Blind Vigilantes

From: Bret A Fausett <bret_at_lexqwhi0kh.com>
Date: Tue, 17 Sep 2002 20:11:49 GMT
Message-ID: <94c3da3a.2e3840bc_at_lex2zelu0y.com>



Blackhole lists offer dark prospects

By Bret A Fausett

New Architect
August 2002

Most of the email I receive these days is spam, yet I've never purchased anything advertised in a piece of unsolicited commercial email. I'm not even sure that I've ever clicked on a link sent to me in a piece of unsolicited commercial email.

I haven't found any good method of blocking spam. Fortunately, I have a broadband connection, so things aren't as bad as they could be. But whenever I travel and find myself connecting via modem, I'm constantly frustrated by the significant amount of time I have to spend downloading junk mail, which is sometimes billed at exorbitant hotel or foreign telephone rates. So you'd think that I'd be somewhat sympathetic to the efforts of groups that create blackhole lists.

For those of you unfamiliar with a blackhole list, it's a list that's typically maintained by volunteer antispam advocates. It contains the IP addresses and domain names of certain mail servers allegedly used to send unsolicited email messages en masse. When an Internet service provider subscribes to one or more of the blackhole lists, any inbound email to its service originating from a mail server on the lists is automatically rejected. The subscriber to a blackhole list doesn't filter based on the actual content of the email, just its place of origin, which makes this practice a fairly crude tool. It blocks all messages from specific locations regardless of content.

Anyone who finds his or her mail server erroneously listed on a blackhole list can usually get off the list by establishing that he or she has remedied whatever server insecurity spammers exploited. At least that's how it works in theory.

I don't run an insecure mail server, but mine recently found its way onto a blackhole list. I've tried to get off the list, but to no avail. I've become just another victim of vigilante justice on the Internet.

The Wrong Guy

One day back in March, I tried to send a friend of mine an email. It bounced. The mail server that rejected my message sent a polite note back explaining that the address of my mail server was now listed on its ISP's blackhole list.

Over the next two weeks, the circle of people to whom I could send email started to shrink. Soon, even my father's email address was off-limits to me.

The primary way to get on a blackhole list is to run an open relay. For various reasons having to do with access to networks and efforts to conceal their identities, senders of mass unsolicited email predominantly exploit such relays. An open relay accepts mail from anyone in the world and relays it to whomever is listed in the address. Most mail servers aren't open relays. They accept mail only from subscribers to that network's services, or from a set of persons specifically identified on the server. In spite of grass roots efforts to close the open relays, there are still more than a few of them out there.

Not Guilty

My mail server, however, was not an open relay. I have no idea who first submitted my name to a blackhole list operator in Denmark, but sometime in March of this year the operator added my mail server to its list. The first time the service was used to reject a piece of my mail, the rejection came accompanied by an explanation of why I was on the list and what I could do to be removed from it. The explanation was that I was running an open relay. How could I get off the list? That was simple, the message said. Close the open relay, and send a message to the operator's server asking to be re-scanned.

Of course, as I mentioned, my mail server was never an open relay in the first place. So in response to the rejection message I received, I asked the blackhole list service if it would kindly re-scan my mail server and make another determination as to whether it was an open relay. I was sure that there had been some mistake and that on a second try, it would realize the error in its initial judgment. Shortly after I submitted my request, I sat down to monitor my mail logs. This time I saw the service in Denmark address my mail server. I watched my mail server accept the message and then pass the piece of email back to the Danish mail server. The Danish server promptly sent a message saying that my server was still operating as an open relay.

How had it gained access to my mail server? Simple. It had forged the headers on its email to convince my mail server that the email it sent was from a permitted user. You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That's not an open relay. Unless you're a user in my domain, you can't use it.

Blocked

The group based in Denmark had pretended to be me, forged an email as though it had come from an address that only I am authorized to use, passed it through the mail server in my house, and then placed me on a list of people who should be blocked from sending mail. They circulated that list around the world. ISPs used by my friends and family here the United States subscribed to this list. Now, through no fault of my own—and in fact because of the trickery of Danish email activists—I was no longer able to send email to many people in my address book.

It's hard to describe how angry this made me. The Danish consortium had lied about their identity, and I was paying for it.

The worst thing about being blacklisted, however, wasn't that I could no longer send email, but that spammers began actively trying to use my mail server to send their spam. You see, blackhole lists work both ways. ISPs use it to block traffic, but as I've recently discovered, the spammers themselves use the lists as a kind of directory of servers to use for sending their mail.

If you look at my mail server logs, you'll see that every few seconds or so, someone, somewhere tries to access my mail server and use it to send mail. Each time, without fail, my mail server declines the request and refuses to relay the requested message. It isn't an open relay. It's just doing its job. But my machine is bombarded with requests from all over the world from spammers seeking to use its minimal capabilities to send their penis enlarging, breast enhancing, get-rich-quick messages.

My Rights

But, hey, I'm a lawyer, right? I'm supposed to be able to solve this kind of dilemma. And there are a few things I could do.

For one, the Danish antispam organization falsified an email header to gain access to my mail server. Illegal access to a computer system is, if not a criminal violation, then a trespass on my private property. As I've discussed previously in this space, one of the novel legal theories now catching on for these kinds of unacceptable accesses to computer systems is a centuries-old tort called "trespass to chattels." At a minimum, I ought to be able to sue the Danish company for the damage it caused me from its illegal access.

Granted, the damage caused by my inability to send an email is likely not terribly significant. You can always pick up the phone, print the message out, and fax it or mail itÉor just use a different mail server. But in spite of all that, I could probably get an injunction, or least a dollar or two to compensate me for my injuries and establish that I have been wronged.

The problem, of course, is that the loose organization of individuals who compiled the blackhole list is based in Denmark. Who knows whether the organization is a real legal entity or just some name cooked up by a group of self righteous individuals. However, they do have a domain name, and an IP address, and they circulate their work to ISPs around the world. In other words, there is a group for me to sue. But taking legal action on foreign entities is difficult. I would have to translate my legal documents into Danish. I would have to hire someone in Denmark to personally deliver these translated documents to the entity that I would be suing. That costs time and money.

But I could sue them here in Los Angeles, California, that much I know. By sending their forged email through my mail server, which is located in my den in Los Angeles, they fulfilled certain California legal requirements that would let me sue them here. The connection to Los Angeles is also bolstered by the fact that I live here and my injury was suffered here.

Of course, all of this is starting to sound like the kind of hypothetical legal conundrum that you might find on a law school exam. Problems like mine often remain hypothetical because the expense of bringing them to trial is so great, and the ability to gain any monetary relief from lawsuits is minimal. That's why the black hole providers have been able to get away with their vigilante justice for so long. For any individual user wronged by their efforts—and from what I understand, there are a lot of people in similar situations—the costs of pursuing these organizations, which are often located overseas, is too great. These groups of volunteer organizations have no assets to speak of—they are volunteers after all—and plaintiffs' lawyers are hesitant to take a case without the prospect of a lucrative damages judgment.

The Case

Before you think that this is all just about me and the fact that my father no longer receives any email from me, there are bigger policy implications for private individuals and companies that take steps to block connectivity. Much bigger.

I've long championed the idea that the Internet should remain largely unregulated by governments. But at the same time, any private operator at an end point in the Internet's architecture can restrict the flow of content to a user. What's wonderful about the Internet is that it enables end-to-end communication from anywhere in the world to anywhere in the world. For all of the problems caused by spam, email is still the most widely used application on the Internet. So the idea that private parties could get ISPs to block some people from talking to other people should be deeply troublesome.

The Danish blackhole list operators want to block access to computers that might be used for spam, but it's easy to imagine blacklists used for less noble purposes. For example, imagine that the RIAA compiled a list of IP addresses which, it contended, had at some time used peer-to-peer file sharing programs. Because these peer-to-peer systems could transmit copyrighted materials in a way that infringes on the copyright owner's rights, the RIAA could argue, those IP addresses should be blocked. It isn't difficult to imagine that the RIAA could pressure a sufficient number of ISPs into subscribing to this copyright blackhole list and blocking access to their users, or to any traffic emanating from them.

Breaking end-to-end connectivity for any application, whether email or peer-to-peer or the Web, threatens the very thing that makes the Internet valuable. These are matters of principle. Which reminds me— I have a lawsuit to file.

Bret is an intellectual property and Internet attorney with Hancock, Rothert & Bunshoft. You can reach him at bret_at_lextext.com.

--
It might weekly taste around think upper rivers.























Almost no lost codes cover Ayman, and they nearly fill Sharon too.
Received on Tue Sep 17 2002 - 22:11:49 CEST

Original text of this message