blacklists
This page considers spam blacklists.
It covers -
- introduction
- statistics - how many blacklists, how many users?
- controversies - irresponsible vigilantes or essential actors
- cases - selected litigation in the US and elsewhere about use of blacklists
- responses - DOS and other 'direct action' by spammers
introduction
ISPs and other entities
have sought to reduce the impact of spam by excluding
junk mail through black, white and grey lists. Those lists
serve as filters and are analogous to lists
used by schools, businesses and other entities in managing
access to web sites.
- a blacklist is an access control mechanism that excludes
messages that match addresses or other information on
that blacklist
- a whitelist restricts access to members of that list
- a greylist serves as a temporary blacklist, used for
example to exclude badly-configured email
clients that may be used to send spam.
Many ISPs and individual organisations use email blacklists
to exclude what is (or might be) spam. Those lists often
encompass mail from one or more of the following specific -
- IP addresses
- email addresses
- domain names
- ISPs.
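The three list types defined above, sketched as a single accept/reject/defer decision (an added example, not code from the original page). The class and method names, the whitelist-first precedence and the triplet-based greylist delay are assumptions for illustration; all addresses are constructed.

```python
import ipaddress

class ListFilter:
    """Constructed example: accept/reject/defer decisions from three lists."""

    def __init__(self, grey_delay=300, grey_ttl=86400):
        self.white = set()          # sender addresses or domains always accepted
        self.black_senders = set()  # sender addresses or domains always rejected
        self.black_nets = []        # blocked IPs or whole ISP ranges (CIDR)
        self.grey = {}              # (ip, sender, recipient) -> time first seen
        self.grey_delay = grey_delay  # seconds a new triplet must wait
        self.grey_ttl = grey_ttl      # seconds before a triplet is forgotten

    def add_black_net(self, cidr):
        self.black_nets.append(ipaddress.ip_network(cidr))

    def check(self, ip, sender, recipient, now):
        sender, recipient = sender.lower(), recipient.lower()
        keys = {sender, sender.rpartition("@")[2]}  # full address and its domain
        if keys & self.white:
            return "accept"          # assumed precedence: whitelist wins
        addr = ipaddress.ip_address(ip)
        if keys & self.black_senders or any(addr in n for n in self.black_nets):
            return "reject"          # permanent refusal
        triplet = (ip, sender, recipient)
        first = self.grey.get(triplet)
        if first is None or now - first > self.grey_ttl:
            self.grey[triplet] = now
            return "defer"           # temporary refusal; a proper mail server retries
        return "accept" if now - first >= self.grey_delay else "defer"

def demo():
    f = ListFilter()
    f.white.add("partner.example")
    f.black_senders.add("bulk.example")
    f.add_black_net("192.0.2.0/24")   # documentation range standing in for an ISP
    tries = [  # (ip, sender, recipient, seconds since start), all constructed
        ("192.0.2.10", "ann@partner.example", "u@example.org", 0),
        ("192.0.2.10", "x@example.net", "u@example.org", 0),
        ("198.51.100.5", "promo@bulk.example", "u@example.org", 0),
        ("198.51.100.5", "new@example.net", "u@example.org", 0),
        ("198.51.100.5", "new@example.net", "u@example.org", 60),
        ("198.51.100.5", "new@example.net", "u@example.org", 400),
    ]
    return [f.check(*t) for t in tries]

if __name__ == "__main__":
    print(demo())
```

The greylist branch only delays an unknown sender: a client that never retries stays excluded, while one that retries after the delay is accepted.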
Notions of a public 'do not email' registry are considered here
as part of discussion of Australian and overseas Do Not
Call register schemes.
statistics
How many black, white and grey lists are in operation?
How many users rely on them?
The answers to those questions are obscure. It is clear
that many ISPs and large network operators, including
Australian government agencies, rely on blacklists compiled
by for-profit and not-for-profit organisations in Australia
and overseas. There has been no authoritative report on
the number of users of blacklists or the 'market share'
of particular blacklists.
There has similarly been no comprehensive study of the
number of blacklists. It is clear that a large number
of blacklists have been created and that new lists continue
to appear, although a handful of services appear to have
gained the acceptance of major operators.
In December 2006 the Open Relay Database (ORDB) announced
that it was closing ...
The general consensus within the team is that open relay
RBLs [relay blocking lists] are no longer the most effective
way of preventing spam from entering your network as
spammers have changed tactics in recent years, as have
the anti-spam community.
Closure was attributed to the shift by spammers from use of open
mail relays (SMTP proxy servers) - claimed to account
for 90% of spam but down to 1% in late 2006 - to botnets,
ie infected personal computers. ORDB said ISPs and other
chokepoints should remove its lists immediately and
consider other methods of spam management.
controversies
Blacklists are contentious because they are privately
operated and can directly affect the commercial interests
of entities that are spamming or are merely alleged to
be spamming.
They have been welcomed by many ISPs, corporate network
operators and anti-spam activists. They have been tacitly
endorsed by a range of agencies.
They have also been damned by spammers, with milder condemnation
by some cyberlibertarians who are concerned about constraints
on free speech or question the accountability of list
operators.
Gadfly John Gilmore famously quipped:
For Joe Blow to refuse emails is legal (though it's bad
policy, akin to "shooting the messenger").
But if Joe and ten million friends all gang up to make
a blacklist, they are exercising illegal monopoly power.
Particularly when they add to their "gang"
by threatening each outsider in turn with being blacklisted
until they join the gang.
Disagreement within the 'blacklist community' is also
evident, with some participants claiming that others are
'cowboys' or biased.
Blacklist operators may not be located in a particular
jurisdiction (and thus not subject to that jurisdiction's
law) and may not feature effective mechanisms for review
of decisions or even information about how non-specialists
can contact them.
The basis for inclusion of information on a particular
list is not necessarily verified. Criteria for listing
are often unclear. Mechanisms for removal of incorrect
information may also be uncertain.
That is of concern, given criticisms that particular lists
have been operated by inept vigilantes and because inappropriate
inclusion on a list can damage an address owner or ISP.
Members of the Global Internet Liberty Campaign (GILC)
and the Internet Free Expression Alliance (IFEA) warned
of 'stealth blocking' as
not in keeping with the principle that end users should
decide what to view and with whom to communicate, object
to the practice of Internet Service Provider "stealth
blocking." This concerns ISPs that do not bill
themselves as filtered service providers but intentionally
block their customers from accessing certain Web sites
or sending mail to users at certain other ISPs. "Stealth"
blocking is done undetectably, so users only see a browser
error saying that a Web site is down or an email error
saying that the destination mail server could not be
reached. Over 99% of end users never discover that any
intentional blocking is being done.
One observer commented in 2005 that many Australian 'mum &
dad' users are more concerned that the ISP filter all
spam, with unrealistic expectations that the intermediary
can fully exclude all junk mail.
In 2006 the OECD Task Force on Spam noted
substantial variation in the quality of antispam blacklists,
partly attributable to the absence of a general code for
their evaluation. It commented that many lists
are poorly managed, abandoned or of dubious integrity: names
can be added quickly, the applied criteria may be unclear,
and the removal from the list may be virtually impossible.
That comment was endorsed by Jonathan Ezor's 2006 paper
Busting Blocks: Appropriate Legal Remedies For Wrongful
Inclusion In Spam Filters Under U.S. Law.
Other critics have endorsed problematical proposals such
as national/provincial Do
Not Email (DNE) registers that would supposedly complement
Do Not Call registers.
cases
Disagreement is reflected in a range of court cases.
In 2006 for example a US federal court issued a default
ruling against British antispam organisation Spamhaus,
ordering it to pay US$11.7 million to e360insight. The
plaintiff complained that it had been improperly included
on Spamhaus's blacklist. Spamhaus did not offer a defense,
thus incurring a default judgment. The court ordered Spamhaus
to remove e360insight from the blacklist and publish an
apology.
Spamhaus feistily commented that e360insight was indeed
a spammer and would accordingly not receive such apology,
with the ruling showing that US courts "can be bamboozled
by spammers with ease". Spamhaus moreover advised
that the US court judgment was meaningless, as the blacklist
operator is based in the UK. e360insight claimed that
Spamhaus is "a fanatical, vigilante organization
that operates in the United States with blatant disregard
for U.S. law". The case was sent back to the court
on appeal in 2007.
The controversial New Zealand Open Relay Behavioural Modification
System (ORBS), under the auspices of Alan Brown,
blacklisted local ISPs Xtra and Actrix in 2001. That provoked
action in the New Zealand courts, amid assertions that
the list featured organisations with which the list operator
had commercial disputes.
The ISPs received a High Court injunction for ORBS to
stop blacklisting them; ORBS responded by circulating
their IP addresses via newsgroups. That was treated by
the lawyers as a violation of the injunction; they petitioned
the court for an arrest warrant. Brown subsequently acknowledged
that he had inappropriately blacklisted the ISPs.
Anti-spam group CAUCE commented:
ORBS is an organization that tried to do something which
I think is entirely appropriate, which is identifying
and targeting for blocking known spam sources. But the
way they went about it was very arbitrary and in some
cases came down to personal disputes between the operator
and those targeted. It was so harmful to the anti-spam
movement it's good they've been knocked out of the field.
responses
Many spammers appear to have eschewed litigation, recognising
that courts in many nations will be unsympathetic to their
breaches of anti-spam law or other offences, and have
instead resorted to 'direct action'.
That direct action has typically taken two forms -
- denial of service attacks (aka DOS)
- 'joe jobs'.
DOS attacks - sometimes distributed denial of service
(DDOS) attacks - involve use of one or more machines to
flood a server and thereby put it offline.
DDOS has been a particular feature of action by spammers
from the former Soviet Union and its satellites since
2003, relying on virus or trojan-infected personal computers
('bots') to create large networks ('botnets') that attack
anti-spam services and blacklist providers such as Spamhaus.
Joe jobs, a form of 'identity pollution'
discussed in more detail elsewhere
on this site in considering identity crime, seek to erode
the credibility of a blacklister or merely tie up its
staff.
They involve sending email that purports to be from the
anti-spam organisation or that is supposedly endorsed
by such an organisation. That email may feature the usual
spam offers, a link to an
adult content site or virus site, or an attached nasty
such as a virus or adult graphic. Some of the more ingenious
feature threats to network administrators or individual
users that a particular blacklister "will shut them
down" if the recipient fails to comply with instructions
in the message.
Spammers have taken similar action against critics: we
for example suffer from a spammer sending mail that purports
to come from this address.