One Last Spamhaus Warning Before The End

kog777 writes to mention that Spamhaus has released a final warning about an increase in junk email, as they prepare to lose their domain to an Illinois court ruling. From the article: "According to Spamhaus, more than 650 million Internet users - including those at the White House, the U.S. Army and the European Parliament - benefit from Spamhaus' 'blacklist' of spammers that helps identify which messages to block, send to a 'junk' folder or accept. Losing the domain name would make it more difficult for service providers and others to obtain the lists. 'If the domain got suspended, it would be an enormous hit for the Net,' said Steve Linford, Spamhaus' chief executive officer. 'It would create an enormous amount of damage on the Internet.'"

So...get a new domain?

[Kadin2048]

What's stopping them from getting a domain name in a non-US-controlled TLD?

I don't see how a US court ruling could shut down a domain name in another country's TLD; so why don't they just go and get a name in the UK, or Switzerland, or Sealand.

Somehow I think enough people find Spamhaus useful, that if they asked they could probably take up collection and get enough money to afford a new domain, and right now they have enough press coverage to ensure that it would be publicized. Sure, it would be a PITA for a lot of mailserver admins who would need to change the address, but that's still a lot less work than filtering their spam by hand.

It sounds like Spamhaus is getting ready to 'cut off their nose to spite their face,' or in this case, destroy themselves in order to try and prove some point to a Federal Court in the US that couldn't give a damn one way or the other. If they're trying to make a point, this isn't the way to do it.

Re:So...get a new domain?

[MoralHazard]

What's stopping them from getting a domain name in a non-US-controlled TLD?

I don't see how a US court ruling could shut down a domain name in another country's TLD; so why don't they just go and get a name in the UK, or Switzerland, or Sealand.

You're not the only person to make this mistake. The judge's order to pull the SOA for SpamHaus's domain has NOTHING TO DO with whether the TLD is .com, .uk, .de, or .mil. It doesn't matter where the domain is registered.

How can this be? Well, SpamHaus is subject to the jurisdiction of a U.S. court. Once a court (any court, not just American) decides that you're subject to its jurisdiction, it can issue an order compelling you to do whatever it wants. It can also issue a court order compelling a 3rd party (in this case, the domain registrar) to take some action in regards to you. It doesn't matter whether one party in the lawsuit, or the 3rd party who isn't involved in the suit, is actually resident in the U.S.

Enforcement of a court order is a slightly different issue. It may be very, very difficult to enforce the order of a U.S. court in a foreign country. It's easy enough in the U.S. because the court can hold the non-compliant party in contempt (and enact fines, jail time, etc.), but these mechanisms don't automatically work overseas. Some countries, under some circumstances, will honor civil court orders from other nations, but usually you would have to sue in the foreign country's courts to effect any action on the part of a foreign body.

An important exception to the above is that many entities have assets or physical presence in multiple countries. If (hypotheticallly) the German arm of Register.com operated the .de TLD, a U.S. court could fine the U.S. company, order their CEO to jail, or do whatever else it thought necessary in order to force the German part of the company to comply with its orders. The judge might even order a German executive (residing in Germany) to jail for contempt, and when the German doesn't comply, issue an arrest warrant for the German. While German authorities will probably not be willing to act on that warrant (extradition treaties don't normally extend that far), it will be awfully hard for the German executive to travel in the U.S. with an outstanding warrant.

In short, the Illinois court made a STUPID FUCKING BONEHEADED decision, and the judge or jury should probably be removed and caned, but it is certainly procedurally possible for them to hassle SpamHaus regardless of where you register the domain name.

Re:Shoulda seen this coming...

[doctor_nation]

The #1 reason they didn't defend themselves is because they are a UK company and not under US jurisdiction. The #2 reason is that if they were to spend the money to defend themselves, they would open a precedent for any other spammer to sue them the same way. I think it's perfectly reasonable for a foreign company to ignore a US court order in this case. A US court can't order a spammer in Russia to stop spamming, so why should they be able to order a spam-blocker to stop blocking spam? The whole internation commerce thing is pretty fuzzy to me, so I don't really understand what a US court CAN do to a foreign company that sells its services to a US company.

Re: The IP Address

[Jaseoldboss]

They could also get a .de name. Something beyond the jurisdiction of a US. Court.

Why would they want to do that? From the article;

Executives at the U.K.-based Spamhaus Project...

Minor nit-pick.

[khasim]

They blocked an entire C class belonging to XO with the response that if you were "Stupid enough to use XO" it was your "own fault."

Spamhaus does not "block" anything. All they do is list the addresses that meet their criteria for listing (yeah, I know that's redundant).

Mail admins can choose to reference that list (or not) and block / flag / delay / whatever based upon it.

I use Spamhaus with SpamAssassin, but I don't block or deny. It just adds to the spam score.

Spamhaus does not block. Spamhaus just lists.

Mail admins block.

Re:Minor nit-pick.

[fractalus]

Let's be truly clear. Mail admins block, but by using Spamhaus's list, they are effectively taking Spamhaus's word that mail from that domain is worth blocking. They are ceding a certain amount of control over their mail server. For every mail admin to research every spammer would be a major waste of human time, so instead mail admins trust someone else to do that research for them and maintain the list. It's more efficient, but it means you have to trust the organization maintaining the list not to abuse it.

Blacklists suck. Whitelists suck. Spam sucks. We do the best with what we've got. But for Spamhaus to pretend that they don't know that adding an IP to their list will result in it being blocked from delivering mail to a vast portion of the net is disingenuous. That's exactly why they list large blocks of IPs: because it prevents mail from being delivered, applying pressure to the ISP because their customers are angry. If a listing truly had no effect, they wouldn't do it. (Never mind the ethics of harming uninvolved parties in order to attack the party you dislike; it's the same tactic as another group whose label begins with "t" uses.)

Do I use Spamhaus? Yes. Is a Spamhaus listing alone enough to get mail blocked on my server? Nope. It's just another vote of no-confidence for a particular message. Do I loathe spammers? You betcha. But Spamhaus shouldn't pretend they're not a blocking list. And these spammers should be laughed out of court, the rat bastards.

One last time...

Spamhaus implicitly asked the court to take jurisdiction when they ask for the case to be transferred from state to federal court.

If they had done nothing, the court probably would have dismissed the charges for lack of jurisdiction.

If they had asked the court to drop the charges because they were a UK entity and a US court doesn't have jurisdiction, the court probably would have agreed.

But no, they explicitly asked for the case to be transferred to federal court, implicitly acknowledging the jurisdiction of the court and then they never came back.

The judge is saying, "You asked for this. We went to a lot of trouble to accommodate you. Where are you? If you don't show up, I'll have to find for the plantiff."

They shot themselves in their own foot.

Matthew Prince has a good summary.

Missing the underlying problem

[dpilot]

The real problem here is that spam is considered an "annoyance" and is legislatively treated as such. In that light, it becomes "my business model, revenue, and profitability" vs "your annoyance" vs "their attempts to help others deal with spam." It also gets into a delightfully grey realm of defining "spam" vs "legitimate commercial email." Because these aren't simple issues, and the defined reason to stop spam is "annoyance," nothing substantive happens.

Think differently...

From what I've heard, spam constitutes something over half the traffic on the Internet. Think of blocking half of a water main, or half of a sewer, or half the lanes on the highway. No doubt at all that this would be considered more than just "an annoyance," but that's pretty much what spam is doing each and every day. Look at the legislative "encouragement" to build more bandwidth and the end-to-end compromises being threatened, but in reality we're wasting over half of what we've got, already. Spam is much more serious than just an annoyance.

How's this for an idea - link it to terrorism!
Imagine for a moment that you want to transmit secret, untracable terror plans all around the world. Simply put "V1agra" on the subject line, send it to EVERYBODY, and you're pretty much guaranteed that NOBODY will read it. You could probably send your plans in clear-text safely, but steganography would be advisable.
So here it is... Spam is really a secret terrorist communications channel! It needs to be stopped!

Re:Shoulda seen this coming...

[linuxhansl]

Please think of this the next time when a court from another country tries to tell you what a US bases company can do. Maybe US citizen should fly to Iran to defend themselves in trial there?

Spamhaus is in the UK. The court in the US. End of story.

I hope ICANN pulls the DNS records; that will be the final sign for the EU and other parties to take control over their own domains.

If Spamhaus is not liked here, have the US build a huge firewall around the country to "protect" itself.

Re:Shoulda seen this coming...

[masklinn]

Works the other way too dude.

Let's say that you're posting WWII revisionism on an american website. You're protected by the 1st amendment.

Now the website is browsable from... say... France. France has laws against revisionism, so your post is a crime as far as the french law is concerned. Since your post arrived to france, it falls under french juridiction, your crime -- in your own opinion -- was comitted in France even though there was no crime comitted in the USA (interresting isn't it?), and you could be extraded to France to be judged and put in prison.

Fun isn't it?

Becomes much funnier when you put "interresting" countries into play, like, say, China.

Now,now

[Kludge]

For shame!
Their web site has lots of useful information.
And I think you should get it all with
wget -r http://www.e360insight.com/
Repeatedly, if necessary.

I will explain this because I'm tired of this arg

[hummassa]

the service Spamhaus does is done via DNS records
when my email server receive some mail from 1.2.3.4, it looks up 4.3.2.1.sbl-xbl.spamhaus.org and, if the address exists, it closes the connection (so that the mail won't even clog our intertubes). Now, I already changed it to look up 4.3.2.1.sbl-xbl.spamhaus.org.uk, but other 650 MILLION servers still have to do the same. Because if they don't, and this judge thinks it should call, their email load will get up by 20x or so. Got it now?

This was a good court decision.

[WhiteWolf666]

Guys, I know that everyone (oddly enough, especially Europeans) want to make this into a Europe v. U.S. issue, but it isn't.

A. First, Spamhaus argued that this case belongs in U.S. Federal Court. That's mistake number one; you don't tell a judge that your case belongs in a certain court, and then refuse to show up. Even odder, they say this, "But, to ensure this doesn't happen we are working with lawyers to find a way to both appeal/contest the ruling and stop further nonsense by this spammer." The question is, why didn't you guys work with lawyers before hand?

Take a look at http://www.spamhaus.org/legal/answer.lasso?ref=3 . Spamhaus makes a compelling case there as to why the court should not have jurisidction over them. So why would you _not_ present this evidence in court; especially after you've already told a court that they DO have jurisidiction over you.

B. Look at Spamhaus.org (or a mirror, if you can now). What logos does Spamhaus display on their "About Spamhaus" page. I'll cut and paste the organization names, about whom Spamhaus says, "Spamhaus works with many Law Enforcement agencies and cyber-crimes teams worldwide, assisting investigations and compiling evidence on illegal spam operations. Our main working partners are:"

1. Federal Bureau of Investigation
2. National Cyber-Forensics and Training Alliance
3. United States Postal Inspection Service
4. National White Collar Crime Center
5. Internet Crime Complaint Center
6. Department of the Treasury
7. Internal Revenue Service

When you work with this group of U.S. government services, and claim that they are your first line of working partners, it's difficult to argue that U.S. courts should have no standing over you.

C. Spamhaus does business in the U.S.! :

Spamhaus makes this claim, which I do think is one that would require discussion in court:
"
Claim: An Illinois court has jurisdiction over Spamhaus in the United Kingdom because Spamhaus does business in the State of Illinois.

This statement is false. Spamhaus does no business in the State of Illinois. Spamhaus has no office or agent in the State of Illinois nor any affiliation with any Illinois resident or entity. Spamhaus is a British organization and is not subject to Illinois County Court jurisdiction. Spamhaus advises Mr. Linhardt to re-file his case in the proper venue, a law court in the United Kingdom.
"

Consider that Spamhaus has a public mirror (perhaps several) in the U.S., over which Spamhaus has tight control. Furthermore, consider that Spamhaus sells a Datafeed service to U.S. residents. On http://www.spamhaus.org/datafeed/pricecalculator.l asso , prices are listed in Dollars, not Euros.

Given that they sell this service, and given that they manage servers in the U.S., it is difficult to argue that they don't do business in the U.S., and certainly is an issue for substantive debate. Not something you can win by default, and certainly something that a non-technical Judge would (fairly) decide without a defense.

Summary: The Judge, in this case, made a good decision. A company brought forth a fairly legitimate looking claim, one which may be somewhat feeble but had some legal grounding. The defense argured that it was not within Illinois's jurisidction, which *is* true, and then argued that it belonged in Federal court. The illinois judge said, "fine". Spamhaus then proceeded to ignore the federal court.

What did they expect?

They should have argued from the begining that this did not belong in U.S. courts at all, and the proper jurisidiction would be Britain. That *might* have been a lengthy discussion, because Spamhaus does, indeed, offer services within the U.S. for pay, as well as free listing services; and being listed on a spam list may or may not interact with libel laws.

Either way, I think Spamhau