Slashdot Mirror
Perspectives on Spamhaus's Dilemma
The Illinois court that told Spamhaus to stop blocking the spammer filing suit against them — an order which Spamhaus ignored — is now considering ordering ICANN to pull Spamhaus's domain records. While Gadi Evron, whose blog posting is linked above, urges everyone to beat the judge with a clue stick, a guest writer on his blog counsels much greater restraint. Anti-spam lawyer Matthew Prince explains how Spamhaus got into its current pickle — apparently by following conflicting legal advice at two points in the process — and what they might have to do to get out. One spamfighter of my acquaintance says that Spamhaus's SBL and XBL blocklists knock out 75% of the spam at his servers before it hits and requires more CPU-intensive filtering. If ICANN is ordered to unplug Spamhaus from the DNS, and does so, is the Net prepared to deal with a 4-fold increase in spam hitting MTAs overnight?
Yeah, I know it's just fiction but it seems like this could be the same kind of thing.
Excerpt from the movie:
Dr. Ray Stantz: Everything was fine with our system until the power grid was shut off by dickless here.
Walter Peck: They caused an explosion!
Mayor: Is this true?
Dr. Peter Venkman: Yes it's true.
[pause]
Dr. Peter Venkman: This man has no dick.
Walter Peck: Jeez!
[Charges at Venkman]
Mayor: Break it up! Hey, break this up! Break it up!
Walter Peck: All right, all right, all right!
Dr. Peter Venkman: Well, that's what I heard!
I think the problem that the Ghostbusters faced in the movie was that the guy from the EPA was a prick and didn't bother doing any follow up or open a channel of communication with the Ghostbusters. Now, Spamhaus might be violating rules at the same time they provide the public a valuable service. Has the United State's judicial system attempted any lines of communication with them aside from a cease-and-desist letter threatening them with $11.7 million?
Where does it say that e360insight is a spammer? I think that Spamhaus should have to present proof that e360insight is an illegitimate spamming business. I think that's important. If e360insight is a spammer, I'm siding with Spamhaus. Since they have taken the roll of deciding who is spamming and who isn't, I think they could use more accountability than what I find indicated on their website.
My work here is dung.
On the plus side, that might convince the judge to rethink the order.
what pisses me off about this whole situation is that using the Spamhaus RBL is OPTIONAL, and initiated by the receiving servers. Nobody said you HAVE to use Spamhaus, people CHOOSE to.
Damn, judges really should be expected to have a clue when sitting in on a case...
I imagine that ICANN will say "Uh...no" if they actually do get that court order. I mean, ICANN is kind of evil, but I guarantee they hate spammers AT LEAST as much as everyone else.
Can ICANN even pull a second level domain? .org is managed by Public Interest Registry. One would imagine all ICANN could do would be to put a halt on the org TLD...
If I've ever heard a compelling argument for an independent ICANN, this is it!
Um... you are aware of how Spamhaus's list is distributed, right?
You convert the IP address of the server you're trying to check into a host name, such as W.X.Y.Z.sbl.spamhaus.org, then do a DNS lookup on that hostname. The result you get indicates whether the original IP is liste or not.
Trust me, you don't want to put 4 billion records in your hosts file!
If you use cotton swabs, and I'm hoping that you do, then take a moment to read the package. It clearly states that they are not to be put into your ear, despite the fact that plainly that's the use that 90% of consumers make of them. This is plainly because of liability issues which arise from people who can't seem to figure out how far to stick them in their ear. Perhaps Spamhaus could adopt a similar defense by distributing the list with the explicit instructions that it is not intended to be used to block spam, especially in the U.S. and uber-especially in the region where this judge has authority. Just a thought, seems at least as effective as holding your ears and screaming "LA-LA-LA-LA" everytime the court tries to tell you what to do.
"Don't you know you're going to shock the monkey?"- Peter Gabriel
Is this perhaps why there was pressure to separate the US government from ICANN? Maybe now we can see why.
US court
US spammer
UK RBL
--- Commission free trading & free stock up to $500 - use http://share.robinhood.com/kelvinp6
So go ahead and pull their domain from the DNS hierarchy.
/etc/named.conf
# cat >>
zone "spamhaus.org" in {
type forward;
forwarders {216.168.28.44; 204.69.234.1; 204.74.101.1; 204.152.184.186; };
};
^D
# pkill -HUP named
All fixed!!
"I feel that if a person can't communicate, the very least he can do is to shut up." -- Tom Lehrer
According to the article by the John Marshall Law School lawyer, the problem is not that Spamhaus ignored the initial TRO. The problem is that they didn't. They appeared in state court and asked that the case be moved to Federal Court, which it was. By doing so, they implicitly agreed that the Federal Court had jurisdiction.
Then they claimed it didn't.
I can't think of anything more likely to P.O. a judge than to ask to get into his courtroom, then call him a buffoon.
In the end, as the article says, ICANN may be forced to pull 'spamhaus.org', but ISPs that use it are savvy enough to move to using 'spamhaus.or.uk' or something similar, outside the court's control. But the individuals affected by the order may be unable to set foot in the U.S. for the rest of their lives, even to change planes.
Also, we can express our concerns directly to them at http://www.e360insight.com/contact.php. They were nice enough to have a comment submission form. I hope they have a lot of disk space for submitted comments.
In the land of the blind, the one-eyed man is usually crucified.
Spamhaus method of fighting spam dont stops 3/4 of the spam of the world. Probably graylists, bayesian analisys, and other methods stops far more.
You obviously don't run a mail server with > 1 user. The sbl-xbl list stops ~ 80% of our spam. That's for a small email service provider, defending only about 75 million email addresses.
Bayesian doesn't stop spam. It just flags stuff as possible spam. Humans are worse filters than any software. If you have to look for false positives in a spam folder, don't even bother to filter stuff. That is just a waste of CPU cycles.
On the smaller servers I run, recipient validation handles ~ 50% of the spam, the sbl-xbl stops ~ 80% of the rest, dynamic IP blocks and hostname checks stop the remaining.
I can throw myself at the ground, and miss.
A reckless decision by this judge to crap on the internet over an uncontested U.S. based trial will be a huge motivation to wrest DNS control from U.S. control/jurisdiction.
.us domain to play with and left the rest to people who understand how serious this stuff really is.
If U.S. judges think they have carte blanche to impose their laws on foreign entities using domain listing as a weapon then we absolutely MUST get DNS control the heck out of U.S. control, i don't care what DARPA thinks they invented decades ago. The status quo currently is bad enough as it is, but if one person in a robe is going to single handedly eliminate the backbone of the international anti-spam war when the service is based in a foreign country, run by non-U.S. citizens and it's a voluntary subscription service then something drastic needs to be done.
The notion that the U.S. can 'summon' foreigners to defend themselves in U.S. domestic courts is deeply flawed to begin with. It's just amazing that anyone can mock the Chinese for their 'great firewall' when the U.S. is prepared to yank a site from the ENTIRE WORLD, and think they can just because it's domain name is published on a U.S. machine when that is mandated by an historical quirk.
Is it time we gave the United States their little
Hell, NO!
You would be trying to use their DNS server as a recursive resolver. DON'T do that! It wouldn't work and you'd be an annoyance to them.
I suggest you read about DNS before doing things of which you don't understand the impact.
What could work is running BIND and doing something along the lines of
zone "spamhaus.org" {
type forward;
forwarders <their ip address>;
};
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
I'm amazed at the knee-jerk reaction of so many people here. I hate spam as much as the next person, but claiming that the judge is ignorant, stupid, or malicious is ridiculous. The fact is, Spamhaus responded to the suit in the most inappropriate way imaginable, by acknowledging the federal court's jurisdiction and thereafter ignoring it. If you get a traffic ticket, even if it is unwarranted, what would you expect to happen if you turn up in court, then walk out and refuse to communicate any further with the court? What Spamhaus has done is the equivalent, only federal judges have a LOT more power. Spamhaus should either have challenged the court's jurisdiction from the outset or, having accepted it, complied with its orders and defended the suit.
Other than Spamhaus trying to correct the situation, I wonder if third parties might be able to submit an amicus brief to the court along the lines of: "Yes, Spamhaus behaved liked idiots, but cutting them off is not in the public interest.":
Lets look at the facts:
1. Spamhaus isn't in Illinois
2. Spamhaus isn't even in the US, no business presence on US territory at all.
3. Spamhaus only connection to the US is US companies utilize the service.
Based on that Illinois can only go after companies that use the database, not the provider overseas. They don't market or have any presence in the US. The court likely could go after these companies. Will they?
Now what I'd love to see is Illinois try and go after everyone in the US using the database... go ahead and try. I'll keep using it because it's a good effective database.
I've got a feeling there's money behind this ruling. It just sounds to fishy to be legitimate.
Reconfigure your MTAs NOW.
- Use IP numbers or
- host a domain resolution for spamhaus in a local name server and configure your MTA to hit that first. (Have your nameserver serve as an unofficial secondary pointing to their primaries, and squirrel a dump of their name service just in case the court gets their primaries shut down.)
Then ICANN can pull the record and it won't do squat.
For your convenience (from nslookup):
> server 204.74.101.1
Default Server: udns2.ultradns.net
Address: 204.74.101.1
> set type=soa
> spamhaus.org
Server: udns2.ultradns.net
Address: 204.74.101.1
spamhaus.org
origin = need.to.know.only
mail addr = hostmaster.spamhaus.org
serial = 2006100802
refresh = 3600 (1H)
retry = 600 (10M)
expire = 2419200 (4W)
minimum ttl = 3600 (1H)
spamhaus.org nameserver = udns2.ultradns.net
spamhaus.org nameserver = udns1.ultradns.net
spamhaus.org nameserver = ns8.spamhaus.org
spamhaus.org nameserver = hq-ns.oarc.isc.org
ns8.spamhaus.org internet address = 216.168.28.44
(I'm presuming that the spamhaus.org domain contains the
servers in question. But if not, perhaps someone who
actually administers an MTA using their services can
follow up with the necessary info.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
92K messages in a maillog file? Over what time period? Is that a toy server?
My current estimates say that $ORK is blocking ~ 400 to 500 million messages a day using DNSBLs, about 80% of which is the sbl-xbl.
I can throw myself at the ground, and miss.
Let me put an alternative perspective to the AC e-mail security guy who wrote the parent post.
I am the IT officer for a local non-profit organisation, with a few thousand members. We run a mailing list, to provide announcements to those members. The list is opt-in (double opt-in to verify all addresses, in fact) and moderated, and everyone on it has explicitly asked to be there.
Our service provider has recently sent a notice to their announcements list (to which I subscribe) indicating that certain major names, including Hotmail and AOL, are no longer accepting mail from our provider. They don't even bounce it properly; they silently drop it. This is all done in the name of fighting spam, so they claim, because our service provider forwards a lot of spam onto them. (Our service provider forwards any mail received at a paying customer's address to any forwarding address requested by that customer, in fact.) The content of any given mail, and the specific people it's going from and to, are irrelevant to this blanket ban.
As a consequence of this, we now find that some of our members who use e-mail accounts at those hosts are not receiving mails they have explicitly asked for. Neither we, nor our members, nor our service provider is doing anything unreasonable. The only reason this system is broken is because of an arbitrary decision by a big name provider to throw their weight around, by blocking all incoming mail from a small provider (who are not the only ones being hit by this problem -- far from it, by the sounds of things), even if this goes against the explicit wishes of one of their own paying customers.
Now, you can rationalise that decision all you like as a big IT honcho, but the simple fact is that these organisations are screwing their own customers, and ultimately undermining the entire working of the Internet e-mail system, by being incompetent and not playing nice with others. Sooner or later, people are going to start missing really important messages as opposed to just convenient or entertaining ones, and those providers are going to learn a harsh lesson. I imagine a few small providers will start bringing anti-competition lawsuits if the big names carry on down their current road as well. But in the meantime, your approach sucks for your customers, it sucks for people working with your customers, and it sucks for other service providers working with you. It is an indefensible attack on the openness of the Internet, and you deserve to be shot down for it.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.