Perspectives on Spamhaus's Dilemma 420
The Illinois court that told Spamhaus to stop blocking the spammer filing suit against them — an order which Spamhaus ignored — is now considering ordering ICANN to pull Spamhaus's domain records. While Gadi Evron, whose blog posting is linked above, urges everyone to beat the judge with a clue stick, a guest writer on his blog counsels much greater restraint. Anti-spam lawyer Matthew Prince explains how Spamhaus got into its current pickle — apparently by following conflicting legal advice at two points in the process — and what they might have to do to get out. One spamfighter of my acquaintance says that Spamhaus's SBL and XBL blocklists knock out 75% of the spam at his servers before it hits and requires more CPU-intensive filtering. If ICANN is ordered to unplug Spamhaus from the DNS, and does so, is the Net prepared to deal with a 4-fold increase in spam hitting MTAs overnight?
Ghostbusters (Score:5, Insightful)
Yeah, I know it's just fiction but it seems like this could be the same kind of thing.
Excerpt from the movie:
Dr. Ray Stantz: Everything was fine with our system until the power grid was shut off by dickless here.
Walter Peck: They caused an explosion!
Mayor: Is this true?
Dr. Peter Venkman: Yes it's true.
[pause]
Dr. Peter Venkman: This man has no dick.
Walter Peck: Jeez!
[Charges at Venkman]
Mayor: Break it up! Hey, break this up! Break it up!
Walter Peck: All right, all right, all right!
Dr. Peter Venkman: Well, that's what I heard!
I think the problem that the Ghostbusters faced in the movie was that the guy from the EPA was a prick and didn't bother doing any follow up or open a channel of communication with the Ghostbusters. Now, Spamhaus might be violating rules at the same time they provide the public a valuable service. Has the United State's judicial system attempted any lines of communication with them aside from a cease-and-desist letter threatening them with $11.7 million?
Where does it say that e360insight is a spammer? I think that Spamhaus should have to present proof that e360insight is an illegitimate spamming business [spamhaus.org]. I think that's important. If e360insight is a spammer, I'm siding with Spamhaus. Since they have taken the roll of deciding who is spamming and who isn't, I think they could use more accountability [spamhaus.org] than what I find indicated on their website.
what pisses me off... (Score:5, Insightful)
Damn, judges really should be expected to have a clue when sitting in on a case...
Hopefully ICANN is rational (Score:4, Insightful)
Re:Ghostbusters (Score:2, Insightful)
Yup, they would have allowed them to defend their actions in court. Spamhaus chose not to appear, and instead have a default judgement rendered aginst them.
ICANN abuse (Score:4, Insightful)
Re:Ghostbusters (Score:5, Insightful)
The Q-Tip Solution... (Score:5, Insightful)
Jurisdiction (Score:5, Insightful)
US court
US spammer
UK RBL
Re:What'll happen if spamhaus disappears from DNS? (Score:2, Insightful)
Re:Ghostbusters (Score:5, Insightful)
They just should be careful enough to widely publish their new .co.uk address before the hammer hits, so that we can reconfigure our MTA's in time.
Indeed, a fart is not really a fart if it doesn't smell...
Re:Ghostbusters (Score:2, Insightful)
If China had the ability to make your life miserable, you maybe ought to consider hiring a lawyer. You can't run something like Spamhaus without understanding that you are stepping directly on the spammer's bottom line, and you have to expect the need to defend yourself legally. Ignoring legal proceedings is an option, but not a defense. Had they chosen to fight it, they could have made the argument that their RBL is in fact optional. They chose not to. Now they are facing the consequences.
Just because you are not guilty of a crime doesn't mean you don't have to show up if you're indicted.
Re:Hopefully ICANN is rational (Score:5, Insightful)
Re:Perspectives (Score:5, Insightful)
You obviously don't run a mail server with > 1 user. The sbl-xbl list stops ~ 80% of our spam. That's for a small email service provider, defending only about 75 million email addresses.
Bayesian doesn't stop spam. It just flags stuff as possible spam. Humans are worse filters than any software. If you have to look for false positives in a spam folder, don't even bother to filter stuff. That is just a waste of CPU cycles.
On the smaller servers I run, recipient validation handles ~ 50% of the spam, the sbl-xbl stops ~ 80% of the rest, dynamic IP blocks and hostname checks stop the remaining.
Re:Hopefully ICANN is rational (Score:4, Insightful)
Re:Um, the problem was that they switched horses.. (Score:2, Insightful)
Is it supposed to be bad?
I propose a solution (Score:2, Insightful)
You'll see the order rescinded and the spammer's case thrown out of court with prejudice.
I'm amazed (Score:5, Insightful)
I'm amazed at the knee-jerk reaction of so many people here. I hate spam as much as the next person, but claiming that the judge is ignorant, stupid, or malicious is ridiculous. The fact is, Spamhaus responded to the suit in the most inappropriate way imaginable, by acknowledging the federal court's jurisdiction and thereafter ignoring it. If you get a traffic ticket, even if it is unwarranted, what would you expect to happen if you turn up in court, then walk out and refuse to communicate any further with the court? What Spamhaus has done is the equivalent, only federal judges have a LOT more power. Spamhaus should either have challenged the court's jurisdiction from the outset or, having accepted it, complied with its orders and defended the suit.
Other than Spamhaus trying to correct the situation, I wonder if third parties might be able to submit an amicus brief to the court along the lines of: "Yes, Spamhaus behaved liked idiots, but cutting them off is not in the public interest.":
Re:Hopefully ICANN is rational (Score:5, Insightful)
If ICANN start ordering UK websites down at the request of random US courts then that'll be a pretty hard push in that direction. Even the americans aren't that bloody stupid.
Re:OK, a correction (Score:3, Insightful)
No, sorry. You've ignored my argument. This is Spamhaus's fault, not the judge's. The judge was correct in ruling against Spamhaus since Spamhaus failed to defend the suit, and as a non-techie cannot be expected to realize what the consequences of taking down Spamhaus would be. Had Spamhaus behaved responsibly, they might well not have lost the suit, but if they had, they would have had the chance to explain to the judge the consequences of different remedies.
Re:Ghostbusters (Score:4, Insightful)
This is an opt-in DNSBL. So your little "free speach" defense doesn't work.
Even considering SPAM to be free speach, it doesn't hold up. The people subscribing to the DNSBL are doing do with their own private property. Your right to free speach ends on my property, just as your right to swing your arms wherever you want ends at my nose.
Re:Ghostbusters (Score:3, Insightful)
Re:Ghostbusters (Score:2, Insightful)
Whose rules is Spamhaus violating? The rules set by the State of Illinois? So freaking what? IIRC, spamhaus is based in England. If I were in Saudi Arabia, I could be sentenced to death because of my religious beliefs, but guess what--I'm not in Saudi Arabia, so I couldn't care less! Why is this any different? Spamhaus does not have a physical presence in Illinois, nor, for that matter, anywhere else in the United States, so why should they have to follow some stupid law that a non-technical, idiot politician in another country wrote?
Again, I ask "why?"
Spamhaus doesn't block spam--they provide a database of IP addresses that mail server administrators can use at their own discretion to block suspected spam sources. So, if Spamhaus isn't blocking e360insight's mail servers (they aren't), then why should they have to "prove" that e360insight is a spammer? As I understand, Spamhaus essentially has a network of honeypot e-mail addresses. Anything hitting these addresses is, by definition, unsolicited, and therefore spam.
As far as accountability...well, if you are a mail server administrator, you decide to start using Spamhaus' database to make decisions about from whom you will accept e-mails, and you find that the amount of spam hitting your inbox has dropped by a factor of four, how much more accountability do you need? You always have the option of hard-coding an Allow rule into your mail server config files, if you find that you are missing e-mails from what you perceive to be legitimate sources.
The State of Illinois needs a reality check. They wrote a "Super DMCA" law a few years ago that essentially hamstrings IT security professionals (see http://www.hackbusters.net/ [hackbusters.net] for more details), and this is just another example of poor legislation victimizing the innocent.
Re:Ghostbusters (Score:2, Insightful)
First Point:
The First Amendment protects free speech from repression by THE GOVERNMENT, not a from repression by a private entity like Spamhaus.
Second Point:
Now if you were to argue that Spamhaus' rights were being abridged based upon the Judge in Illinois ruling, then you might have a point. From my perspective, this judge appears to be clueless in a number of aspects including the Constitution, his jurisdiction, and his understanding of the service Spamhaus provides.
Sigh.
Re:Chicken Little FTL (Score:4, Insightful)
My current estimates say that $ORK is blocking ~ 400 to 500 million messages a day using DNSBLs, about 80% of which is the sbl-xbl.
Re:Ghostbusters (Score:3, Insightful)
You are right and I agree. Death to spammers.
However. The fact remains that spamhaus wields quite a bit of power. They have accumulated that power by means of the zillion admins who have opted-in. They are now wielding that power, and in so doing they have invited and legitimized a measure of public skepticism and scrutiny.
Even though everything about spamhaus is optional and consensual, the judge may be looking at the power angle, rather than the consent angle. All concentrations of power are suspect, and many jurists believe that they have an inherent right to intervene in the use of any concentration of power.
Once again, I'm all for spamhaus. I'm a little-L libertarian myself, and spamhaus is an ideal solution in my book. But suppose that 360insight is actually innocent . . .
Perspective from a damaged party (Score:5, Insightful)
Let me put an alternative perspective to the AC e-mail security guy who wrote the parent post.
I am the IT officer for a local non-profit organisation, with a few thousand members. We run a mailing list, to provide announcements to those members. The list is opt-in (double opt-in to verify all addresses, in fact) and moderated, and everyone on it has explicitly asked to be there.
Our service provider has recently sent a notice to their announcements list (to which I subscribe) indicating that certain major names, including Hotmail and AOL, are no longer accepting mail from our provider. They don't even bounce it properly; they silently drop it. This is all done in the name of fighting spam, so they claim, because our service provider forwards a lot of spam onto them. (Our service provider forwards any mail received at a paying customer's address to any forwarding address requested by that customer, in fact.) The content of any given mail, and the specific people it's going from and to, are irrelevant to this blanket ban.
As a consequence of this, we now find that some of our members who use e-mail accounts at those hosts are not receiving mails they have explicitly asked for. Neither we, nor our members, nor our service provider is doing anything unreasonable. The only reason this system is broken is because of an arbitrary decision by a big name provider to throw their weight around, by blocking all incoming mail from a small provider (who are not the only ones being hit by this problem -- far from it, by the sounds of things), even if this goes against the explicit wishes of one of their own paying customers.
Now, you can rationalise that decision all you like as a big IT honcho, but the simple fact is that these organisations are screwing their own customers, and ultimately undermining the entire working of the Internet e-mail system, by being incompetent and not playing nice with others. Sooner or later, people are going to start missing really important messages as opposed to just convenient or entertaining ones, and those providers are going to learn a harsh lesson. I imagine a few small providers will start bringing anti-competition lawsuits if the big names carry on down their current road as well. But in the meantime, your approach sucks for your customers, it sucks for people working with your customers, and it sucks for other service providers working with you. It is an indefensible attack on the openness of the Internet, and you deserve to be shot down for it.
Free Speech by Spamhaus (Score:2, Insightful)
Re:Ghostbusters (Score:2, Insightful)
As a "spammer" in their eyes, and trying to cause them to reconsider, I was quickly changed from a supporter to someone who recognizes the futility of arguing with a Zealot.
Let me explain it for the Slashdot crowd: until impacted by DRM, DRM is perfectly great to you. Until Windows has a virus, it's a blissful day or so, and everything runs on it. So is the quality service you get from Spamhaus, but you don't understand until you get bitten.
Re:Ghostbusters (Score:2, Insightful)
Look at it another way. I don't like Circuit City. I think the people that work there are typically morons, and I encourage people to shop elsewhere. If these people take my advice, it is a voluntary decision. Am I legally actionable for expressing my opinion that Circuit City is not worth people's time and money? IANAL, but I certainly hope not. Am I in any way breaking the law if I express my opinion in a large enough forum (notice I said OPINION... in this analogy, were I to do anything else, such as spread rumors, or misinformation, it would be a misleading analogy as Spamhaus has done nothing to libel the company in question) that it affects Circuit City's bottom line? No. That would be a free speech issue. One could argue that Spamhaus' determination that this company is a spammer is nothing more than an exercise in free speech, and simple recommendation toward it's user base.
This is another classic example of a company finding out it's way of doing business is being threatened by the changing winds, and trying to find a litigation solution rather thana new business model. I understand it from their perspective; it is easier to sue somebody than change the way you do business. However, one of two conclusions can be reached: 1)The litigating company is in fact a spammer, and the system works. Their lawsuit/injunction is simply a clever way for an immoral company to win out against those that might hurt their business, and as such should be fought and hopefully won on the grounds of simply exposing them for what they truly are. Or, 2)They are a legitimate company-a dolphin caught in the tuna net. In which case, they simply need to prove their legitimacy in court, Spamhaus takes them off their list, and the problem is solved.
In either case the answer is not blind litigation, but due process. I think the fact that the company mounting the legal battle has tried these tactics suggests that there may be a mar on their legitimacy. That, or since Spamhaus didn't answer their earlier claims, this is a means to make them take notice. Hopefully that is all it is; a threat. Having their ICANN records pulled is a useful scare tactic, but if it actually happens, it sets a bad precedent for these sorts of cases. I can see the same thing happening with antivirus software. If a company whines loud enough (righteous or not) that they are legitimate, will they be able to successfully force a company like Norton to pull them off their list by sheer legal tactics? I hope not.
Re:This could be the end of U.S. DNS control (Score:3, Insightful)
1) The U.S. hasn't summoned Spamhaus to appear in court. According to the court documents posted so far, Spamhaus was never served with this lawsuit.
2) The U.S. so far hasn't shown any willingness to yank the site. Rather, there's a _proposed_ order from a Federal judge in the Northern District of Illinois which would yank the site. IANAL, but I know a court's powers to compel third parties are limited, and there might be an issue of that district's jurisdiction over ICAAN. Nothing has happened yet.
3) Taking ICAAN out of US hands solves nothing. Wherever the new independent organization is located, it will be subject to the court orders of that jurisdiction. Do you think Europe has no judges willing to write such orders?