Most of the email I receive these days is spam, yet I’ve never purchased anything advertised in a piece of unsolicited commercial email. I’m not even sure that I’ve ever clicked on a link sent to me in a piece of unsolicited commercial email.
I haven’t found any good method of blocking spam. Fortunately, I have a broadband connection, so things aren’t as bad as they could be. But whenever I travel and find myself connecting via modem, I’m constantly frustrated by the significant amount of time I have to spend downloading junk mail, which is sometimes billed at exorbitant hotel or foreign telephone rates. So you’d think that I’d be somewhat sympathetic to the efforts of groups that create blackhole lists.
For those of you unfamiliar with a blackhole list, it’s a list that’s typically maintained by volunteer antispam advocates. It contains the IP addresses and domain names of certain mail servers allegedly used to send unsolicited email messages en masse. When an Internet service provider subscribes to one or more of the blackhole lists, any inbound email to its service originating from a mail server on the lists is automatically rejected. The subscriber to a blackhole list doesn’t filter based on the actual content of the email, just its place of origin, which makes this practice a fairly crude tool. It blocks all messages from specific locations regardless of content.
Anyone who finds his or her mail server erroneously listed on a blackhole list can usually get off the list by establishing that he or she has remedied whatever server insecurity spammers exploited. At least that’s how it works in theory.
I don’t run an insecure mail server, but mine recently found its way onto a blackhole list. I’ve tried to get off the list, but to no avail. I’ve become just another victim of vigilante justice on the Internet.
The Wrong Guy
One day back in March, I tried to send a friend of mine an email. It bounced. The mail server that rejected my message sent a polite note back explaining that the address of my mail server was now listed on its ISP’s blackhole list.
Over the next two weeks, the circle of people to whom I could send email started to shrink. Soon, even my father’s email address was off-limits to me.
The primary way to get on a blackhole list is to run an open relay. For various reasons having to do with access to networks and efforts to conceal their identities, senders of mass unsolicited email predominantly exploit such relays. An open relay accepts mail from anyone in the world and relays it to whomever is listed in the address. Most mail servers aren’t open relays. They accept mail only from subscribers to that network’s services, or from a set of persons specifically identified on the server. In spite of grass roots efforts to close the open relays, there are still more than a few of them out there.
Not Guilty
My mail server, however, was not an open relay. I have no idea who first submitted my name to a blackhole list operator in Denmark, but sometime in March of this year the operator added my mail server to its list. The first time the service was used to reject a piece of my mail, the rejection came accompanied by an explanation of why I was on the list and what I could do to be removed from it. The explanation was that I was running an open relay. How could I get off the list? That was simple, the message said. Close the open relay, and send a message to the operator’s server asking to be re-scanned.
Of course, as I mentioned, my mail server was never an open relay in the first place. So in response to the rejection message I received, I asked the blackhole list service if it would kindly re-scan my mail server and make another determination as to whether it was an open relay. I was sure that there had been some mistake and that on a second try, it would realize the error in its initial judgment. Shortly after I submitted my request, I sat down to monitor my mail logs. This time I saw the service in Denmark address my mail server. I watched my mail server accept the message and then pass the piece of email back to the Danish mail server. The Danish server promptly sent a message saying that my server was still operating as an open relay.
How had it gained access to my mail server? Simple. It had forged the headers on its email to convince my mail server that the email it sent was from a permitted user. You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That’s not an open relay. Unless you’re a user in my domain, you can’t use it.
Blocked
The group based in Denmark had pretended to be me, forged an email as though it had come from an address that only I am authorized to use, passed it through the mail server in my house, and then placed me on a list of people who should be blocked from sending mail. They circulated that list around the world. ISPs used by my friends and family here the United States subscribed to this list. Now, through no fault of my own—and in fact because of the trickery of Danish email activists—I was no longer able to send email to many people in my address book.
It’s hard to describe how angry this made me. The Danish consortium had lied about their identity, and I was paying for it.
The worst thing about being blacklisted, however, wasn’t that I could no longer send email, but that spammers began actively trying to use my mail server to send their spam. You see, blackhole lists work both ways. ISPs use it to block traffic, but as I’ve recently discovered, the spammers themselves use the lists as a kind of directory of servers to use for sending their mail.
If you look at my mail server logs, you’ll see that every few seconds or so, someone, somewhere tries to access my mail server and use it to send mail. Each time, without fail, my mail server declines the request and refuses to relay the requested message. It isn’t an open relay. It’s just doing its job. But my machine is bombarded with requests from all over the world from spammers seeking to use its minimal capabilities to send their penis enlarging, breast enhancing, get-rich-quick messages.
My Rights
But, hey, I’m a lawyer, right? I’m supposed to be able to solve this kind of dilemma. And there are a few things I could do.
For one, the Danish antispam organization falsified an email header to gain access to my mail server. Illegal access to a computer system is, if not a criminal violation, then a trespass on my private property. As I’ve discussed previously in this space, one of the novel legal theories now catching on for these kinds of unacceptable accesses to computer systems is a centuries-old tort called "trespass to chattels." At a minimum, I ought to be able to sue the Danish company for the damage it caused me from its illegal access.
Granted, the damage caused by my inability to send an email is likely not terribly significant. You can always pick up the phone, print the message out, and fax it or mail itÉor just use a different mail server. But in spite of all that, I could probably get an injunction, or least a dollar or two to compensate me for my injuries and establish that I have been wronged.
The problem, of course, is that the loose organization of individuals who compiled the blackhole list is based in Denmark. Who knows whether the organization is a real legal entity or just some name cooked up by a group of self righteous individuals. However, they do have a domain name, and an IP address, and they circulate their work to ISPs around the world. In other words, there is a group for me to sue. But taking legal action on foreign entities is difficult. I would have to translate my legal documents into Danish. I would have to hire someone in Denmark to personally deliver these translated documents to the entity that I would be suing. That costs time and money.
But I could sue them here in Los Angeles, California, that much I know. By sending their forged email through my mail server, which is located in my den in Los Angeles, they fulfilled certain California legal requirements that would let me sue them here. The connection to Los Angeles is also bolstered by the fact that I live here and my injury was suffered here.
Of course, all of this is starting to sound like the kind of hypothetical legal conundrum that you might find on a law school exam. Problems like mine often remain hypothetical because the expense of bringing them to trial is so great, and the ability to gain any monetary relief from lawsuits is minimal. That’s why the black hole providers have been able to get away with their vigilante justice for so long. For any individual user wronged by their efforts—and from what I understand, there are a lot of people in similar situations—the costs of pursuing these organizations, which are often located overseas, is too great. These groups of volunteer organizations have no assets to speak of—they are volunteers after all—and plaintiffs’ lawyers are hesitant to take a case without the prospect of a lucrative damages judgment.
The Case
Before you think that this is all just about me and the fact that my father no longer receives any email from me, there are bigger policy implications for private individuals and companies that take steps to block connectivity. Much bigger.
I’ve long championed the idea that the Internet should remain largely unregulated by governments. But at the same time, any private operator at an end point in the Internet’s architecture can restrict the flow of content to a user. What’s wonderful about the Internet is that it enables end-to-end communication from anywhere in the world to anywhere in the world. For all of the problems caused by spam, email is still the most widely used application on the Internet. So the idea that private parties could get ISPs to block some
…
martijn wrote:
> what will it be?
The engine-deal will be announced by Stoddart in Indianapolis. He also
wants to confirm both his new drivers before Suzuka.
Auke
—
" Any more miracles, and I’ll be a saint! "
- a DOT groenenboom AT student DOT tudelft DOT nl –
Blackhole lists offer dark prospects
By Bret A Fausett
New Architect
August 2002
Most of the email I receive these days is spam, yet I’ve never purchased
anything advertised in a piece of unsolicited commercial email. I’m not even sure
that I’ve ever clicked on a link sent to me in a piece of unsolicited commercial
email.
I haven’t found any good method of blocking spam. Fortunately, I have a
broadband connection, so things aren’t as bad as they could be. But whenever
I travel and find myself connecting via modem, I’m constantly frustrated by the
significant amount of time I have to spend downloading junk mail, which is
sometimes billed at exorbitant hotel or foreign telephone rates. So you’d think
that I’d be somewhat sympathetic to the efforts of groups that create blackhole
lists.
For those of you unfamiliar with a blackhole list, it’s a list that’s typically
maintained by volunteer antispam advocates. It contains the IP addresses and
domain names of certain mail servers allegedly used to send unsolicited email
messages en masse. When an Internet service provider subscribes to one or
more of the blackhole lists, any inbound email to its service originating from a
mail server on the lists is automatically rejected. The subscriber to a blackhole
list doesn’t filter based on the actual content of the email, just its place of
origin, which makes this practice a fairly crude tool. It blocks all messages from
specific locations regardless of content.
Anyone who finds his or her mail server erroneously listed on a blackhole list
can usually get off the list by establishing that he or she has remedied
whatever server insecurity spammers exploited. At least that’s how it works in
theory.
I don’t run an insecure mail server, but mine recently found its way onto a
blackhole list. I’ve tried to get off the list, but to no avail. I’ve become just
another victim of vigilante justice on the Internet.
The Wrong Guy
One day back in March, I tried to send a friend of mine an email. It bounced. The
mail server that rejected my message sent a polite note back explaining that
the address of my mail server was now listed on its ISP’s blackhole list.
Over the next two weeks, the circle of people to whom I could send email
started to shrink. Soon, even my father’s email address was off-limits to me.
The primary way to get on a blackhole list is to run an open relay. For various
reasons having to do with access to networks and efforts to conceal their
identities, senders of mass unsolicited email predominantly exploit such relays.
An open relay accepts mail from anyone in the world and relays it to whomever
is listed in the address. Most mail servers aren’t open relays. They accept mail
only from subscribers to that network’s services, or from a set of persons
specifically identified on the server. In spite of grass roots efforts to close the
open relays, there are still more than a few of them out there.
Not Guilty
My mail server, however, was not an open relay. I have no idea who first
submitted my name to a blackhole list operator in Denmark, but sometime in
March of this year the operator added my mail server to its list. The first time
the service was used to reject a piece of my mail, the rejection came
accompanied by an explanation of why I was on the list and what I could do to
be removed from it. The explanation was that I was running an open relay. How
could I get off the list? That was simple, the message said. Close the open
relay, and send a message to the operator’s server asking to be re-scanned.
Of course, as I mentioned, my mail server was never an open relay in the first
place. So in response to the rejection message I received, I asked the blackhole
list service if it would kindly re-scan my mail server and make another
determination as to whether it was an open relay. I was sure that there had
been some mistake and that on a second try, it would realize the error in its
initial judgment. Shortly after I submitted my request, I sat down to monitor my
mail logs. This time I saw the service in Denmark address my mail server. I
watched my mail server accept the message and then pass the piece of email
back to the Danish mail server. The Danish server promptly sent a message
saying that my server was still operating as an open relay.
How had it gained access to my mail server? Simple. It had forged the headers
on its email to convince my mail server that the email it sent was from a
permitted user. You see, my mail servers were set up to pass mail only from a
domain name of which I am the only user. It blocks everything else. That’s not
an open relay. Unless you’re a user in my domain, you can’t use it.
Blocked
The group based in Denmark had pretended to be me, forged an email as
though it had come from an address that only I am authorized to use, passed it
through the mail server in my house, and then placed me on a list of people
who should be blocked from sending mail. They circulated that list around the
world. ISPs used by my friends and family here the United States subscribed to
this list. Now, through no fault of my own—and in fact because of the trickery of
Danish email activists—I was no longer able to send email to many people in my
address book.
It’s hard to describe how angry this made me. The Danish consortium had lied
about their identity, and I was paying for it.
The worst thing about being blacklisted, however, wasn’t that I could no longer
send email, but that spammers began actively trying to use my mail server to
send their spam. You see, blackhole lists work both ways. ISPs use it to block
traffic, but as I’ve recently discovered, the spammers themselves use the lists
as a kind of directory of servers to use for sending their mail.
If you look at my mail server logs, you’ll see that every few seconds or so,
someone, somewhere tries to access my mail server and use it to send mail.
Each time, without fail, my mail server declines the request and refuses to relay
the requested message. It isn’t an open relay. It’s just doing its job. But my
machine is bombarded with requests from all over the world from spammers
seeking to use its minimal capabilities to send their penis enlarging, breast
enhancing, get-rich-quick messages.
My Rights
But, hey, I’m a lawyer, right? I’m supposed to be able to solve this kind of
dilemma. And there are a few things I could do.
For one, the Danish antispam organization falsified an email header to gain
access to my mail server. Illegal access to a computer system is, if not a criminal
violation, then a trespass on my private property. As I’ve discussed previously
in this space, one of the novel legal theories now catching on for these kinds of
unacceptable accesses to computer systems is a centuries-old tort called
"trespass to chattels." At a minimum, I ought to be able to sue the Danish
company for the damage it caused me from its illegal access.
Granted, the damage caused by my inability to send an email is likely not
terribly significant. You can always pick up the phone, print the message out,
and fax it or mail itÉor just use a different mail server. But in spite of all that, I
could probably get an injunction, or least a dollar or two to compensate me for
my injuries and establish that I have been wronged.
The problem, of course, is that the loose organization of individuals who
compiled the blackhole list is based in Denmark. Who knows whether the
organization is a real legal entity or just some name cooked up by a group of
self righteous individuals. However, they do have a domain name, and an IP
address, and they circulate their work to ISPs around the world. In other words,
there is a group for me to sue. But taking legal action on foreign entities is
difficult. I would have to translate my legal documents into Danish. I would have
to hire someone in Denmark to personally deliver these translated documents
to the entity that I would be suing. That costs time and money.
But I could sue them here in Los Angeles, California, that much I know. By
sending their forged email through my mail server, which is located in my den in
Los Angeles, they fulfilled certain California legal requirements that would let me
sue them here. The connection to Los Angeles is also bolstered by the fact that
I live here and my injury was suffered here.
Of course, all of this is starting to sound like the kind of hypothetical legal
conundrum that you might find on a law school exam. Problems like mine often
remain hypothetical because the expense of bringing them to trial is so great,
and the ability to gain any monetary relief from lawsuits is minimal. That’s why
the black hole providers have been able to get away with their vigilante justice
for so long. For any individual user wronged by their efforts—and from what I
understand, there are a lot of people in similar situations—the costs of pursuing
these organizations, which are often located overseas, is too great. These
groups of volunteer organizations have no assets to speak of—they are
volunteers after all—and plaintiffs’ lawyers are hesitant to take a case without
the prospect of a lucrative damages judgment.
The Case
Before you think that this is all just about me and the fact that my father no
longer receives any email from me, there are bigger policy implications for
private individuals and companies that take steps to block connectivity. Much
bigger.
I’ve long championed the idea that the Internet should remain largely
unregulated by governments. But at the same time, any private operator at an
end point in the Internet’s architecture can restrict the flow of content to a user.
What’s wonderful about the Internet is that it enables end-to-end
communication from anywhere in the world to anywhere in the world. For all of
the problems caused by spam, email is still the most widely used application on
the Internet. So the idea that private parties could get ISPs to block some
…
read more »