Slashdot Mirror
AOL Sued For Over-Zealous Blocking
mik writes "America Online
has been sued by CI Host,
a Texas-based hosting company for defamation, interference with
contractual rights and unfair competition. CI Host
has been
awarded a temporary restraining order, though AOL has apparently not complied.
This may be the first such in a series of suits leading up to, perhaps, to class-action status relating to AOL's recent zealotry in
anti-spam policy
resulting in the presumption that shared-hosting providers are guilty (of spamming)
unless proven innocent."
I manage the web and email account for the church I attend. The pastor has an aol account, so his e-mail from our server simply redirects to his aol account. Just last week, I found that we had been put on aol's blocklist for some reason - all e-mails being redirected through the server to aol were being blocked for 2 weeks by aol. Blocking messages like this results in missed personal communication. This could possibly result in lawsuits from consumers themselves.
And I'm going to enjoy watching.
CI Host is a lousy company. I had nothing but trouble with them when I was hosting there. They continued to charge me after I cancelled my account, they refused to issue refunds in a timely manner. I very nearly took them to court over it. CI Host has spammers as customers. I told them about a few that were causing problems for me, and they never did anything about them. Doesnt' surprise me, because their customer support is poor, bordering on non-existant.
AOL is going to turn around and clean them out in court, and I'm going to thoroughly enjoy it. All they have to do is point to a few CI Host customers that spam, and that CI Host has been notified of several times, and it will either be a wash (in which case, AOL wins because they can stand the legal fees better than CI Host), or AOL will be able to counter-sue without a problem and make CI Host feel the hurt. Either way, I say yay AOL, which is something that I don't often say.
-Todd
"The details of my life are quite inconsequential..."
I personally think it is good that someone is trying to block spam. Now if they could validate forged headers.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
Been with CI Host for awhile, pretty good network, really like the price too.
Also, AOL/RR is blocking email from my office (Sprint SHDSL, fiber optic DSL, faster than T1, business only stuff in case you weren't aware). Ever since I got the first bounced message AOL has been #1 on my shit list.
Bravo, CI Host, Bravo.
I don't recall there being anything that says an ISP has to accept email from someone. It seems more like the accepted business idea of reserving the right to refuse service to anyone.
AOL are a bit zealos with their blocking. Worse there is no apparent (from what we could see) removal process or information on *why* you were blocked.
/19.... we can play this game for a while.
I maintain a few mail server that a number of customers of ours use to send out mail. We have a non-spam TOS and we check up on our customers. We got blocked. We went on to complain to a mass of different addresses. We got a two replys a few days later, the most notable was one from an address that didn't exsist (at aol.com) scolding us for not providing information that we had actually provided in our barrage. The other was just as worthless (telling us to read the usless help) though a reply to it didn't bounce.
Then as mysteriously as we went on the RBL we came off it again. To this day we are still cluless as to how we got on this RBL or how we got off it.
Worse though is Excite. There RBL is entirly hidden. No URLs, no help, no reasons, no nothing. We have had NO reply to our barrage of mails after a week and a bit. We even opened an account and complained as a customer. So we have taken to re-assigning our SMTP sender's IP address. I'm sure they will block that too, but we have a
Maybe I should see if we can sue Excite....
>
I am on a small ip block, with losers that catch the latest winshit worm and start spamming every few weeks.
Because of this, AOL has blocked my mailserver despite 7 requests to whitelist it (3 from myself, 4 from AOL victims^H^H^H^H^H^H^Hconsumers). It gets whitelisted for a few days, then group punishment kicks in and it's blacklisted again.
I have never spammed, I never intend to spam. Getting accused of sending half a billion unrequested emails in half an hour from a upstream as small as mine is both hilarious and insulting.
Fighting spam is one thing, blanket bombing to prevent spam is quite another. If anyone at the evil empire's apprentice is reading, "Hope you're glad that my dad left you because of your stunts. See you in court."
You can't judge a book by the way it wears its hair.
I like AOL's inability to read email about how they are blocking legitimate emails from people. One of the things AOL is doing is blocking anyone with a Business Class DSL line from SBC and runs their own mail server and calling them residential or telling them that they need to use AOL's servers. I changed some of the email addresses so you could see an actual dialogue between me and AOL's abuse group. I have more, but those would just make you laugh. You should have heard the phone calls.
>I would like to be able to receive email
-----Original Message-----
From: Road Runner Security [WMH] [mailto:spamblock@security.rr.com]
Sent: Friday, August 22, 2003 11:39 AM
To: blah
Subject: Re: Blocked domain
Hell,
You must use RR's SMTP server from your residential account.
RR Security
At 06:35 PM 8/21/2003 -0500, you wrote:
>I am trying to receive email from a doctor using the following domain blah.com and the mail is being
>bounced back to them. Every time they send email to me they receive a
>message saying:
>
>The following recipient(s) could not be reached:
>
> 'me@austin.rr.com' on 8/20/2003 11:50 AM
>
> You do not have permission to send to this recipient. For
> assistance, contact your system administrator.
>
> rr.com_Residential_Range - See
> http://security.rr.com/residential.htm>
>
>
>
>from them and would appreciate it if you would lift their name from your
>blacklist. I seriously doubt an doctor's office is going to
>be spamming anytime and they do have a business need to email Road Runner
>users.
>
>
>
>
>
>Thanks,
>
>
>
>me
patience is a virtue... anger is a gift
I mean really, this could easily be levied against anyone blocking spam in that case. If its their servers and their bandwidth and you're violating their terms of service, I don't see why they HAVE to deliver email or anything else. Heck MSN is effectively blocking linux with the way they respond to search results through their search engines and you couldn't bring a court case against them about that. If CI Host (which really DOES suck and consists of mostly spam and porn hosts)) can't contain their customers - why would AOL be liable if they choose to protect their systems? Last I heard the laws about Cybertresspass (the very laws AOL used to sue spammers - denial of chattel) were in AOL's favor - not CI Hosts'.
Honestly guys.. I worked as an Assistant Administrator for an ISP in Michigan. AOL's block list is not that bad. I had a very aggressive list of spam. We actively sent letters to our users telling them to forward us spam, and if legit spam, we added the address to our spam filter. The ONLY ISP that ever affected us by blocking us, was MSN, when MSN.com and Hotmail.com blocked our ISP when their software was messing up. We got our domain unblocked and everything was fine. I support Aggressive blocklists.
AOL blocks sites with SMTP banner, that doesnt match
RDNS. Its likely the cause of the block.
$ telnet 63.249.159.33 25
Trying 63.249.159.33...
Connected to cihost.com.
Escape character is '^]'.
220 cassiopeia.propagation.net ESMTP Sendmail 8.11.6/8.11.6; Mon, 25 Aug 2003 20:05:09 -0500
I hope they win this one. First of all, CI Host are a bunch of f$cking spambags. Second of all, it'll be a dark day when a court forces someone to carry unwanted traffic. AOL owns their own network. AOL can decide who they want or don't want to accept mail from, for whatever reason AOL wants. If AOL customers don't like AOL's decision, they'll leave, and AOL will lose in the market. Oddly enough, only spammers seem to have any trouble grasping the fact that a network owner can restrict what flows over said network for any reason at all.
Free advice to CI Host: Your legal action has just landed you permanently on hundreds of private blocklists. I know of at least 5. You and your customers now going to have a lot more trouble getting your mail deliverd to many more places than AOL. Find a new line of work because no netblock you are associated with will ever be useful for email, which you indicate to be your main line of business in your lawsuit. Cut your losses and get off the net now. Sell your equipment on eBay. Sell your netblocks back to ARIN. Do something productive. You'll be happier if you avoid the world of frustration you just entered. Just unplug instead.
.sig: file not found
There are substantial disadvantages to a client-side filtering only spam defense as opposed to a server-side blocking only defense. It is, of course, fully possible to use both; I merely wish to point out some factors you may not have considered.
For the definitions of "filtering" and "blocking", please see this Wikipedia article. Roughly, DNSBLs and Sendmail's milter feature are blocking tools -- they take effect during the SMTP transaction. Client-side tools are filtering tools -- they take effect when you check your mail.
Consider:
However, as I mentioned above, it is possible to combine blocking and filtering in useful ways. A mixed strategy is what I prefer for my own site: we use a number of blocking strategies (such as DNSBLs and regular-expression patterns matching common spam elements), but we also use SpamAssassin and encourage users to filter with its scores or other criteria.
There are several separable issues here.
The first thing to notice is that our only information on this dispute comes from a press release put out by CI-host. I find it somewhat surprising to see it alleged that AOL is in contempt of court. On the other hand one wonders how a judgement from a Texas court affects AOL off in Loudoun county VA. I suspect the AOL/Time lawyers may have a different opinion.
Another thing missing from the report is any mention of the reply filled by AOL? Was AOL even aware of the hearing? In most cases a court order does not have immediate effect, thus allowing the defendant to file an appeal. It seems unlikely that a court would issue an order with immediate effect given that AOL has had considerable success in preventing spammers gaining orders of this type in the past.
Another suspicious factor is the rapid escalation to littigation. A legitimate ISP would be unlikely to sue until it was clear that AOL was not going to be reasonable - unless of course they knew AOL was being reasonable.
At this point it is reasonably settled law that an ISP cannot be forced to accept email from an address that it does not want to service. The defamation claims might work against a third party such as a blacklist but it is hard to see how a company can be prohibited from acting on its own assesment of CI's behavior.
The other thing that is odd here is that Sudereth is a recent President of the American Judges Association. You would not expect a judge in that situation to be making whacky judgements which suggests strongly that there is something here that we are not being told in the CI PR puff. It is very rare for a court to order an injunction with immediate effect unless the damage done is irreversible. In this case the effect is very obviously only money.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Its their servers and if you still kept the person on your server ( as a customer ) after the the first day of the abuse ( says you took 1 week to notice; that's far too long to notice an abuse ). Did you not read your Abuse@ when the first spam message was reported? Why'd it take you so long to act?
A spam run doesn't just happen for a week long without going unnoticed. Your server logs would have shown the unusual amt of traffic being sent from your space.
Just playing devi's advocate. Again, AOL can run their servers as they like. Dont like it? Set up a smart-host so you can send attachment from that ip unti lits resolved.
Oh and is that customer still with you? The one that spammed? Why not collect damage fees from them?
I know it's supposed to be easy to forge a "from" address in the header of an e-mail. This is a favorite spammer trick.
Would one of you folks enlighten me on whether it's possible to easily forge or otherwise disguise a "bcc" or other portion of the "to" section?
I operate a website (hosted by a third party provider) that's been hammered this past week by someone who vainly hopes to exploit Formmail. He takes an unseemly interest in the cgi-bin and cgi-sys directories and is cheeky enough to blind-copy an e-mail address at AOL with the results.
He won't get anywhere because I haven't got Formmail installed, but he is as aggravating as hell, and not a little scary.
AOL's attitude is that if he is indeed one of their subscribers, he's entitled to their protection, and they won't lift a finger no matter what he's doing or who he's injuring. In other words, if you've got a commercial site and it's third-party hosted, you're fair game for any of their bad kids who wish to harm you, forge your domain name, or whatever, under the guise and protection of AOL. I was told this at about 5:30 p.m. today by one of their "customer service" representatives.
Before I talked to them, I was primarily annoyed. Now I'm really angry. I'd like to enhance my knowledge about this as I consider what to do. Knowledge is power; it's just sometimes difficult to acquire adequate knowledge while you've got so much else to do.
Thanks!
Anne
DUCT TAPE: The Election Supervisors' Secret Weapon
Are the people here who say that AOL has the right to do what they like with their own network the same people oppsed to telcom deregulation? If so, you're a hypocrite.
The FTC brought an antitrust complaint against a company (can't remember which one at the moment) in the 70's (I think). In that case, the target company had around 65% of the market, and it was ruled that that was insuffecient to be a monopoly. In this case, I don't think AOL has anywhere near 65%. 30 million customers (what AOL claims to have, but they were recently accused of inflating that) is small compared to the number of ISP subscribers; laughably so to be called a monopoly
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
One of our TD guys posted the following:
We just finished a conversation with staff from AOL's postmaster team. We have an agreement, but it may or may not be satisfactory to users.
First, let me say what they are doing. They have a button on their mail software that lets users report email as spam. They check to see the host
from which AOL got the mail, i.e. the previous hop. In principle, if they get a significant number of complaints for any given host, they refuse to accept mail from it. In practice, there is sometimes human review, although they don't guarantee to do that. In practice, they will often alert abuse@rutgers.edu before cutting off mail, although they don't promise to do that either. They will, however, allow us to give them a list of our major MTA's, and exempt that list. What we believe they will do reliably is notify us after the fact when they have cut an IP address off. We will dispatch those reports to the liaison.
They should have most of the major MTA's by now. However we don't have a complete list of all MTA's on campus, so it is certainly possible that in
the future some might be cut off. If that happens, we will find out about it after the fact. In some cases, the abuse staff may recognize it as an
MTA, and ask them to add it to the list. However we won't always know the way departments use systems, and thus cases might occur where we would have to depend upon responses from the system administrator.
Note that in principle they could remove systems that send announcements to the user community, if users report the messages from the President or
other official email as spam. They regard the customers as right, and accept their definition of spam. In practice, that system will be on the
list of MTA's. For the moment they look OK.
There are some systems that were on earlier lists that we have been unable to understand. In one case we verified that they had no forwarding entries pointing to AOL. The system itself is not an open relay, and being Solaris, would not have been contaminated by Sobig. In the discussion today, it didn't seem possible to develop an understanding of what had led to these systems being considered problematical. However those systems are MTA's, and should not be cut off in the future.
They have offered to send us all email from any Rutgers host that users report as spam, so we can review it and try to forestall any problems.
Since this is in the thousands per day during periods when problems are occuring, we are not currently taking them up on this. In the opinion of our staff, if AOL can't afford the staff time to do intelligent review of their own users' reports, we can't do that job for them.
In this situation, I recommend that no system administrator use AOL for email, since we need to make sure we can contact sysadmins no matter what
decisions AOL might have made. Other uses with critical need for mail connectivity might want to do the same. Also, it might be useful for users
to understand that they should be careful about reporting as spam mail that comes through Rutgers.
-- Is "Sig" copyrighted by www.sig.com?
Advertisers or spammers, these morons ignore the fact that NO ONE is obligated to carry their traffic it there is a reason to believe that it is not legit.
I drop that kind of traffic on the floor. They're welcome to TRY to collect. I guarantee they won't like my legal retalliation..
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
I have a personal blog domain that I use to keep my family and friends updated about my life. Since I have moved alot it has been a great way of keeping open the lines of communication. However, recently, AOL has stopped letting my updates reach my 2 Aunts in Mass. And it is pretty annoying. I appreciate the fact that AOL is trying to cut down on SPAM - but damn! Gimme a break - let me SPAM their server first before they ban my domain. I only send about 2 emails a month (one to each aunt) to their servers.. Seems like AOL spent more effort blocking me than I did emailing their pop servers.
Now we just need to put together some kind of class action suit for them spamming my regular mailbox with those damn CDs
I actually called them and asked to be removed from their mailing list and they told me that it wasn't possible because they send the CDs at random. That is, they just pick a few hundred thousand fucking addresses and then spam them with CDs. So I told the representative to whom I was speaking (after I told her that I was not angry with her) what I would do about it.
Basically, anytime I see a stack of AOL CDs at a supermarket or restaurant, I pick the whole damn thing up and put it in the nearest garbage can.
Fuck them.
Oh... and print up some "return to sender" labels and take them to the mail box with you every day. I put them on all postal spam and send it back before I even get it into my house. Junk mail is down about 75% after 6 months or so.
Good luck!
Life is the leading cause of death in America.
Gotta love how I can't send e-mail from one Time-Warner company to another....
I guess an example of the left hand breaking a few fingers on the right.
A strange game. The only winning move is not to play. How about a nice game of chess? - Joshua (Wargames)
Historically, AOL has viewed itself as an entertainment company. The AOL muckity mucks cared about the big business deals, the marketing drive that will change the world, etc. The media mogul in Barton Fink is an example of the style of executive that ran the show during the height of the dot.com bubble.
But AOL Email Operations was just another overworked technical dept. The email application didn't bring in any revenue directly. Also, it was an overhead application that couldn't be cleanly assigned into one of the Balkanized divisions at AOL. For years, it had little marketing and little development effort applied to it. Buying Netscape for $4 billion dollars got lots of attention, upgrading the pre-internet AOL email infrastructure didn't.
The top level AOL exec's heard about spam complaints, but they heard lots of complaints about lots of things. Nothing was catching on fire and exploding in email so they assumed it must not have been that bad.
Another reason why AOL business exec's tended to ignore the techies. Keep in mind that hardcore techies had spent years vehemently ragging on AOL. Inspite of that, AOL became a major business success (well, at least for a few years). So whenever an internet purist gave a lecture on how things were supposed to be done, it triggered a gut level hostile response with many exec's at AOL.
So the result of all of this is, for the past several years, there were only background projects for fighting spam (and handling ISP complaints). Current problems are a result of that legacy.
But I think things might be changing. Remember AOL tried to takeover Time Warner? Well Time Warner has essentially staged a reverse coup and kicked out all the "deal junkies" at AOL. I think the Time Warner folks are pushing a much more back to basics approach for business deals, financial accounting, and for the AOL online service.
The upcoming AOL 9.0 release is supposed to be a lot better at spam fighting (although I haven't tried it much yet).
I hope that the new exec's really are making spam fighting a strategic priority (which I think they might be). If so, you should see real results in a year or two. Including, hopefully, a lot less false positives for spam (where positive really means negative delivery of mail, whatever) and much higher levels of support for email delivery complaints.
Ben in DC
"It's the mark of an educated mind to be moved by statistics" Oscar Wilde
My mom, using Earthlink, has been unable for 4 days to email her business partner. Which is wasting her time. Preventing her from getting work done.
The thing to realize here is that, while punishing an ISP may or may not be a good thing, harming *tens of thousands* of innocent users of that ISP (and Earthlink is a good one, IMHO) is incredibly irresponsible.
The bounce email said basically "Go whine to your ISP" which was, frankly, insulting. Never having been a fan of AOL, I'm not really surprised by this, but I can tell you it's caused her business partner to drop his account damn quick. Hope other AOL customers are doing the same.
Email is critical infrastructure. It's a public communication medium just like telephone lines are. How would you like it if all Bell South customers couldn't call you because your regional Baby Bell didn't like dealing with all the telemarketing coming in from Atlanta?
At a certain point, services become too valuable to play this kind of game with. I think email has passed that threshhold long ago.
Looking for a Rails developer in Chapel Hill?
All I know is that CI Host is a worthless hate spreading worm garden. My host, OC Hosting (ochosting.com), bless their souls they are such wonderfull people to be a client of, has had trouble with CI Host in the past.
About a year ago when OC Hosting pulled out of renting space at CI's data centers, CI told them that they couldn't get in the building even to take their machines out without signing a year contract for the space they used. Because of this I (foreverdreaming.net) and other OC customers could not get our files because CI was holding the servers.
After this I have had a constantly living anamosity for CI that ignighted like a torch when I read this article. I hope AOL wins and finds a way to file a counter-claim and hopefully wipe the worthless hate spreading scum that is CI off the face of this beautiful planet.
haha - for a year I've hated you and now I get a chance to express it in public forum, yay!
The problem is that it's other people deciding what data comes through.
For instance, LiveJournal. Users have found that AOL is blocking HTTP requests through REFERRERs too . Nothing like having a Journal, and then putting a link to your AOL homepage (AOL Journal, etc) on your LJ profile, only to have people blocked when trying to click through (to see it in action, and you don't have referers disabled, go to fadedsanity's profile and click on the website link "p r i n c e s s". You'll get a 404. Now alter the URL (or whatever you have to do to clear the referrer) and reload the page... it works!). Sure, it's understandable to prevent image embedding (though they appear to only be doing it selectively, like with www.livejournal.com, but not ziemkowski.livejournal.com for instance), but hypertext links as well? That's just too much!
The annoying issue is that this will undoubtedly lead to hacks (or even features) to stop sending referers, which will affect website statistics, etc.
Why should the above AOL subscriber not be able to link to her own site? Because other users have marked LiveJournal.com emails as spam? So it isn't just third parties than can be upset; she should be, anybody who wants to access her site through her journal should be, and the third party (LJ) should be.
Wouldn't it have been a lot less problematic to add a custom bayesian filtering system with spam ratings, that runs on the subscriber's system? I'm sure AOL could have designed an interface and methodology for such a system that would be extremely straightforward to users yet much more effective, all without relying on one subscriber to know what another subscriber thinks of another person's messages? Heck, they could have advertised that they have "Smart" email filtering, yadda yadda yadda.
You'd think that a company that has acquired sources of programming creativity like Netscape and WinAmp, would be able to meet the interests of their subscribers and investors much better than they have with this.
How much longer until AOL blocks referers from slashdot?
The Rutgers central systems are in the process of moving antivirus processing from "appliances" made by a major AV vendor to our own Linux systems using Amavis. Amavis is smart enough not to send notifications to users in response to Sobig. The appliances do not appear to have an option to disable this. The move isn't quite finished, but the high-volume systems should now be on Amavis. That change is quite recent.
Yikes. So this is what has become of the anti-spam movement. You sound like blind jealous jack-booted nazi thugs to me. I hate spam as much as the next person, but with a little work you can minimize it with Spamassassin and its brethren. It should be up to the end-user to decide whether they want to receive spam, not the common carrier.