Spamhaus Responds To Spammers' Lawsuit

ShaiHulud-23 writes "A suit was recently filed by EMarketersAmerica.org, a fledgling secret organization of spammers, against the Spamhaus Project, (and other anti-spam sites) seeking to prevent the publication of the anonymous plaintiffs' IP addresses in the Spamhaus Block List (SBL). The suit requested a response from the named defendants, and Spamhaus director Steve Linford has provided one, dismantling the spammers' case point by point."

IANAL...

[Bendy+Chief]

Someone please, please tell me there are perjury-charge meriting falsehoods in the documents filed by the spammers. The claims that Spamhaus is a commercial organization and is maliciously blocking traffic are particularly suspicious.

After all, they got Capone for income tax.

That's nice...

[Hilleh]

No really, that's great. I'm happy for all you guys. Biiiiiiig group hug? Everybody feel better that we're fighting the evil, evil spam now? Okay, good.

Seriously, I hate having my inbox clogged up as much as the next guy, but wake me up when something actually HAPPENS. I'm sick of hearing the two sides verbally piss on each other, I think we can all agree that's been done to death. How this rehashing of the same old crap is newsworthy to anyone is beyond me. Different face, same words.

Yet Another Solution to Spam

[ceswiedler]

I think it's inevitable...

Since it's impossible to verify the actual sender of any email, we need to be stricter about validating the server who sent it (most recently). AOL and MSN and the large corporations will eventually ban all email not coming from a small (< 100 domains) set of 'trusted hosts'. This will hurt small companies and small ISPs; the answer is that they will have to route their mail through a trusted host (or through someone else, who in turn...). These trusted hosts will become something like (and possibly run by) Verisign and other CAs. The small senders will have to pay for the authentication the trusted host provides (which they will pass on to their customers). This is already something like what ISPs do, when they refuse to forward SMTP mail except from their own block of IP addresses.

If a trusted host allows spam to be sent through it (on a large enough scale), then it is in danger of losing its 'trusted' status. Unless of course, it acknowledges its spammy status and pays (bribes?) the other trusted hosts to allow it to remain. The end result will be that spammers will have to pay (considerably) for the privilege of sending spam through a trusted host. Normal users will have to pay (a small amount) for the privilege of sending non-spam through a trusted host.

This isn't a radical idea, it's simply whitelists taken to their logical, structured conclusion.

Re:Yet Another Solution to Spam

[amuro98]

Some places do, but that won't catch a lot of spam.

I get a lot of spam (and legit mail) that doesn't include a domain name.

I get a lot of spam from malconfigured mail/proxy servers, or from compromised, unsecured machines elsewhere on the network. In these cases, the IP# really does match the domain that sent the mail, but the content is 100% spam.

I guess you *COULD* configure your mailserver to reject email from IP#s that aren't listed as mailservers for that domain according to their DNS records...but again, domains running malconfigured mailservers (like the country of korea is doing), or those domains that deliberately use fake/munged DNS information will still get their spam through.

In short, there is no single rule to detect spam 100% of the time with no false positives. The best system I've seen is SpamAssasain which can be configured to use the SBL, SPEWS, or other blacklists, and uses a series of configurable rules to assign a "weight" to each message. Even then, you'd be suprised at how legitimate, innocent mail will get such a high weight sometimes.

Can anyone answer me this?

[Sandman1971]

I've always wondered about this. Excuse my possible ignorance, but I'm from Canada where the legal system is different than the States.

How can spammers sue anti-spam list maintainers? RBLs are purely voluntary. Companies/ISPs aren't forced by law to use RBLs. They implement RBLs out of their own volition (hopefully after doing a bit of research of the RBL in question).

I can see a point of a non-spammer is accidentaly added to the list and the RBL company refuses to remove the 'offending' company. But in this case, these are known spammers. They don't deny that they send out spam. It just doesn't make any sense. The spammers should be charged with wasting the court's time.

Re:Can anyone answer me this?

[amuro98]

The lists maintained by SPEWS, SBL, etc. are little more than opinions saying I think the following ISPs are irresponsible and/or are harboring spammers..."

The fact that admins of domains can then use that information to allow their mailserver(s) to allow/reject mail from those domains is a separate matter.

There are then services, like Brightmail, which provide filtered email services to end users or ISPs. Brightmail's website will provide you with details on what they use for filtering, be it SPEWS, SBL, something else, or (most likely) a combination of all of the above.)

At any rate, organizations like SPEWS and SBL only provide the data. They do not implement it. As an ISP, your only legal recourse for being blocked due to a listing would be to go after each individual ISP that is blocking you. Even then, unless you had a contract with that ISP saying they MUST accept all mail from your domain, there's not a whole lot you can do. Laws vary from place to place, but the concept of "private property" seems pretty universal - and that's what every domain, and ISP network is - PRIVATE PROPERTY. No domain anywhere is *required* to accept mail from all of the internet.

Most lists provide documentation on their listing and delisting policies. This is both for admins wishing to use the list (do they agree with the criteria), as well as for admins wondering what happend to get them listed in the first place.

As for your employer's situation, getting onto a list usually occurs for the following reasons:

* Signing up of a spammer who's so infamous, that he and the poor sucker of an ISP that signed him up are immediatly blocked as a preventative measure. (ie. it's not a matter of IF he'll spam...)

* Preceived slack/slowness/cluelessness of your employer's abuse desk. This doesn't mean you have to have your abuse desk write personal responses to each and every person who sends a complaint...just have them do their job, and eliminate your misbehaving customer.

No reasonable person is going to expect instantaneous action, either. I think 2-3 days (TOPS) should be enough to deal with most cases, even with a 1% spammer infestation. Again, most people aren't going to expect a personal reply. Not getting the same spam from your customer is usually good enough. (and will keep you off the lists!)

Finally, you might want to look into proactively discouraging spammers from signing up by creating a new clause in your customers' contracts stating that if the account is terminated due to spam, you will charge the customer a clean up fee (usually $500-$2000.) ISPs that have enacted such a clause see the spam emanating from them drop off quickly - and hey, if someone is STILL stupid enough to spam, use the money to throw a beer bust. :)

Seriously though, if your abuse desk does their job in a timely manner, you shouldn't have any problems with listing services.

Re:UK in American courts?

[CaptainCarrot]

How do you get an American court to have jurisdiction over a company that does not sell products to US consumers - since it does not sell anything - and does not have any divisions in the US?

You don't. That's why the plaintiff had to lie about the Spamhaus' and Steve Linford's whereabouts, about US residents being principals in Spamhaus, and to falsely suggest that it might have a US office. Otherwise the suit would be thrown out at as soon as it landed on a judge's desk.

Re:These guys have no shame

[Cramer]

These people piss me off...

Billion dollar industry... blah, blah, freakin' blah. Prove the damned numbers. Unlike RIAA and MPAA, no one is going to let spammers make up their own balance sheets. There are numerous reports world wide giving hard proof of the costs brought about by all the stupid spammers. The only people who stand to be finacially injured and unemployed (and unemployable after a background check) are the asses sending all the spam.

I'll see their billions and raise by trillions -- the costs of software development and administrator headaches addressing the problem of spam, software development and administrative overhead to block loopholes in internet protocols, ever increasing server and bandwidth needs to move, process, and store all this crap... SPAM is a very expensive problem with the burden everywhere but the spammer.

Laws are useless unless swiftly and strictly enforced. Speeding is illegal, but that hasn't made much of a dent.

Tactical mistake - Description of SBL

[billstewart]

I'm not a lawyer, and I'm not sure whether Steve's "response" is just a public statement or is a document that's been submitted to the court, and I'm not going to speculate on whether he should or should not use any particular form of response since he's asserting that he's not under their jurisdiction. Having said that, howerver:

Steve's response is very clear on the point that the SBL doesn't block the transmission of any messages, but he's fuzzy on whether it blocks the reception - in some places he says it does, while in other places he talks about the recipient blocking them. I thought that the SBL is implemented in a way that the user's email software does the blocking, after checking the site's status with the SBL. It's a potentially important difference - not so much for Steve or Spamhaus (because of the jurisdictional issues) but for the US plaintiffs. It shouldn't be - the recipient has every right to hire a blocking service to block spam for them, even if the one they've chosen to use charges no money - but it could make a difference to a jury or to a really clueless judge.

Spam the spammer?

Wasnt there some idea not so long ago to use the spammers representative email address/street address as 'opt-in' info for practically every known form of junk mail on the planet? I wonder what some of those same crazy people will do this time?

Re:Answer to spam?

[sik+puppy]

better yet. just state that anyone who kills any of the major spammers will be given a full pardon for their act of public service.

You think cockroaches scatter fast when the lights are turned on? Think how fast the spammers will scatter when its open season.

This may be borderline flamebait, but since nothing else has worked to solve the spam problem.

Re:Sue for anything

[Ironica]

You can sue for anything, really you can.

You should be allowed to sue for anything.
Who should judge what is worthy? A judge of course, nobody else should be allowed to make the decision if the case should proceed.

I don't see a better solution.

An excellent point, really. The problem is, it depends on a certain threshold amount of personal ethics and judgement, which we seem to have slowly sloughed off here in the US. You should be *able* to sue for anything, but you should not automatically come up with a lawsuit every time the world inconveniences you or takes away your favorite toy. Unfortunately, our legal system runs on dollars, not sense. It's not corrupt, really; it's just big and complicated (like a Hummer?), and the people who can give it enough fuel to get mileage out of it are those with lots of cash (yeah, like a Hummer). Meanwhile, there's thousands of "reasonable" lawsuits every day that never get as far as a filing, because people don't have the time and/or money to deal with it.

There's a lawyer in Downtown Los Angeles named Nancy Mintie, who has been practicing for 24 years. She has never lost a case. Seems amazing on the face of it... but on a closer look, she does nothing but pro bono legal services for homeless and poor people. There are so many people down there who are being horribly exploited and abused, so there's tons of very solid cases to work with. You walk into a court room and tell them that a landlord has to do something about kids getting chewed on by rats in their sleep, you don't have much trouble at all. It's the big bucks lawsuits that are touch-and-go, because they often don't have a solid foundation to rest on.

I've been trying to come up with a better solution, but really, how could you feasibly socialize the legal system? Universal Health Care is a cinch in comparison. After all, if the guy across the street has a better doctor than me, it doesn't mean he can take years away from my life. But if he's got a better lawyer, he can sue me for all I'm worth, and it may not matter if he has a better case than I do... as long as he has better representation.

NO Joke!

Actually, what you talk about isn't so funny. Well maybe to some people.

**violence is bad, these are just thoughts, don't enact them**

I am thinking to myself, when is some average joe going to snap, and go on a rampage and kill a bunch of people at one of these spamming companies? Or, will a new Ted Kazynski (sp?) emerge and start mail bombing (err, real mail) the offices of these spammers? I think if it does happen, that there would be much sympathy for the defendent, eventhough it is a horrible thing to do.

But I do predict that it will happen. Just like no sports team has entirely died on an airplane accident, at some point it will happen. So to will there be a time when some average joe goes nuts and mail bombs the email spammers, the RI/MPAA, or even Microsoft.

Don't these entities realize that their actions might piss people off so much that such a catastrophy might happen? If I was head of these organizations, I'd be concerned.

**violence is bad, these are just thoughts, don't enact them**

Re:Spammers are suing the wrong people

[aborchers]

ISPs are private businesses and are not required, unless their contracts stipulate so, to accept mail from every domain or IP address on the Internet, so where is the case against them?

Then again, making such a defense might endanger the "common carrier" claim that a lot of ISPs make to avoid legal liability for what goes on on their network.

At any rate, as long as spam-blocking is an optional service offered to users, then the receivers can be responsible for rejecting the mail, and I can't imagine even the current US courts ruling that consumers are required to accept unwanted commercial spew (unless of course its in the context of some otherwise offered service such as ad-supported free email accounts).

For what is worth...

[NomadPgmr]

I wonder if ValueWeb knows that they are hosting a run by multiple spammers with the intent of promoting spam. This is in violation of #9 in their AUP. I wonder if they are aware of this??

PING emarketersamerica.org (64.70.171.85)

whois 64.70.171.85@whois.arin.net
[whois.arin.net]

OrgName: CyberGate, Inc.
OrgID: CYBG
Address: 3250 W. Commercial Blvd. Suite 200
City: Ft. Lauderdale
StateProv: FL
PostalCode: 33309
Country: US

NetRange: 64.70.128.0 - 64.70.255.255
CIDR: 64.70.128.0/17
NetName: CYBERGATE-1
NetHandle: NET-64-70-128-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS.VALUEWEB.NET
NameServer: NS2.VALUEWEB.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-04-03
Updated: 2000-11-28

TechHandle: CN313-ARIN
TechName: Network Administrator, CyberGate Network
TechPhone: +1-954-334-8080
TechEmail: netadm@valueweb.net

Re:The Spammers should be Sued

[afidel]

A substantial portion of the budget of my ISP both in time and capital is devoted these days to blocking and dealing with spam. I am personal friends with the owner of the ISP and he told me that the recent reduction in prices for dialup accounts would have been larger but he can't afford to do that due to the increased costs of dealing with spam, all of his other costs, from machinery to trunk lines, to BRI's have gone down, this is the only area of his business where costs are increasing.

Is he filing one?

[mdfst13]

You mention that Linford "has an excellent countersuit." I would agree, but I am unsure if you are claiming that he has already filed one or that he could file one.

I think that not only the defendants of the case should countersue but that those who use the SBL and those who are protected by the SBL should join the suit (as a class action) against the negative effects that could be caused by hindering Spamhaus's work. I also think that anyone who owns part of this corporation should be named as a defendant in the suit. Clearly the corporation is an attempt to hide the actual principals and protect the from liability. I'm not sure of the legal basis, but I think that that protection should be voided by their active participation.

Hopefully the discovery phase will dig up some of their actual illegal behavior (forging headers, hacking boxes to send email from them), so that the courts can prosecute them. It would be great if it could be proved that some of the product distributors who benefit from this advertising could be shown to have actively participated as well. Cut off the funding for spam.

Seriously, if some lawyer wanted to take this task on, I (and many others, I'm sure) would be happy to help with the preparation of requests for useful data and interpretation of the data once it is received. Just post a response here and I will be happy to post one of my spamcatcher accounts. Just give me an idea of what the email will look like so that I don't accidentally delete it with my spam...

I find this ironic...

[rainmanjag]

So part of the claim in the emarketersamerica suit is that the defendents are clearly disguising their identities through providing false information to their domain registrar (which the spamhaus people deny)...

Yet do a little whois on emarketersamerica.org :

Registrant ID:71-C
Registrant Name:SEE SPONSORING REGISTRAR
Registrant Street1:Whois Server:whois.register.com
Registrant Street2:Referral URL:www.register.com
Registrant City:N/A
Registrant Postal Code:N/A
Registrant Country:CA
Registrant Email:not@available.org
Admin ID:71-C
Admin Name:SEE SPONSORING REGISTRAR
Admin Street1:Whois Server:whois.register.com
Admin Street2:Referral URL:www.register.com
Admin City:N/A
Admin Postal Code:N/A
Admin Country:CA
Admin Email:not@available.org
Billing ID:71-C
Billing Name:SEE SPONSORING REGISTRAR
Billing Street1:Whois Server:whois.register.com
Billing Street2:Referral URL:www.register.com
Billing City:N/A
Billing Postal Code:N/A
Billing Country:CA
Billing Email:not@available.org
Tech ID:71-C
Tech Name:SEE SPONSORING REGISTRAR
Tech Street1:Whois Server:whois.register.com
Tech Street2:Referral URL:www.register.com
Tech City:N/A
Tech Postal Code:N/A
Tech Country:CA
Tech Email:not@available.org

-jag

Re:Not Pro-Spam, but....

[kaip]

65.59.224.128/25 could be blacklisted [by SPEWS], but I happen to know that they have quite a few hosting customers, most of who know nothing about the other customers.. Legitimately blacklisted?? - -

ORDB has my ex-girlfriend's mail server listed. She develops and hosts sites. No spamming at all.

Servers are added to ORDB (FAQ) after they have been tested to be open mail relays.

So most probably your girlfriend's server was an open mail relay. Since open relays are exactly what ORDB claims to list, the listing was most probably correct.

An open relay is incorrectly configured mail server. Rather than to complain about the ORDB listing you should be grateful that they pointed out the flaw in your configuration before it was exploited by a spammer (or was it?).

It is also important to understand that ORDB only provides information of open relays. The owners of the recipients' mail servers decide whether they want to filter out mail originating from open relays.

The same applies to other blocking lists, such as SPEWS. The listing criteria are clearly stated on the SPEWS web page. They explicitly state that they escalate listings, i.e. they may also list non-spamming client's of the spammers spammers ISP (see Q16 of the SPEWS FAQ). Given this information, it is up to the owner of the recipients' mail server to decide whether to filter mail using SPEWS.

You Forgot The Most Important Thing To Obtain!

[Steve+Cox]

It would be most important to obtain the complete list of email addresses they send to.

That way, the people who own the email addresses on the list can be asked if they had opted in (EMarkerters did state that they ran an opt-in scheme only...)

Steve.

Re:No. Re:IANAL...

[Tetsujin28]

Pleadings aren't made under oath, so nothing contained in them can be perjury. If you deliberately state facts you know to be false, however, you could run into civil liability for abuse of process.

Pleadings are signed by attorneys pursuant to Rule 11 under the Federal Rules of Civil Procedure, and similar rules in all state courts I'm familiar with. Rule 11 can leave an attorney open to some pretty nasty sanctions if he submits a pleading that includes misrepresentations of fact.

Re:Not Pro-Spam, but....

[JWSmythe]

Actually, phone calls *aren't* a good way to communicate with me.. I work odd hours.. Like yesterday, I worked from about 11am until 11pm at the office, and then until 6am at home..

If you called my office, you'd be listening to yourself talk to the answering machine. But if you dropped me an Email it would be answered quickly. Just like the guy who decided one of our primary domains was unused and he wanted to buy it off us.. I got back with him within a couple hours.

Likewise, if I needed to contact you, I know most offices won't answer between 6pm and 8am, unless it happens to be a spiffy-keen NOC. :) After sitting on hold for over an hour with both AOL and Time Warner/RoadRunner on individual cases, just to be told, "Sorry, we don't know anything about that" on abuse issues, I know it doesn't do much good to call the listed numbers. It also doesn't do much good for me to call Moscow at 4am their time. If I'm lucky, they'll see an English email come in, and run it through babelfish to read it.

We receive legal notes by Email all the time. Usually it's nothing significant, but answering them quickly is enough to keep us from getting sued.

Most of the blackhole problems we've encountered weren't directly with our networks.. Like I said, other networks very frequently get larger blocks blacklisted. What do I do? Go to my providers switch and start yanking out wires until I find the one that Mr. Relay is using? That'd go over really well, assuming I could even do it. Maybe I should call my provider, and ask for the physical address of the demarc for another block? ha.

If you don't like the fact that SPAM exists, I suggest you bring up a bigger issue with the USPS. I have a *SERIOUS* problem with junk mail. Consider the resources that are burnt up by that.. Besides the wasted fuel used by the mail trucks, and the time used to sort it, it wastes space in my box, and causes litter. After I moved recently, the post office never stopped delivering the junk mail to my house. An old neighbor called to ask if it was ok for him to throw it all away, because it was spilling into the street.

If we're to take the blackhole thing as a valid method for filtering, the USPS should adopt the same thing. If someone sends more than X pieces of unsolicited mail, just throw away all the mail from that zip code. If that isn't sufficent, the surrounding 3 zip codes too.. So what if your mail doesn't go out, at least you've stopped the junk mail.

I'm definately going to suggest it to the US Legal system. To make a point that you shouldn't commit crimes, every time there is a death penalty conviction, they should kill the next two defendants too. Who cares if they did anything relating to the matter, right?

Ok, that was a stretch, but I hope you see where I was going with it.. You're blocking innocent networks with poorly designed arbitrary rules. Well, the blacklist mantainers cover their asses by saying "we only make the liste, we don't tell you how to use it." But Joe ISP admin doesn't think about that. He takes your stance of "This is cool, I can stop a bunch of mail."