MAPS RBL Challenged In Court Case

An Anonymous Coward sent in "Direct Magazine is carrying the story Yesmail Gets Restraining Order Against MAPS Blacklist (curiously dated July 17). YesMail has apparently obtained a restraining order preventing MAPS from entering it into its Real-time Black-hole List."

MAPS RBL

[jCaT]

I got stuck on this list for having an open relay. At first I was extremely pissed that this rogue group was preventing me from sending mail! Once I found the hole and fixed it, I called the phone number on their site and it was fixed within 15 minutes. The ONLY way you get on this list is if you are "nominated" by someone since they recieved spam that passed through your servers. Sure, it can be a hassle- but there's _no_ reason anyone should have an open relay. As a cursory check, I scan the headers of all the spam I get, and check it against the RBL. Invariably the servers are on the list already- sometimes they've been there for months!

I can see how some people might go as far as to take them to court for it, but that takes a lot longer than 15 minutes!

MAPS are only as powerful as their subscribers

[pdw]

MAPS are only as powerful as their subscribers make them. Any administrator signing up to MAPS RBL is saying, on behalf of all of their users, that they are happy to not recieve mail coming from any server listed on the RBL.

MAPS are not forcing this on anyone. People sign up to MAPS because we trust their judgement on what is and isn't mail abuse. If they start turning up too many false positives, people will unsubscribe from them as the number of complaints from users that can't recieve email from people they want to starts to exceed the number of complaints about spam. For example, many people avoid signing up to ORBS because they find their policy too cavalier. It's a self regulating system.

By signing up to the RBL, people are effectively saying "we don't want to recieve mail from you unless you comply with MAPS' policy. Deal with it."

I like their attitude at MAPS

[John+Jorsett]

From here: "Finally, don't waste our time with threats. We get all kinds of threats. If you intend to sue us, then get on with it. If you don't, then don't waste our time or yours telling us how actionable our activities are."

Not quite.

[HappyHead]

First, and foremost, anyone who actually winds up on the list is there because they chose to be there. They chose to 'run their mail server as an open relay', they chose to 'run their buisness through spamming', or even they chose to 'run a mailing list that dosen't require a conformation for subscription'. Thing is, they get a whole MONTH warning ahead of time, and free assistance in fixing the problem if there is one. If they then CHOOSE not to fix the problem, then they are on the list, plain and simple.

Second, they don't even go after people unless they have recieved complaints about them, and have investigated those complaints and found them to be valid. If they get an open relay reported to them, the first thing they do is verify it. If they get complaints of spamming, they check to see if there realy is a problem, and once again, they don't immediately drop them into the killfile, they discuss the matter with the person who has been accused, and try fix the problem if possible. And fixing the verification problem with a properly built mailing list program is easy if you're using something like MajorDomo, it's the default setting once you properly install it. The people who don't do things right are typically using spamware, or poorly configured systems, and they can get free help fixing it if they're willing to listen.

Unfortunately, there are some people out there who don't listen, don't care, or want to have something to fight about. After all, court fights make great publicity. I wonder how much yesmail.com's web trafic has gone up since they filed this lawsuit? Do you really think they're not profiting from the increased attention?

Re:E-commerce

[Ungrounded+Lightning]

What gives you (or anybody else for that matter) to decide what mail should or should not be allowed?

You misunderstand, or misrepresent, what is going on.

A lot of people don't want to receive unsolicited commercial eamil. And a lot of ISPs and business sites don't want their resources used to forward it, or their employees distracted from doing work while deleting it.

MAPS publishes a list of sources of unsolicited email. ISPs, businesses, and individual users may chose to use this list to filter out mail they don't want to bother to read or forward.

Use of the list is strictly voluntary.

Having your email forwarded, on the other hand, is not a right. It is a voluntary service of whomever forwards it. If a site does not wish to forward unsolicited commercial email - or any other email - originating from you, that's that site's prerogative.

The types of SPAM and how MAPS works.

[Jimithing+DMB]

There are several ways to send spam, for more information, look at the MAPS website.

One type of SPAM comes directly from a dial-up account to your ISP's mail-server. This type of spam can be prevented if your ISP uses the MAPS DUL (Dialup User List). The idea is that no-one should be using a dynamically assigned IP to send mail, they should forward through their ISP's mail-server. Spammers don't want to do this though, because their ISP's mail-server will keep a very detailed log the messages sent.

Many times spammers will find what is known as an open relay. An open relay is a system which is accepting mail from anywhere and sending mail to anywhere. In the old days (that is, a few years ago) that was common practice. Now that spammers abuse this, any system which is an open relay and has been known to have had spam sent through it and has been reported to MAPS will be placed into the MAPS RSS (Relay Spam Stopper). Again, you must encourage your ISP to use the RSS to filter mail. There is one drawback to the RSS though: it blocks ALL mail from an otherwise legitimate mail-server. However, if the sysadmin of that mail-server gets his act together and stops the open relay, the system will be immediately removed from the MAPS RSS. The sysadmin can even contact MAPS for help, and there are volunteers available to help with server configuration.

The final list is the RBL, which is the one that is being challenged. The RBL is very unlike the other two lists. The RBL exists to stop known spammers. By using the RBL, a sysadmin is really putting his/her trust in MAPS. Personally, I do use the RBL because it does help keep the spam problem down. To get on the RBL, there must be a repeated abuse shown. The reason MAPS wants to add yesmail to the RBL is because they are being bad net citizens by allowing anyone to enter anyones e-mail address to subscribe to one of yesmail's mailing lists. So basically, one of your friends (or enemies) could send them your address and you would start receiving "marketing materials" from them on a regular basis. It is then your responsibility to opt-out of the list that you didn't even opt-in to in the first place!

What MAPS would rather see is for them to send one and only one e-mail to the address that contains further instructions to verify that the e-mail should really be subscribed to the list. If the person who receives the e-mail actually wants to be subscribed, then it is only one extra step for him/her. If the person does not want the e-mail, he/she does not have to do anything because yesmail should never send further correspondence unless requested to again.

Those are the basic facts about what is going on. I am sure several people have submitted yesmail to the RBL. Obviously, there are plenty of MAPS RBL subscribers who want yesmail on the RBL. Note that your ISP must subscribe to the RBL to actually have the e-mail blocked.

Now, for those of you saying that you don't want your ISP to use the services of MAPS, I say, tough shit, take it up with them. Do not forget that it is your ISP's server space and you are merely leasing the rights to use it and have an e-mail account and accesss and so on. If you don't like them filtering by the MAPS lists, then either ask them specifically not to filter your mail (which can be done) or get another ISP. Personally, I think you are crazy if you don't want your mail filtered by the MAPS lists, but to each his own I guess.

Anyway, talk to your ISP about filtering using MAPS and see if they will do it. Mention that it does reduce the load on their server resources because they no longer have to store and transmit mail that you don't want to see anyway!!

Re:Where's the /. reading lawyer?

[rjh]

IANAL, but my father is a judge, my cousin is a DA, another is an ex-cop, another is... well, you get the idea. My experience is practical, not professional, and I am not suggesting that this is in any way a substitute for real legal advice. That being said:

1. YOU CAN BE SUED FOR ANYTHING.

There are laws on the books which are meant to cut down or eliminate frivolous lawsuits, but judges rarely reprimand attorneys for wasting the court's time.

2. LAW REALLY DOESN'T MEAN ALL THAT MUCH.

As soon as the jury is seated, it's an entirely different ballgame. Juries occasionally follow the law with diligence and probity, and occasionally they completely buck the judge's counsel and do whateverthehelltheydamnwellplease.

In this instance, a jury wasn't seated--the reason why I bring it up is because many legal proceedings do involve juries, and most /.ers seem unaware of just how mercurial juries can be.

3. TEMPORARY INJUNCTIONS ARE JUST THAT.

Temporary, and injunctions. Judges are prickly people, as a rule. Most of them are control freaks of such a high order as to dwarf absolutely any other profession out there--including doctors. There are two things which judges universally fear, though: one is being overturned on appeal, and the other is being humiliated.

If someone comes before a judge and says "Your Honor, this bad person over here is doing something which will cause substantial and irreparable harm unless you do something to help me right now", the judge has three choices:

* He can schedule a full hearing, and tell the aggrieved party "well, let's wait two or three months and just handle a full, permanent injunction hearing"

* He can execute summary judgment and declare that no such irreparable harm exists, and refuse to do anything

* He can issue a temporary injunction, and schedule a permanent injunction hearing for later.

... Remember: judges hate to be overturned on appeal and they hate to be humiliated. If the judge chooses the first or second option, that leaves him (a) free to be overturned, and (b) if the judge is wrong and irreparable harm does occur because the judge didn't issue an injunction, the judge will be publically humiliated.

Judges, therefore, overwhelmingly tend to be very lenient with temporary injunctions. Many of them claim that this leniency is in everyone's best interests, and it may well be--but I'm a cynic, and this colors my analysis. :)

4. TEMPORARY INJUNCTIONS ALWAYS EXPIRE.

This one is simple. Temporary injunctions always expire, and permanent injunctions last for as long as the Court (not the parties involved--at least, not necessarily) wants them to. In order to move from a temporary injunction to a permanent injunction, well--let's skip the procedural details, because it's likely not interesting to /. readers. Instead, just remember what I said about judges; they hate being overturned, and they hate being humiliated.

This gives them extremely strong motivation to consider permanent injunctions very carefully. If they misstep on procedural or logical grounds, it's cause for overturn on appeal; and if they make the wrong decision and someone loses their shirt as a result, then the judge gets humiliated.

So judges tend to view permanent injunctions with a much more careful, and skeptical, eye than they do with temporary injunctions.

... But, as I said, I'm not a lawyer and I don't know beans about the legal system. You'd be a fool to think that this is anywhere near competent legal advice. :)

What's the problem? spammers are theft of service

[ajv]

I've worked in ISP's before. The abuse queue at one of them (a very large one) jumped from an undercurrent of about 1000 outstanding items to over 1200 on the basis of one single spam incident. The ISP costs each abuse incident requiring action at $25 to reply and fix. Thus this one spam incident cost the ISP more than $5000 to manage and resolve, and that doesn't take into account the good will aspects. The bandwidth stolen from the ISP and the customer costs money as well, and to maintain a responsive system, most tier 1 ISP's have excess capacity. Spam is not really a big consumer of bandwidth unless you happen to be the sucker with an open relay, but the management costs are astronomical. In addition, of the twenty or so times I saw the results of abusive "customers" who bought $20 pre-paid internet accounts and injected several million messages per account before having it closed, the account costs this ISP many hundreds of dollars. The headers are all forged (who do you want to be today?), the recipients entirely unwilling. The mail administrators in one of the worst incidents worked until 2 am fixing this problem up. Does the spammer pay for this? I don't think so. If the local mail relays are full of unwanted messages from non-paying (or abusive) customers they cannot service the other 100,000+ customers legitimate traffic in a timely fashion. If they paid *all* the intervening ISPs (as if) for the full cost of their actions, and everyone opted in rather than the other way around, this would not be a major problem. It's not about free speech, but simply this: A is stopped from sending to C,D,E...n by B. A is stealing from C,D,E,..n's ISP and from C,D,E,..n, and from many intervening networks, and thus many managers and administrators do no like this loss, thus signing up for B's service. "A" does not pay for the privilege and they forge their identity. Why does "A" think they have a *right* to steal? UCE is theft of service. End of story.

Re:The RBL is a scam.,..

[aiken_d]

DISCLOSURE: Like about 50,000 legitimate, non-spamming businesses, one of the projects I work on uses Ibill. Some of my attitude towards the RBL comes from discussions I had with them after the RBL of Ibill cost my company about $6000 in a few days, and the RBL people had the gall to tell me that I should blame Ibill, as it was "their fault." This is analagous the kidnapper blaming the authorities when he shoots a hostage.

The change in the RBL over the past few years has been from actively fighting spam to fighting things that, in your words "contribute to a significant flow of spam." The problem, obviously, is that it's easy to point to almost anything and claim that it somehow contributes to spam, and to use that as a justification for pretty much any aggressive action.

Ibill is an excellent example. Yes, they allowed spammers to profit, and have typically been far too slow cancelling spammers' accounts. And yes, they seem to have some really, really nasty people working there. That Ed Cherry guy is particularly unpleasant.

But I dare say that the current, ongoing battle between Ibill and the RBL has a lot more to do with personal animosity and childish behavior on both sides than it does with stopping spam. And that, my friend, is very counter to the RBL charter.

If the RBL's criteria is "organizations which spammers use," why not go after federal express, and the banks where spammers' accounts are kept? How about ebay? Oops, they're a huge AboveNet client. Can't RBL them.

What about RBLing state legislatures that aren't moving fast enough enacting anti-spam laws? How about the US congress? They could surely do more to fight spam, and they are choosing not to. I say we get 'em! Do you see how ridiculous this is getting?

This "go after spam precursers" attitude is new to RBL in the past few years, and I for one don't like it. It's vigilanteism, and while it's satisfying in the short run, it sets a bad precedent and demonstrates a complete disregard for the rule of law.

(The usual counter-argument here is that spammers disregard the law, and therefore this kind of action is necessary. To which I say: emulating spammers to stop spam shows moral and ethical bankruptcy).

Blocking spam, yes. If the RBL simply blocked networks that were originating spam, I would put it back on the equipment I manage.

But going after third parties who do business with spammers is going too far. And getting into personal battles and acting unprofessionally is certainly right out.

-b

Re:The RBL is a scam.,..

[seebs]

The fact is, the amount of porn spam I got dropped dramatically when IBill was forced to change their policy.

MAPS isn't about *blocking* spam. It's about *EDUCATION*.

Once, everyone thought it was excessive to add the hosting company for a web site to the RBL, unless the spam came from there. After all, they're not *sending* the spam, right?

Then we found out that, if you don't take down a spammer's page, the spammer will keep spamming. Forever. So, the page *has* to come down. So, now, if you host web pages for spammers, you can be listed.

Ibill was in the same situation. They chose to provide a service that was being abused. They chose to overlook the damage to *everyone else*, because it was a cash flow for them.

The RBL listing caused them to recognize the costs they were inflicting on everyone else.

There is no such thing as a "vigilante" in this context. We *are* the legitimate authorities, we sysadmins.

I am sorry that innocent people were affected by IBill's listing. However, if you want to blame someone, blame the people (Ed Cherry being the most obvious, of course) who decided that they *couldn't* be listed on the RBL, and who felt that millions of dollars a day of distributed damage to other networks wasn't *their* problem, even though they could stop it.

That's what it comes down to. If you can make someone stop spamming, and you don't, you're going to get listed.

Fair enough.