Lawsuit threat against RBL users

Karl Denninger karl at Denninger.Net
Thu Nov 19 21:08:46 UTC 1998


On Thu, Nov 19, 1998 at 12:51:05PM -0800, George Herbert wrote:
> 
> Karl Denninger <karl at Denninger.Net> writes:
> >The problem with this is that someone, sooner or later, is going to 
> >take a run at people trying to set up what amounts to a set of contractual
> >requirements that exceed legal requirements - and then enforce them network
> >wide.
> >The collusive aspect of this is downright scary, especially when coupled
> >with threats of depeering, active denial of service attacks, etc.
> >I happen to be an "anti-spammer", but when you get to the point that you
> >start telling people what they have to put in their contracts as an industry,
> >such that if Person #1 commits an act on a *completely unrelated* system
> >they get their contract voided you're treading on very, very thin ice.
> >That looks an awful lot like an industry-wide blacklist, and those are
> >dangerously close to being per-se illegal.
> 
> Let's put two scenarios forwards.
> 
> Scenario 1:
> Company A has a web site hosted at ISP Z, and a bunch of throwaway
> dialup accounts on ISPs P, Q, R, and S.  A spams ads for the web site
> on ISP Z via those throwaway dialups.  P, Q, R, and S kill the dialup
> accounts used; people also complain to Z.  If Z fails to close the
> web site that was spam advertised, someone complains to RBL who 
> blackhole the web site server.
> 
> Scenario 2:
> Company B has a set of web sites for various subsidiaries,
> hosted at ISPs T, U, and V.  The marketing department for the
> group hosted at T spams via a bunch of dialups.  People complain
> and dialups get nuked; people also complain to T, U and V asking that
> B be nuked.  It isn't, so it gets reported to RBL and MAPS do their
> thing on the website servers at T, and also on U and V which were not
> involved in the initial spam but are related to the company.
> 
> In the first case, there is clearly a connection between the
> spamming and the website that gets RBLed; it was directly advertised
> by the spams.  That direct link is sufficient under current RBL rules
> and meets my definition of terminatable customer.
> 
> In the second case, one of the sites meets the above definition, 
> but the sites at U and V (which may be for completely unrelated
> subsidiaries or groups within B) don't necessarily.  This might
> begin to approach an illegal blacklist.
> 
> The question is, are any cases similar to scenario 2 actually happening?
> As far as I know, no.  Companies that have many websites that are having
> all their ISPs pressed to nuke them generally are spamming to advertise
> most or all of them, not just one or a few.  

Ok, let's put another scenario out there, one which IS somewhat likely:

Company A has a web site hosted at ISP Z, and a bunch of throw-away dial-up
accounts on ISPs P, Q, R and S.  They spam through P, Q, R and S, advertising
the site hosted at ISP Z and giving a "freemail" (ie: hotmail, juno, etc) 
reply EMAIL address.  All four of those dial providers cut *THE SPAMMER* 
off.

The spammed people also complain to ISP Z, and ISP Z tells the complainers 
to stuff it, because (1) there is no PROOF that Company "A" actually did
the spamming, and (2) no offensive data was emitted by ISP Z's machines.

ISP Z gets RBLd, even though *ISP Z* was not a party to the spamming, 
and ISP Z *never touched or emitted the spam*.  Worse, what gets RBLd
is ISP Z's mail server, which (if Company A is web hosting there ONLY) 
was not only uninvolved, but is irrelevant to the offense (since ISP Z
only sold Company "A" web service).

ISP Z has just had its business policies dictated by unrelated people and
NOT because they committed (either directly or through a customer acting
on their system) an offense - further, OTHER customers of ISP Z (who buy 
mail service from them) have been harmed, even though (1) ISP Z wasn't 
involved in the infraction, (2) Company "A" didn't do anything objectionable
*ON* ISP Z, or THROUGH ISP Z's equipment, and (3) the sanction is not in any 
way related to the offense (ISP Z's mail service is damaged, although their 
mail server was not abused, and in fact Company A doesn't get their mail 
through ISP Z).

Now, ISP Z has 500 customers, inclusive of Company "A".  499 other 
customers lose email connectivity to a significant number of people.

Who has the liability problem?

Now add a twist - Company "A" disavows SENDING the spam, and ISPs P, Q, R 
and S refuse to disclose the identity of the terminated customer since 
they have strong privacy policies.

Now what?

Now add a far worse twist - Company "A" does the spamming through an
*anonymous remailer* which destroys the logs on the transactions.  Now
there is no P, Q, R or S, nor is there any way to PROVE that Company A
sourced the spam.

See, the case where ISP "P" tells MAPS to go blow is simple - the spam 
was sent through ISP P, their systems were involved, there is PROOF that 
the data was sourced from the offending system.  Ergo, you're punishing
the offender and it might stand up in a fight.

"Third-party" blacklisting, where the offense is that someone is RESIDENT
on your system (not that they abused others FROM your system) is, IMHO, 
dangerously close to the line.  You're not punishing an *action*, you're
punishing someone for associating with a PERSON.

I don't like the liability posture on that at all.

The real culprit here, IMHO, is allowing no-verification, no-deposit
throw-away accounts.  To support a *marketing* decision the industry
creates a *personal* blacklist?  

That looks dangerous to me, but IANAL.

-- 
Karl Denninger (karl at denninger.net) http://www.mcs.net/~karl
I ain't even *authorized* to speak for anyone other than myself, so give
up now on trying to associate my words with any particular organization.


