBL and XBL blocklists knock out 75% of the spam at his servers before it hits and requires more CPU-intensive filtering. If ICANN is ordered to unplug Spamhaus from the DNS, and does so, is the Net prepared to deal with a 4-fold increase in spam hitting MTAs overnight?

I'm reminded of the part in the Ghostbusters movie when the man from the EPA shows up and demands that they shut down the containment unit which houses all the ghosts since it's in violation of EPA rules.

Yeah, I know it's just fiction but it seems like this could be the same kind of thing.

Excerpt from the movie:
Dr. Ray Stantz: Everything was fine with our system until the power grid was shut off by dickless here.
Walter Peck: They caused an explosion!
Mayor: Is this true?
Dr. Peter Venkman: Yes it's true.
[pause]
Dr. Peter Venkman: This man has no dick.
Walter Peck: Jeez!
[Charges at Venkman]
Mayor: Break it up! Hey, break this up! Break it up!
Walter Peck: All right, all right, all right!
Dr. Peter Venkman: Well, that's what I heard!

I think the problem that the Ghostbusters faced in the movie was that the guy from the EPA was a prick and didn't bother doing any follow up or open a channel of communication with the Ghostbusters. Now, Spamhaus might be violating rules at the same time they provide the public a valuable service. Has the United State's judicial system attempted any lines of communication with them aside from a cease-and-desist letter threatening them with $11.7 million?

The Illinois court that told Spamhaus to stop blocking the spammer filing suit against them...

Where does it say that e360insight is a spammer? I think that Spamhaus should have to present proof that e360insight is an illegitimate spamming business [spamhaus.org]. I think that's important. If e360insight is a spammer, I'm siding with Spamhaus. Since they have taken the roll of deciding who is spamming and who isn't, I think they could use more accountability [spamhaus.org] than what I find indicated on their website.

what pisses me off...

[cavtroop]

what pisses me off about this whole situation is that using the Spamhaus RBL is OPTIONAL, and initiated by the receiving servers. Nobody said you HAVE to use Spamhaus, people CHOOSE to.

Damn, judges really should be expected to have a clue when sitting in on a case...

Hopefully ICANN is rational

[realmolo]

I imagine that ICANN will say "Uh...no" if they actually do get that court order. I mean, ICANN is kind of evil, but I guarantee they hate spammers AT LEAST as much as everyone else.

Re:Ghostbusters

[n0dna]

"Has the United State's judicial system attempted any lines of communication with them aside from a cease-and-desist letter threatening them with $11.7 million?"

Yup, they would have allowed them to defend their actions in court. Spamhaus chose not to appear, and instead have a default judgement rendered aginst them.

ICANN abuse

[JonyEpsilon]

If I've ever heard a compelling argument for an independent ICANN, this is it!

Re:Ghostbusters

[eldavojohn]

Yup, they would have allowed them to defend their actions in court. Spamhaus chose not to appear, and instead have a default judgement rendered aginst them.

What court though? I mean, if some business that I slighted in China brings a lawsuit against me, I'm not going to fly half-way across the world to defend myself. If Spamhaus is offering the maintenance of this list for free, I doubt they make much money. Couple that with the fact that people choose to use the list, I don't blame Spamhaus for farting in their general direction.

The Q-Tip Solution...

[patrixmyth]

If you use cotton swabs, and I'm hoping that you do, then take a moment to read the package. It clearly states that they are not to be put into your ear, despite the fact that plainly that's the use that 90% of consumers make of them. This is plainly because of liability issues which arise from people who can't seem to figure out how far to stick them in their ear. Perhaps Spamhaus could adopt a similar defense by distributing the list with the explicit instructions that it is not intended to be used to block spam, especially in the U.S. and uber-especially in the region where this judge has authority. Just a thought, seems at least as effective as holding your ears and screaming "LA-LA-LA-LA" everytime the court tries to tell you what to do.

Jurisdiction

[chiller2]

Is this perhaps why there was pressure to separate the US government from ICANN? Maybe now we can see why.

US court
US spammer
UK RBL

Re:What'll happen if spamhaus disappears from DNS?

[Mixel]

So you can use the spamhaus' DNS server, querying it directly, using its ip.

Re:Ghostbusters

[ArsenneLupin]

I don't blame Spamhaus for farting in their general direction.

They just should be careful enough to widely publish their new .co.uk address before the hammer hits, so that we can reconfigure our MTA's in time.

Indeed, a fart is not really a fart if it doesn't smell...

Re:Ghostbusters

[n0dna]

I don't actually blame them either, but you do have to be prepared to accept the consequences of your actions.

If China had the ability to make your life miserable, you maybe ought to consider hiring a lawyer. You can't run something like Spamhaus without understanding that you are stepping directly on the spammer's bottom line, and you have to expect the need to defend yourself legally. Ignoring legal proceedings is an option, but not a defense. Had they chosen to fight it, they could have made the argument that their RBL is in fact optional. They chose not to. Now they are facing the consequences.

Just because you are not guilty of a crime doesn't mean you don't have to show up if you're indicted.

Re:Hopefully ICANN is rational

[maxwell demon]

Moreover, given that there are ambitions to get control away from ICANN to an internationally controlled entity, for ICANN it would essencially be suicide to follow such an order. Because it would deliver the perfect argument: A real world case causing huge damage to everyone, which would not have been possible if it were under international control.

Re:Perspectives

[dodobh]

Spamhaus method of fighting spam dont stops 3/4 of the spam of the world. Probably graylists, bayesian analisys, and other methods stops far more.

You obviously don't run a mail server with > 1 user. The sbl-xbl list stops ~ 80% of our spam. That's for a small email service provider, defending only about 75 million email addresses.

Bayesian doesn't stop spam. It just flags stuff as possible spam. Humans are worse filters than any software. If you have to look for false positives in a spam folder, don't even bother to filter stuff. That is just a waste of CPU cycles.

On the smaller servers I run, recipient validation handles ~ 50% of the spam, the sbl-xbl stops ~ 80% of the rest, dynamic IP blocks and hostname checks stop the remaining.

Re:Hopefully ICANN is rational

[cgenman]

It's a good thing that the management of ICANN was turned over to an international consortium to tend the domain name system in a broadly fair and equitable... wait, what? Crap. Nevermind.

Re:Um, the problem was that they switched horses..

[partenon]

"But the individuals affected by the order may be unable to set foot in the U.S. for the rest of their lives, even to change planes."

Is it supposed to be bad?

I propose a solution

[kimvette]

Publicly post the judge's and the plaintiff's email addresses publicly on every messageboard and blog known to man, sign them up for every known advertising list, freebie offer, etc. and extend this to their families as well.

You'll see the order rescinded and the spammer's case thrown out of court with prejudice.

I'm amazed

[belmolis]

I'm amazed at the knee-jerk reaction of so many people here. I hate spam as much as the next person, but claiming that the judge is ignorant, stupid, or malicious is ridiculous. The fact is, Spamhaus responded to the suit in the most inappropriate way imaginable, by acknowledging the federal court's jurisdiction and thereafter ignoring it. If you get a traffic ticket, even if it is unwarranted, what would you expect to happen if you turn up in court, then walk out and refuse to communicate any further with the court? What Spamhaus has done is the equivalent, only federal judges have a LOT more power. Spamhaus should either have challenged the court's jurisdiction from the outset or, having accepted it, complied with its orders and defended the suit.

Other than Spamhaus trying to correct the situation, I wonder if third parties might be able to submit an amicus brief to the court along the lines of: "Yes, Spamhaus behaved liked idiots, but cutting them off is not in the public interest.":

Re:Hopefully ICANN is rational

[Tony Hoyle]

The EU is ready to take over ICANN regionally already - they needed to to have a credible threat to get their own way last year, and make no mistake if they were pushed make the switch that will end ICANN (and probably end the idea of a single global entity controlling DNS.. it'll be down to regional ones, because China will want their own, the US will probably keep ICANN, etc..).

If ICANN start ordering UK websites down at the request of random US courts then that'll be a pretty hard push in that direction. Even the americans aren't that bloody stupid.

Re:OK, a correction

[belmolis]

No, sorry. You've ignored my argument. This is Spamhaus's fault, not the judge's. The judge was correct in ruling against Spamhaus since Spamhaus failed to defend the suit, and as a non-techie cannot be expected to realize what the consequences of taking down Spamhaus would be. Had Spamhaus behaved responsibly, they might well not have lost the suit, but if they had, they would have had the chance to explain to the judge the consequences of different remedies.

Re:Ghostbusters

[Binestar]

However, we, in the US, have this little thing called the first amendment. The right to free speech. What Spamhaus (or rather, the email server admin) does is interfere with end users ability to receive free speech.

This is an opt-in DNSBL. So your little "free speach" defense doesn't work.
 
Even considering SPAM to be free speach, it doesn't hold up. The people subscribing to the DNSBL are doing do with their own private property. Your right to free speach ends on my property, just as your right to swing your arms wherever you want ends at my nose.

Re:Ghostbusters

[petermgreen]

unplugging a first world countries tld would probablly result in ICANN very rapidly losing its control over the root of the DNS.

Re:Ghostbusters

[element-o.p.]

Nuts. I was agreeing with you until you finished quoting Ghostbusters

Now, Spamhaus might be violating rules

Whose rules is Spamhaus violating? The rules set by the State of Illinois? So freaking what? IIRC, spamhaus is based in England. If I were in Saudi Arabia, I could be sentenced to death because of my religious beliefs, but guess what--I'm not in Saudi Arabia, so I couldn't care less! Why is this any different? Spamhaus does not have a physical presence in Illinois, nor, for that matter, anywhere else in the United States, so why should they have to follow some stupid law that a non-technical, idiot politician in another country wrote?

I think that Spamhaus should have to present proof that e360insight is an illegitimate spamming business [spamhaus.org].

Again, I ask "why?"

Spamhaus doesn't block spam--they provide a database of IP addresses that mail server administrators can use at their own discretion to block suspected spam sources. So, if Spamhaus isn't blocking e360insight's mail servers (they aren't), then why should they have to "prove" that e360insight is a spammer? As I understand, Spamhaus essentially has a network of honeypot e-mail addresses. Anything hitting these addresses is, by definition, unsolicited, and therefore spam.

As far as accountability...well, if you are a mail server administrator, you decide to start using Spamhaus' database to make decisions about from whom you will accept e-mails, and you find that the amount of spam hitting your inbox has dropped by a factor of four, how much more accountability do you need? You always have the option of hard-coding an Allow rule into your mail server config files, if you find that you are missing e-mails from what you perceive to be legitimate sources.

The State of Illinois needs a reality check. They wrote a "Super DMCA" law a few years ago that essentially hamstrings IT security professionals (see http://www.hackbusters.net/ [hackbusters.net] for more details), and this is just another example of poor legislation victimizing the innocent.

Re:Ghostbusters

[Anonymous Coward]

No offense, but you obviously do not understand the Constitution.

First Point:

The First Amendment protects free speech from repression by THE GOVERNMENT, not a from repression by a private entity like Spamhaus.

Second Point:

Now if you were to argue that Spamhaus' rights were being abridged based upon the Judge in Illinois ruling, then you might have a point. From my perspective, this judge appears to be clueless in a number of aspects including the Constitution, his jurisdiction, and his understanding of the service Spamhaus provides.

Sigh.

Re:Chicken Little FTL

[dodobh]

92K messages in a maillog file? Over what time period? Is that a toy server?

My current estimates say that $ORK is blocking ~ 400 to 500 million messages a day using DNSBLs, about 80% of which is the sbl-xbl.

Re:Ghostbusters

[inviolet]

Spamhaus doesn't block spam--they provide a database of IP addresses that mail server administrators can use at their own discretion to block suspected spam sources. So, if Spamhaus isn't blocking e360insight's mail servers (they aren't), then why should they have to "prove" that e360insight is a spammer? As I understand, Spamhaus essentially has a network of honeypot e-mail addresses. Anything hitting these addresses is, by definition, unsolicited, and therefore spam.

You are right and I agree. Death to spammers.

However. The fact remains that spamhaus wields quite a bit of power. They have accumulated that power by means of the zillion admins who have opted-in. They are now wielding that power, and in so doing they have invited and legitimized a measure of public skepticism and scrutiny.

Even though everything about spamhaus is optional and consensual, the judge may be looking at the power angle, rather than the consent angle. All concentrations of power are suspect, and many jurists believe that they have an inherent right to intervene in the use of any concentration of power.

Once again, I'm all for spamhaus. I'm a little-L libertarian myself, and spamhaus is an ideal solution in my book. But suppose that 360insight is actually innocent . . .

Perspective from a damaged party

[Anonymous Brave Guy]

Let me put an alternative perspective to the AC e-mail security guy who wrote the parent post.

I am the IT officer for a local non-profit organisation, with a few thousand members. We run a mailing list, to provide announcements to those members. The list is opt-in (double opt-in to verify all addresses, in fact) and moderated, and everyone on it has explicitly asked to be there.

Our service provider has recently sent a notice to their announcements list (to which I subscribe) indicating that certain major names, including Hotmail and AOL, are no longer accepting mail from our provider. They don't even bounce it properly; they silently drop it. This is all done in the name of fighting spam, so they claim, because our service provider forwards a lot of spam onto them. (Our service provider forwards any mail received at a paying customer's address to any forwarding address requested by that customer, in fact.) The content of any given mail, and the specific people it's going from and to, are irrelevant to this blanket ban.

As a consequence of this, we now find that some of our members who use e-mail accounts at those hosts are not receiving mails they have explicitly asked for. Neither we, nor our members, nor our service provider is doing anything unreasonable. The only reason this system is broken is because of an arbitrary decision by a big name provider to throw their weight around, by blocking all incoming mail from a small provider (who are not the only ones being hit by this problem -- far from it, by the sounds of things), even if this goes against the explicit wishes of one of their own paying customers.

Now, you can rationalise that decision all you like as a big IT honcho, but the simple fact is that these organisations are screwing their own customers, and ultimately undermining the entire working of the Internet e-mail system, by being incompetent and not playing nice with others. Sooner or later, people are going to start missing really important messages as opposed to just convenient or entertaining ones, and those providers are going to learn a harsh lesson. I imagine a few small providers will start bringing anti-competition lawsuits if the big names carry on down their current road as well. But in the meantime, your approach sucks for your customers, it sucks for people working with your customers, and it sucks for other service providers working with you. It is an indefensible attack on the openness of the Internet, and you deserve to be shot down for it.

Free Speech by Spamhaus

[billstewart]

Sorry if this is troll bait, but...

• Spamhaus puts out a list of people they believe to be jerks.
• You can decide whether to use it or not.
• One of these jerks decided to sue Spamhaus to stop letting people know they were jerks.
• The jerks allege that telling everybody you're a jerk is "restraint of trade".
• Spamhaus isn't based in the US, so they don't think the court in Illinois has jurisdiction over them.
• If Spamhaus were to sue the jerks in a UK court, for something like libel, they could probably get a judgement - UK courts are at least as expansive about lawsuits against defendants anywhere in the world, and have a lower burden of proof on libel/slander suits than US courts do.
• By suing Spamhaus, in such a blatantly incorrect way, the alleged jerks have demonstrated that they *really are* jerks. I wouldn't do business with them, where "doing business" includes accepting email.

Re:Ghostbusters

[chickenandporn]

Imagine trying to tell the Ghostbusters that you're not a ghost. Now try it while they ignore your ghostly words since they don't talk to ghosts. Next, try it while they ignore your goulish prose since they don't talk to ghosts from which they're saving the world, the world which should give them praise and parades and icecream. Even if your prose is, well, poetic.

As a "spammer" in their eyes, and trying to cause them to reconsider, I was quickly changed from a supporter to someone who recognizes the futility of arguing with a Zealot.

Let me explain it for the Slashdot crowd: until impacted by DRM, DRM is perfectly great to you. Until Windows has a virus, it's a blissful day or so, and everything runs on it. So is the quality service you get from Spamhaus, but you don't understand until you get bitten. ...and I'm still not a Spammer, but don't bother trying to convince Spam-"we'll change our evidence to fit the crime"-haus

Re:Ghostbusters

[rudeboy1]

I call shenanigans on this. Spamhaus' list is a voluntary addition to an admin's arsenal. It's not like Spamhaus is some sort of government agency that just put their collective foot down and said company x is now considered a spammer. From a neutral footing, I don't see what law they've broken.
    Look at it another way. I don't like Circuit City. I think the people that work there are typically morons, and I encourage people to shop elsewhere. If these people take my advice, it is a voluntary decision. Am I legally actionable for expressing my opinion that Circuit City is not worth people's time and money? IANAL, but I certainly hope not. Am I in any way breaking the law if I express my opinion in a large enough forum (notice I said OPINION... in this analogy, were I to do anything else, such as spread rumors, or misinformation, it would be a misleading analogy as Spamhaus has done nothing to libel the company in question) that it affects Circuit City's bottom line? No. That would be a free speech issue. One could argue that Spamhaus' determination that this company is a spammer is nothing more than an exercise in free speech, and simple recommendation toward it's user base.
    This is another classic example of a company finding out it's way of doing business is being threatened by the changing winds, and trying to find a litigation solution rather thana new business model. I understand it from their perspective; it is easier to sue somebody than change the way you do business. However, one of two conclusions can be reached: 1)The litigating company is in fact a spammer, and the system works. Their lawsuit/injunction is simply a clever way for an immoral company to win out against those that might hurt their business, and as such should be fought and hopefully won on the grounds of simply exposing them for what they truly are. Or, 2)They are a legitimate company-a dolphin caught in the tuna net. In which case, they simply need to prove their legitimacy in court, Spamhaus takes them off their list, and the problem is solved.
    In either case the answer is not blind litigation, but due process. I think the fact that the company mounting the legal battle has tried these tactics suggests that there may be a mar on their legitimacy. That, or since Spamhaus didn't answer their earlier claims, this is a means to make them take notice. Hopefully that is all it is; a threat. Having their ICANN records pulled is a useful scare tactic, but if it actually happens, it sets a bad precedent for these sorts of cases. I can see the same thing happening with antivirus software. If a company whines loud enough (righteous or not) that they are legitimate, will they be able to successfully force a company like Norton to pull them off their list by sheer legal tactics? I hope not.

Re:This could be the end of U.S. DNS control

[russotto]

Quite a rant, but that's all it is.

1) The U.S. hasn't summoned Spamhaus to appear in court. According to the court documents posted so far, Spamhaus was never served with this lawsuit.

2) The U.S. so far hasn't shown any willingness to yank the site. Rather, there's a _proposed_ order from a Federal judge in the Northern District of Illinois which would yank the site. IANAL, but I know a court's powers to compel third parties are limited, and there might be an issue of that district's jurisdiction over ICAAN. Nothing has happened yet.

3) Taking ICAAN out of US hands solves nothing. Wherever the new independent organization is located, it will be subject to the court orders of that jurisdiction. Do you think Europe has no judges willing to write such orders?