Slashdot Mirror
MAPS RBL Challenged In Court Case
An Anonymous Coward sent in "Direct Magazine is carrying
the story
Yesmail
Gets Restraining Order Against MAPS Blacklist (curiously dated
July 17). YesMail has apparently obtained a restraining order preventing
MAPS
from entering it into its Real-time Black-hole List."
Company A is suing group B to prevent group B from adding company A to a list. Once you distill it that far, it is an obvious restraint on free speech. MAPS, as long as they are careful to show the reasons, has every right to put Yesmail on a list. Obviously, Yesmail would agree to be on a list of, say, the Red Herring top 100 internet companies, so they also have to be willing to be listed for their questionable practices.
I got stuck on this list for having an open relay. At first I was extremely pissed that this rogue group was preventing me from sending mail! Once I found the hole and fixed it, I called the phone number on their site and it was fixed within 15 minutes. The ONLY way you get on this list is if you are "nominated" by someone since they recieved spam that passed through your servers. Sure, it can be a hassle- but there's _no_ reason anyone should have an open relay. As a cursory check, I scan the headers of all the spam I get, and check it against the RBL. Invariably the servers are on the list already- sometimes they've been there for months!
I can see how some people might go as far as to take them to court for it, but that takes a lot longer than 15 minutes!
I hope Yesmail gets slapped with a huge 'frivolous lawsuit' charge, the assholes.
--
--
Victor Danilchenko
There is nothing at all wrong with an Open Relay in fact if we had less spammers there would probably be many more available for legitimate use. The problem is with the Spammers, I say go after them not the ISP's and others trying to provide relays for us to use.
Nathaniel P. Wilkerson
NPS Internet Solutions, LLC
www.npsis.com
Nathaniel P. Wilkerson
www.haidacarver.com
I don't see how the heck this can progress -- what restriction does a private company have on using another private company as a filtering list manager for their own private business?
This would also imply that someone listed on a censorware package could sue for exactly the same thing, which is presumably restraint of trade (since they talk about the adverse economic impact?) or possibly defamation (for listing them as "spammers")?
Once more, we've got an interesting techno-legal battle that will have much greater effects than I think we immediately forsee.
But if these guys win against MAPS, I'd suggest a quick suit against censorware makers under the same principles...
I'm an investigator. I followed a trail there.
Q.Tell me what the trail was.
Recursive: Adj. See Recursive.
Surely, MAPS included a "remove" address at the bottom of its email so that the company could just reply to have its email address removed from the list. And it's not like they have reason to sue, it says it's legal right in the email right under where it says "this is not spam and complies with US spamming regulations"
icqqm [ICQ:11952102]
MAPS are only as powerful as their subscribers make them. Any administrator signing up to MAPS RBL is saying, on behalf of all of their users, that they are happy to not recieve mail coming from any server listed on the RBL.
MAPS are not forcing this on anyone. People sign up to MAPS because we trust their judgement on what is and isn't mail abuse. If they start turning up too many false positives, people will unsubscribe from them as the number of complaints from users that can't recieve email from people they want to starts to exceed the number of complaints about spam. For example, many people avoid signing up to ORBS because they find their policy too cavalier. It's a self regulating system.
By signing up to the RBL, people are effectively saying "we don't want to recieve mail from you unless you comply with MAPS' policy. Deal with it."
The truer test of whether this case has any legs will come when MAPS has lawyers in court to defend it. Since it has an open invitation to be sued, one would presume that MAPS will defend itself.
From here: "Finally, don't waste our time with threats. We get all kinds of threats. If you intend to sue us, then get on with it. If you don't, then don't waste our time or yours telling us how actionable our activities are."
Second, they don't even go after people unless they have recieved complaints about them, and have investigated those complaints and found them to be valid. If they get an open relay reported to them, the first thing they do is verify it. If they get complaints of spamming, they check to see if there realy is a problem, and once again, they don't immediately drop them into the killfile, they discuss the matter with the person who has been accused, and try fix the problem if possible. And fixing the verification problem with a properly built mailing list program is easy if you're using something like MajorDomo, it's the default setting once you properly install it. The people who don't do things right are typically using spamware, or poorly configured systems, and they can get free help fixing it if they're willing to listen.
Unfortunately, there are some people out there who don't listen, don't care, or want to have something to fight about. After all, court fights make great publicity. I wonder how much yesmail.com's web trafic has gone up since they filed this lawsuit? Do you really think they're not profiting from the increased attention?
Okay. I want to see the lawyers talking about this. I don't want bored sysadmins who read a few Nolo Press DIY law books; I want the guys who do this for a living.
..."
"Thank you for contacting Web Legal Opinions. Please deposit $500 for your first hour
"If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine
So Yesmail wants to "opt-out" of the RBL, huh?
:)
I can't believe the irony
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
You've got to be kidding. If there was no spammer ... hell if there was no robbers there would be no need for locks either.
Damn it, this open relay problem has been documented and well-known for years, I've had a mail server completely stuck while I was on vacation (yeah that's usually when that kind of things happen ...) because some fucking spammer was able to send thousands of messages a minute thanks to an open relay, and happened to use a domain I administrate as a fake return address ...
And in that case the RBL (which I use) was of no help since all I got was all the bounces ...
What gives you (or anybody else for that matter) to decide what mail should or should not be allowed?
You misunderstand, or misrepresent, what is going on.
A lot of people don't want to receive unsolicited commercial eamil. And a lot of ISPs and business sites don't want their resources used to forward it, or their employees distracted from doing work while deleting it.
MAPS publishes a list of sources of unsolicited email. ISPs, businesses, and individual users may chose to use this list to filter out mail they don't want to bother to read or forward.
Use of the list is strictly voluntary.
Having your email forwarded, on the other hand, is not a right. It is a voluntary service of whomever forwards it. If a site does not wish to forward unsolicited commercial email - or any other email - originating from you, that's that site's prerogative.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
A: First off, maps represents 3 types of blocking lists.
1: The RBL, which contains IP addresses of spammers
2: The DUL, which contains IP addresses of machines that should not be able to send mail to your server directly. Ie: a user at earthlink should always send mail to their mail server and then it should be routed to you. If they have a system that connects straight to you, it most likely is spam,
3: the RSS (relay spam stopper) that contains a list of open relays. This is a nice trick of spammers to send mail through someone else's machine and have them do the job of mailing everything out.
B. Getting your address.
Now, my take on the philosophy of MAPS, is that you should only receive what you elect to receive. ie: getting mail-bombed from 100's-1000's of companies just because you once posted to usenet without masquerading your e-mail address just should not happen. (This is not an exaggeration).
So, if you sign up for a newsletter, you receive the newsletter. Also, you should have a clear way on how to be removed from the newsletter. etc.
You also should have a choice in that they should not sell the e-mail addresses on the newsletter.
C: Legality, from the receiver's point of view
As to the legality of maps?
Personally, I like it.
Its 100% opt in, and you choose for yourself what list(s) you want to subscribe to, and away you go.
If you go to an ISP, you can usually find out very quickly if they subscribe to MAPS, and which particular lists.
D: Legality from the sender's point of view.
The basic idea, is that if you do nothing wrong, you have nothing to worry about.
To actually be listed on the RBL is not a slam dunk. You will be contacted more than once and you will have ample opportunity to make changes.
Ok so some of the changes may be considered completely rude by some, lets give examples:
1: the ability to unsubscribe yourself
2: The ability to make sure that only you sign yourself up, and not someone with a bogus e-mail address
3: Not to add users by a "buy 50million users on cdrom for $20" import utility.
4: if you are an ISP, not willing to do anything about people complaining you have spammers.
Usually, you can get by #4 by having a strong AUP against spam, and kicking user accounts that send UBE
E: Legal arguments
1: Restraint of trade?
Not in my opinion.
I consider and trust MAPS to be a meta-introducer. I want them to let me know who I should talk (receive e-mail from) to and who not to.
Its my/my companies/my ISP's choice, as its their machine.
2: Malicious
Not hardly, You will receive every chance not to make the RBL list.
The DUL list is usually contributed by the ISP themselves
the RSS is contributed by vitcims. Usually the Sysadmin of the victim's machine will ask for help to get it fixed, and maps will help do that.
Harly what I would consider malicious, when they help upgrade a victim's sendmail.
F: how to use it,
if you know how to make your own sendmail.mc insert these lines:
FEATURE(rbl)
FEATURE(rbl, `dul.maps.vix.com', `Dialup - see http://www.mail-abuse.org/dul/')d
nl
FEATURE(rbl, `relays.mail-abuse.org', `Open spam relay - see http://www.mail-abu
se.org/rss')dnl
and away you go.
-- C
There are several ways to send spam, for more information, look at the MAPS website.
One type of SPAM comes directly from a dial-up account to your ISP's mail-server. This type of spam can be prevented if your ISP uses the MAPS DUL (Dialup User List). The idea is that no-one should be using a dynamically assigned IP to send mail, they should forward through their ISP's mail-server. Spammers don't want to do this though, because their ISP's mail-server will keep a very detailed log the messages sent.
Many times spammers will find what is known as an open relay. An open relay is a system which is accepting mail from anywhere and sending mail to anywhere. In the old days (that is, a few years ago) that was common practice. Now that spammers abuse this, any system which is an open relay and has been known to have had spam sent through it and has been reported to MAPS will be placed into the MAPS RSS (Relay Spam Stopper). Again, you must encourage your ISP to use the RSS to filter mail. There is one drawback to the RSS though: it blocks ALL mail from an otherwise legitimate mail-server. However, if the sysadmin of that mail-server gets his act together and stops the open relay, the system will be immediately removed from the MAPS RSS. The sysadmin can even contact MAPS for help, and there are volunteers available to help with server configuration.
The final list is the RBL, which is the one that is being challenged. The RBL is very unlike the other two lists. The RBL exists to stop known spammers. By using the RBL, a sysadmin is really putting his/her trust in MAPS. Personally, I do use the RBL because it does help keep the spam problem down. To get on the RBL, there must be a repeated abuse shown. The reason MAPS wants to add yesmail to the RBL is because they are being bad net citizens by allowing anyone to enter anyones e-mail address to subscribe to one of yesmail's mailing lists. So basically, one of your friends (or enemies) could send them your address and you would start receiving "marketing materials" from them on a regular basis. It is then your responsibility to opt-out of the list that you didn't even opt-in to in the first place!
What MAPS would rather see is for them to send one and only one e-mail to the address that contains further instructions to verify that the e-mail should really be subscribed to the list. If the person who receives the e-mail actually wants to be subscribed, then it is only one extra step for him/her. If the person does not want the e-mail, he/she does not have to do anything because yesmail should never send further correspondence unless requested to again.
Those are the basic facts about what is going on. I am sure several people have submitted yesmail to the RBL. Obviously, there are plenty of MAPS RBL subscribers who want yesmail on the RBL. Note that your ISP must subscribe to the RBL to actually have the e-mail blocked.
Now, for those of you saying that you don't want your ISP to use the services of MAPS, I say, tough shit, take it up with them. Do not forget that it is your ISP's server space and you are merely leasing the rights to use it and have an e-mail account and accesss and so on. If you don't like them filtering by the MAPS lists, then either ask them specifically not to filter your mail (which can be done) or get another ISP. Personally, I think you are crazy if you don't want your mail filtered by the MAPS lists, but to each his own I guess.
Anyway, talk to your ISP about filtering using MAPS and see if they will do it. Mention that it does reduce the load on their server resources because they no longer have to store and transmit mail that you don't want to see anyway!!
IANAL, but my father is a judge, my cousin is a DA, another is an ex-cop, another is... well, you get the idea. My experience is practical, not professional, and I am not suggesting that this is in any way a substitute for real legal advice. That being said:
/.ers seem unaware of just how mercurial juries can be.
:)
/. readers. Instead, just remember what I said about judges; they hate being overturned, and they hate being humiliated.
:)
1. YOU CAN BE SUED FOR ANYTHING.
There are laws on the books which are meant to cut down or eliminate frivolous lawsuits, but judges rarely reprimand attorneys for wasting the court's time.
2. LAW REALLY DOESN'T MEAN ALL THAT MUCH.
As soon as the jury is seated, it's an entirely different ballgame. Juries occasionally follow the law with diligence and probity, and occasionally they completely buck the judge's counsel and do whateverthehelltheydamnwellplease.
In this instance, a jury wasn't seated--the reason why I bring it up is because many legal proceedings do involve juries, and most
3. TEMPORARY INJUNCTIONS ARE JUST THAT.
Temporary, and injunctions. Judges are prickly people, as a rule. Most of them are control freaks of such a high order as to dwarf absolutely any other profession out there--including doctors. There are two things which judges universally fear, though: one is being overturned on appeal, and the other is being humiliated.
If someone comes before a judge and says "Your Honor, this bad person over here is doing something which will cause substantial and irreparable harm unless you do something to help me right now", the judge has three choices:
* He can schedule a full hearing, and tell the aggrieved party "well, let's wait two or three months and just handle a full, permanent injunction hearing"
* He can execute summary judgment and declare that no such irreparable harm exists, and refuse to do anything
* He can issue a temporary injunction, and schedule a permanent injunction hearing for later.
... Remember: judges hate to be overturned on appeal and they hate to be humiliated. If the judge chooses the first or second option, that leaves him (a) free to be overturned, and (b) if the judge is wrong and irreparable harm does occur because the judge didn't issue an injunction, the judge will be publically humiliated.
Judges, therefore, overwhelmingly tend to be very lenient with temporary injunctions. Many of them claim that this leniency is in everyone's best interests, and it may well be--but I'm a cynic, and this colors my analysis.
4. TEMPORARY INJUNCTIONS ALWAYS EXPIRE.
This one is simple. Temporary injunctions always expire, and permanent injunctions last for as long as the Court (not the parties involved--at least, not necessarily) wants them to. In order to move from a temporary injunction to a permanent injunction, well--let's skip the procedural details, because it's likely not interesting to
This gives them extremely strong motivation to consider permanent injunctions very carefully. If they misstep on procedural or logical grounds, it's cause for overturn on appeal; and if they make the wrong decision and someone loses their shirt as a result, then the judge gets humiliated.
So judges tend to view permanent injunctions with a much more careful, and skeptical, eye than they do with temporary injunctions.
... But, as I said, I'm not a lawyer and I don't know beans about the legal system. You'd be a fool to think that this is anywhere near competent legal advice.
I've worked in ISP's before. The abuse queue at one of them (a very large one) jumped from an undercurrent of about 1000 outstanding items to over 1200 on the basis of one single spam incident. The ISP costs each abuse incident requiring action at $25 to reply and fix. Thus this one spam incident cost the ISP more than $5000 to manage and resolve, and that doesn't take into account the good will aspects. The bandwidth stolen from the ISP and the customer costs money as well, and to maintain a responsive system, most tier 1 ISP's have excess capacity. Spam is not really a big consumer of bandwidth unless you happen to be the sucker with an open relay, but the management costs are astronomical. In addition, of the twenty or so times I saw the results of abusive "customers" who bought $20 pre-paid internet accounts and injected several million messages per account before having it closed, the account costs this ISP many hundreds of dollars. The headers are all forged (who do you want to be today?), the recipients entirely unwilling. The mail administrators in one of the worst incidents worked until 2 am fixing this problem up. Does the spammer pay for this? I don't think so. If the local mail relays are full of unwanted messages from non-paying (or abusive) customers they cannot service the other 100,000+ customers legitimate traffic in a timely fashion. If they paid *all* the intervening ISPs (as if) for the full cost of their actions, and everyone opted in rather than the other way around, this would not be a major problem. It's not about free speech, but simply this: A is stopped from sending to C,D,E...n by B. A is stealing from C,D,E,..n's ISP and from C,D,E,..n, and from many intervening networks, and thus many managers and administrators do no like this loss, thus signing up for B's service. "A" does not pay for the privilege and they forge their identity. Why does "A" think they have a *right* to steal? UCE is theft of service. End of story.
Andrew van der Stock
Now flashback to MAPS. What if yesmail isn't a spammer. Because of the list, yesmail will lose customers, and a potentially large amount of money. I'm not saying that yesmail isn't a spammer, but if they can convince a jury that they aren't... Well that's grounds for libel.
-----------
"You can't shake the Devil's hand and say you're only kidding."
DISCLOSURE: Like about 50,000 legitimate, non-spamming businesses, one of the projects I work on uses Ibill. Some of my attitude towards the RBL comes from discussions I had with them after the RBL of Ibill cost my company about $6000 in a few days, and the RBL people had the gall to tell me that I should blame Ibill, as it was "their fault." This is analagous the kidnapper blaming the authorities when he shoots a hostage.
The change in the RBL over the past few years has been from actively fighting spam to fighting things that, in your words "contribute to a significant flow of spam." The problem, obviously, is that it's easy to point to almost anything and claim that it somehow contributes to spam, and to use that as a justification for pretty much any aggressive action.
Ibill is an excellent example. Yes, they allowed spammers to profit, and have typically been far too slow cancelling spammers' accounts. And yes, they seem to have some really, really nasty people working there. That Ed Cherry guy is particularly unpleasant.
But I dare say that the current, ongoing battle between Ibill and the RBL has a lot more to do with personal animosity and childish behavior on both sides than it does with stopping spam. And that, my friend, is very counter to the RBL charter.
If the RBL's criteria is "organizations which spammers use," why not go after federal express, and the banks where spammers' accounts are kept? How about ebay? Oops, they're a huge AboveNet client. Can't RBL them.
What about RBLing state legislatures that aren't moving fast enough enacting anti-spam laws? How about the US congress? They could surely do more to fight spam, and they are choosing not to. I say we get 'em! Do you see how ridiculous this is getting?
This "go after spam precursers" attitude is new to RBL in the past few years, and I for one don't like it. It's vigilanteism, and while it's satisfying in the short run, it sets a bad precedent and demonstrates a complete disregard for the rule of law.
(The usual counter-argument here is that spammers disregard the law, and therefore this kind of action is necessary. To which I say: emulating spammers to stop spam shows moral and ethical bankruptcy).
Blocking spam, yes. If the RBL simply blocked networks that were originating spam, I would put it back on the equipment I manage.
But going after third parties who do business with spammers is going too far. And getting into personal battles and acting unprofessionally is certainly right out.
-b
If I wanted a sig I would have filled in that stupid box.
The Mongrel Dogs Who Teach
>court in Illinois,
Okay... this is something that's bugged me in in a number of other stories here on
By what streach of the law, imagination, or simple arrogant presumption does an Illinois judge claim jurisdiction over people in California?!?!?!? Or vice versa, for that matter (MPAA's restraining order on 500 john does, many of which most certianly live outside CA comes to mind)?
Is this a *FEDERAL* judge, whose bench just happens to be in Illinois? Or does any old state judge have carte blanche to order around people outside their jurisdictions? Seems like MANY states would STRENOUSLY object to such a violation of what little sovereignity the states have left (Texas and Mass come to mind, for starters) And if the latter *IS* the case, why do we bother with jurisdictions at all?
Of course, it *IS* a common arrogance for our legal system to presume that it has domain outside its jurisdiction (certian OTHER DeCSS-related actions, in Norway, for example, come to mind).
I'm *SURE* that there are at least a FEW bona fide lawyers who read Slashdot. Could one of you PLEASE shed some enlightenment here?
john
Resistance is NOT futile!!!
Haiku:
I am not a drone.
Remove the collective if
Imagine all the people...
The fact is, the amount of porn spam I got dropped dramatically when IBill was forced to change their policy.
MAPS isn't about *blocking* spam. It's about *EDUCATION*.
Once, everyone thought it was excessive to add the hosting company for a web site to the RBL, unless the spam came from there. After all, they're not *sending* the spam, right?
Then we found out that, if you don't take down a spammer's page, the spammer will keep spamming. Forever. So, the page *has* to come down. So, now, if you host web pages for spammers, you can be listed.
Ibill was in the same situation. They chose to provide a service that was being abused. They chose to overlook the damage to *everyone else*, because it was a cash flow for them.
The RBL listing caused them to recognize the costs they were inflicting on everyone else.
There is no such thing as a "vigilante" in this context. We *are* the legitimate authorities, we sysadmins.
I am sorry that innocent people were affected by IBill's listing. However, if you want to blame someone, blame the people (Ed Cherry being the most obvious, of course) who decided that they *couldn't* be listed on the RBL, and who felt that millions of dollars a day of distributed damage to other networks wasn't *their* problem, even though they could stop it.
That's what it comes down to. If you can make someone stop spamming, and you don't, you're going to get listed.
Fair enough.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/